Rahul Chandran,Wei Q. Yan

DOI: https://doi.org/10.4018/ijdcf.2014010103

2014-01-01

International Journal of Digital Crime and Forensics

Abstract:The development of technology in computer networks has boosted the percentage of cyber-attacks today. Hackers are now able to penetrate even the strongest IDS and firewalls. With the help of anti-forensic techniques, attackers defend themselves, from being tracked by destroying and distorting evidences. To detect and prevent network attacks, the main modus of operandi in network forensics is the successful implementation and analysis of attack graph from gathered evidences. This paper conveys the main concepts of attack graphs, requirements for modeling and implementation of graphs. It also contributes the aspect of incorporation of anti-forensic techniques in attack graph which will help in analysis of the diverse possibilities of attack path deviations and thus aids in recommendation of various defense strategies for better security. To the best of our knowledge, this is the first time network anti-forensics has been fully discussed and the attack graphs are employed to analyze the network attacks. The experimental analysis of anti-forensic techniques using attack graphs were conducted in the proposed test-bed which helped to evaluate the model proposed and suggests preventive measures for the improvement of security of the networks.

LIU Zai-Qiang,LIN Dong-Dai,FENG Deng-Guo

DOI: https://doi.org/10.1360/jos182635

2007-01-01

Journal of Software

Abstract:Network forensics is an important extension to present security infrastructure,and is becoming the research focus of forensic investigators and network security researchers.However many challenges still exist in conducting network forensics:The sheer amount of data generated by the network;the comprehensibility of evidences extracted from collected data;the efficiency of evidence analysis methods,etc.Against above challenges,by taking the advantage of both the great learning capability and the comprehensibility of the analyzed results of decision tree technology and fuzzy logic,the researcher develops a fuzzy decision tree based network forensics system to aid an investigator in analyzing computer crime in network environments and automatically extract digital evidence.At the end of the paper,the experimental comparison results between our proposed method and other popular methods are presented.Experimental results show that the system can classify most kinds of events (91.16% correct classification rate on average),provide analyzed and comprehensible information for a forensic expert and automate or semi-automate the process of forensic analysis.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Yangyang Mei,Weihong Han,Shudong Li,Kaihan Lin,Zhihong Tian,Shumei Li

DOI: https://doi.org/10.1109/tits.2024.3360260

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:The Internet now plays a pivotal role in the social and economic landspace, providing individuals and businesses with access to essential daily services and tasks. However, it has also become a breeding ground for conflicts. Advanced Persistent Threats (APTs) pose a formidable chanllenge when directed at organizations and governments, exposing the entire network to substantial security risks. Employing network fornesics for attributing cyber-attacks and acquiring timely, credible forensic results is a fundamental challenge in maintaining cyber security. This paper introduces a Deep Learning-based network forensics framework for digitally identifying and tracking network attacks, providing a comprehensive overview of the network forensics process. Specifically, we extract network traffic and employ encryption to ensure the integrity and security of data. Subsequently, we apply feature filtering techniques to retain essential traceability information, and Deep Learning model parameters are automatically optimized using hyperparameter optimization techniques. Lastly, we develop a Multi-Layer Perceptual Deep Neural Network (MLP DNN) model with perceptual capabilities for detecting anomalous events within the network. We evaluated the framework’s effectiveness using the UNSW-NB15 dataset. The experiments demonstrate that the proposed framework is applicable to APT attack forensics scenarios. In comparison to other AI methods, our framework excels in discovering and tracking network attack events with high performance.

engineering, electrical & electronic,transportation science & technology, civil

Xin-Dong WU,Ya-Dong LI,Dong-Hui HU

DOI: https://doi.org/10.13328/j.cnki.jos.004727

2015-01-01

Abstract:Based on advances in computing technology and information technology, social networks have emerged as a new tool for people to exchange information and build interaction networks, and have become a key topic for social software studies in social computing. Social network forensics seeks to acquire, organize, analyze and visualize user information as direct, objective and fair evidence from a third-party perspective. Along with the rapid development of the Internet, social network forensics faces new challenges in dealing with user information being diverse, real-time and dynamic, huge in volume, and interactive, and also photo trustworthiness. It therefore has become a hot issue for opinion analysis, affective computing, content analysis in social networking relations, as well as individual, group and social behaviors in social networks and social computing. This paper designs a forensic model for social network forensics, and implements it on Sina microblogging. This model provides user information analysis, facial image recognition, and location presentation for trustworthiness analysis of digital evidence, and applies visualization to help reduce the difficulty of analysis and forensics on massive data from social networks.

