A scalable network forensics mechanism for stealthy self-propagating attacks
Authors: Li Ming Chen, Meng Chang Chen, Wanjiun Liao, Yeali S. Sun
Affiliations: 1. Department of Electrical Engineering, National Taiwan University, No. 1, Sec. 4, Roosevelt Rd., Taipei 106, Taiwan; 2. Institute of Information Science, Academia Sinica, No. 128, Sec. 2, Academia Rd., Nankang, Taipei 115, Taiwan; 3. Department of Information Management, National Taiwan University, No. 1, Sec. 4, Roosevelt Rd., Taipei 106, Taiwan
Abstract: Network forensics supports capabilities such as attacker identification and attack reconstruction, which complement traditional intrusion detection and perimeter defense techniques in building a robust security mechanism. Attacker identification pinpoints the attack origin to deter future attackers, while attack reconstruction reveals attack causality and network vulnerabilities. In this paper, we discuss the problem and feasibility of backtracking the origin of a self-propagating stealth attack, given a network traffic trace covering a sufficiently long period of time. We propose a network forensics mechanism that is scalable in computation time and space while maintaining high accuracy in identifying the attack origin. We further develop a data reduction method that filters out attack-irrelevant data and retains only evidence relevant to potential attacks for post-mortem investigation. Using real-world trace-driven experiments, we evaluate the performance of the proposed mechanism and show that it can trim away up to 97% of attack-irrelevant network traffic and still successfully identify the attack origin.
Keywords: Network forensics; Data reduction; Stealthy self-propagating attack; Contact activity
This paper is indexed in ScienceDirect and other databases.