Natarajan Meghanathan,Sumanth Reddy Allam,Loretta A. Moore

DOI: https://doi.org/10.48550/arXiv.1004.0570

2010-04-05

Abstract:Network forensics deals with the capture, recording and analysis of network events in order to discover evidential information about the source of security attacks in a court of law. This paper discusses the different tools and techniques available to conduct network forensics. Some of the tools discussed include: eMailTrackerPro to identify the physical location of an email sender; Web Historian to find the duration of each visit and the files uploaded and downloaded from the visited website; packet sniffers like Etherea to capture and analyze the data exchanged among the different computers in the network. The second half of the paper presents a survey of different IP traceback techniques like packet marking that help a forensic investigator to identify the true sources of the attacking IP packets. We also discuss the use of Honeypots and Honeynets that gather intelligence about the enemy and the tools and tactics of network intruders.

Networking and Internet Architecture

JI Yu-chen,FU Xiao,SHI Jin,LUO Bin,ZHAO Zhi-hong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.01.068

2014-01-01

Abstract:According to characteristics of computer intrusion forensic evidence, such as easy revise, easy loss, numerous sources, multifarious content, this paper discusses the current developing states about intrusion event reconstruction, analyzes intrusion event reconstruction source from the system layer object/event and the operate system layer object/event, and introduces the main intrusion event reconstruction tools. It reviews the existing methods for intrusion event reconstruction, including log analysis based on timestamp, semantic integrity checking, tracking technologies based on operate system layer object, event reconstruction models based on finite state machine and so on, evaluates their performance in terms of several metrics, such as reconstruction efficiency, false positives rate, credibility of evidence, authenticity of evidence, reconstruction environment, and summarizes the pros and cons of each method. Some important future research directions in the field of intrusion event reconstruction of computer intrusion forensic are discussed.

Wu Liu,Haixin Duan,Peng Wang,Jianping Wu

DOI: https://doi.org/10.1109/ICCT.2003.1209101

2003-01-01

Abstract:The phenomenal increase in the amounts of network security data are due to the hacker attacks, virus, worm and Shapper etc. Network security log file databases are very important in computer forensics. From researches, a lot of data mining methods have been found, such as content-based queries and similarity searches to manage and use such data. Fast and accurate retrievals for content-based queries are crucial for such numerous database systems to be useful. In this paper, a new method is provided to analyze and mine this kind of time-serial database. We first signalize the NSD databases, then we use these wavelet based transform to analyze the NSD and get the periodic law of intrusion event.

Lin Chen,Zhitang Li,Cuixia Gao,Yingshu Liu

DOI: https://doi.org/10.1109/CIT.2009.108

2009-01-01

Abstract:As an important part of computer forensics, network forensics particularly places emphasis on dynamic network information collection and proactive defense. Most forensics systems based on intrusion detection or honeypot rarely emphasize the availability of actual servers. In addition, few of them discussed the occasion of dynamic forensics particularly. The work presented in this paper is based on an idea to assist dynamic forensics with intrusion tolerance and deception technology to enhance the availability of server system and gather more useful evidences on a proper occasion. A mechanism of dynamic forensics based on intrusion forensics is proposed and is modeled with finite state machine. The workflow is described. A semi Markov process based on the embedded Markov chain of the states transition model is built and described. Finally, the forensics capability and server availability are analysis. According to the numerical analysis result, the security performance and forensics capability of the forensics system are enhanced to a certain degree.

Chen Lin,Li Zhitang,Gao Cuixia

DOI: https://doi.org/10.1109/ETCS.2009.153

2009-01-01

Abstract:Nowadays, one of the reasons for the lack of legal sanctions taken against attackers is that the collection and analysis of forensic evidence is very troublesome and time-consuming. There are many research results about events correlation but not directly suitable for network forensics. The work presented in this paper is based on an idea to collect the evidences from multiple network sensors and analyze them to improve the quality of forensic evidence automatically. This paper discusses the issues of log evidence first. The framework of IEAAS (Automated Analysis System of Intrusion Evidences) is illustrated with LCA (Log Collection Agent) in network sensors and multiple modules in IEAAS. Analysis mechanism is discussed, particularly the improved aggregation algorithm and evidence preservation method are described. Then a series of experiments are performed to validate our method on actual attack network environments of CERNET. The results of experiments show that our approach is practical and effective for dynamic forensics to augment the computer crime investigators’ efforts.

weisong he,guangmin hu,guangyuan kan

DOI: https://doi.org/10.1142/9789812799524_0266

2008-01-01

Abstract:In this paper, we propose a network situation comprehension method using multiple time series data mining and time frequency analysis method. This method automatically constructs a system behavior model in the form of a set of rules by applying sample entropy and principal component analysis and piecewise aggregate approximation and symbolic aggregate approximation and time frequency analysis and association rule mining to the time series data obtained from backbone router, then comprehends current network security situation by checking the subsequence on-line data with the acquired rules.

Kuo Zhao,Huajian Zhang,Jiaxin Li,Qifu Pan,Li Lai,Yike Nie,Zhongfei Zhang

DOI: https://doi.org/10.3390/e26070579

2024-07-07

Abstract:The rapid evolution of computer technology and social networks has led to massive data generation through interpersonal communications, necessitating improved methods for information mining and relational analysis in areas such as criminal activity. This paper introduces a Social Network Forensic Analysis model that employs network representation learning to identify and analyze key figures within criminal networks, including leadership structures. The model incorporates traditional web forensics and community algorithms, utilizing concepts such as centrality and similarity measures and integrating the Deepwalk, Line, and Node2vec algorithms to map criminal networks into vector spaces. This maintains node features and structural information that are crucial for the relational analysis. The model refines node relationships through modified random walk sampling, using BFS and DFS, and employs a Continuous Bag-of-Words with Hierarchical Softmax for node vectorization, optimizing the value distribution via the Huffman tree. Hierarchical clustering and distance measures (cosine and Euclidean) were used to identify the key nodes and establish a hierarchy of influence. The findings demonstrate the effectiveness of the model in accurately vectorizing nodes, enhancing inter-node relationship precision, and optimizing clustering, thereby advancing the tools for combating complex criminal networks.

Yun Luo,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/GLOBECOM42002.2020.9348178

2020-01-01

Abstract:Recent trends have shown that botnets have been active since the 1990s. Attackers use newer technologies to damage enterprises and individuals through identity theft, bank fraud, spam campaigns, malw are distribution, and distributed denial of service (DDoS) attacks. To identify the hidden details from a DDoS attack, we introduce a forensic model in this paper. This model uses NS2 to simulate the connectivity of real nodes in the network and uses Botnet and DDoS attack electronic evidence analysis methods. The botnet uses IRC channels as the basic unit. The analytical algorithm for Botnet uses election vectors to detect the split and transfer behavior of hackers. The analysis method for DDoS attacks uses attack vectors to detect whether Botnet is participating in a DDoS attack. On this basis, the fragmented packet marking method is added to track the source and path reconstruction of the router, thereby improving the scale recognition rate to 93%.

Sheng Yan,Yu Chen,Yan Song,Minjie Zhu

DOI: https://doi.org/10.1088/1742-6596/1176/3/032052

2019-01-01

Journal of Physics Conference Series

Abstract:As an important part of modern IT infrastructure, network provides great convenience for people to exchange information and share resources. However, network still faces with many threats such as network virus, hacker attacks, data theft and tampering and so on. Network logs includes a lot of valuable information about all behaviours happened in the network. How to analyse these network log to enhance the security of network becomes consequently the focus of many researchers. In this paper, we first design three similarity functions between two network attack records to create the network attack sequences, and then present a PrefixSpan-based frequent attack sequence mining algorithm to identify all frequent attack sequences in network log. The experimental results show that the PrefixSpan-based frequent attack sequence mining algorithm has shorter executing time and less running space than the Apriori algorithm. The PrefixSpan-based frequent attack sequence mining algorithm provides a network log analysing method for intrusion detection.

Zhengbing Hu,Roman Odarchenko,Sergiy Gnatyuk,Maksym Zaliskyi,Anastasia Chaplits,Sergiy Bondar,Vadim Borovik,

DOI: https://doi.org/10.5815/ijcnis.2020.06.01

2021-12-08

International Journal of Computer Network and Information Security

Abstract:Represented paper is currently topical, because of year on year increasing quantity and diversity of attacks on computer networks that causes significant losses for companies. This work provides abilities of such problems solving as: existing methods of location of anomalies and current hazards at networks, statistical methods consideration, as effective methods of anomaly detection and experimental discovery of choosed method effectiveness. The method of network traffic capture and analysis during the network segment passive monitoring is considered in this work. Also, the processing way of numerous network traffic indexes for further network information safety level evaluation is proposed. Represented methods and concepts usage allows increasing of network segment reliability at the expense of operative network anomalies capturing, that could testify about possible hazards and such information is very useful for the network administrator. To get a proof of the method effectiveness, several network attacks, whose data is storing in specialised DARPA dataset, were chosen. Relevant parameters for every attack type were calculated. In such a way, start and termination time of the attack could be obtained by this method with insignificant error for some methods.

Liwen Xu,Xiang Lin,Jianhua Li,Min Bai,Liejun Wang

DOI: https://doi.org/10.1109/trustcom60117.2023.00067

2024-01-01

Abstract:A multi-step targeted cyberattack refers to a sophisticated, systematic, and persistent form of attack aiming to compromise the security and integrity of a complex network system. These attacks exhibit spatial and temporal correlations in their execution sequences. However, conventional anomaly detection methods, which often focus on single facets such as network traffic or host behavior, lack the capacity to correlate and validate these steps. To address this deficiency, we introduce HiSec, a cyber threat correlation and discovery framework that leverages dynamic graph modeling and hierarchical graph neural networks. HiSec enhances the modeling of complex network systems and the analysis of spatio-temporal characteristics of multi-step targeted cyberattacks. Specifically, we introduce a novel dynamic graph modeling algorithm that employs overlapping samplers and sliding windows to establish long-term correlations among system activities. Aided by graph attention networks and the Transformer, HiSec uniquely exploits the spatio-temporal correlated edge feature representation, a capability inaccessible to traditional algorithms. Evaluation results reveal that HiSec surpasses existing benchmarks in unsupervised detection, achieving a high degree of accuracy (93.10%) and recall (94.77%). When deployed in our intranet for two rounds of evaluation, HiSec demonstrated remarkable efficiency, taking only 0.15 seconds to model 10,000 system activities occurring within approximately an hour.

Lihua Wu,Tian Deng

DOI: https://doi.org/10.1088/1742-6596/1648/4/042111

2020-10-01

Journal of Physics: Conference Series

Abstract:Abstract With the computer network in the industry, business, politics, finance, military and other social fields in the application of more and more extensive, the society on the computer network is also more and more dependent. However, because of its wide area distribution, heterogeneity and dynamic characteristics, computer network is very vulnerable to security threats from various aspects. In order to better maintain computer network security, this paper studies computer network security analysis modeling based on space-time characteristics and deep learning algorithm. First of all, this article through to the computer network security connotation and the present situation analysis, points out the main problems of network security model, and thus build a combination of deep learning algorithm, a simulation model of network security analysis results show that the intercept network attack rate increased by 32.12% than that of the traditional model, verify the validity of the model. Through the construction of the model, it is expected to contribute to the improvement of computer network security analysis.

YAN Qiao,WU Jianping,JIANG Yong

DOI: https://doi.org/10.3321/j.issn:1000-0054.2005.04.019

2005-01-01

Abstract:Network attack source tracing plays a key role in stopping on-going attacks, establishing liability, enabling prosecution of attackers, and deterring attackers. This paper classifies some promising traceback approaches and their technical characteristics. Each approach is evaluated in terms of its advantages and disadvantages. Finally, future develops in network attack tracing technologies are discussed including quantitative evaluation metrics, theoretical models, multicast systems, mobility abilities, ipv6 protocol, data encryption, and administration problems.

Tala Tafazzoli,Elham Salahi,Hossein Gharaee

DOI: https://doi.org/10.48550/arXiv.1508.01890

2015-08-08

Cryptography and Security

Abstract:Cybercrime is increasing at a faster pace and sometimes causes billions of dollars of business- losses so investigating attackers after commitment is of utmost importance and become one of the main concerns of network managers. Network forensics as the process of Collecting, identifying, extracting and analyzing data and systematically monitoring traffic of network is one of the main requirements in detection and tracking of criminals. In this paper, we propose an architecture for network forensic system. Our proposed architecture consists of five main components: collection and indexing, database management, analysis component, SOC communication component and the database. The main difference between our proposed architecture and other systems is in analysis component. This component is composed of four parts: Analysis and investigation subsystem, Reporting subsystem, Alert and visualization subsystem and the malware analysis subsystem. The most important differentiating factors of the proposed system with existing systems are: clustering and ranking of malware, dynamic analysis of malware, collecting and analysis of network flows and anomalous behaviour analysis.

Guang Kou,Shuo Wang,Guangming Tang

DOI: https://doi.org/10.1049/cje.2018.10.007

IF: 1.019

2019-01-01

Chinese Journal of Electronics

Abstract:This paper analyzed the existing network security situation evaluation methods and discovered that they cannot accurately reflect the features of large-scale, synergetic, multi-stage gradually shown by network attack behaviors. For this purpose, the association between attack intention and network configuration information was deep analyzed. Then a network security situation evaluation method based on attack intention recognition was proposed. Unlike traditional method, the evaluation method was based on intruder. This method firstly made causal analysis of attack event and discovered and simplified intrusion path to recognize every attack phases, then realized situation evaluation based on the attack phases. Lastly attack intention was recognized and next attack phase was forecasted based on achieved attack phases, combined with vulnerability and network connectivity. A simulation experiments for the proposed network security situation evaluation model is performed by network examples. The experimental results show that this method is more accurate on reflecting the truth of attack. And the method does not need training on the historical sequence, so the method is more effective on situation forecasting.

engineering, electrical & electronic