ForNet: A Distributed Forensics Network
Kulesh Shanmugasundaram, Nasir Memon,
Anubhav Savant, and Herve Bronnimann
Department of Computer and Information Science
Polytechnic University, Brooklyn, NY 11201, USA
{kulesh,anubhav}@isis.poly.edu,
{memon,hbr}@poly.edu
Abstract. This paper introduces ForNet, a distributed network logging
mechanism to aid digital forensics over wide area networks. We describe
the need for such a system, review related work, present the architecture
of the system, and discuss key research issues.
1 Introduction
Computer networks have become ubiquitous and an integral part of a nation's
critical infrastructure. For example, the Internet is now regarded as an economic
platform and a vehicle for information dissemination at an unprecedented scale
to the world's population. However, the last few years have taught us that these
very networks are vulnerable to attacks and misuse. Hence, mitigating threats to
networks has become one of the most important tasks of several government and
private entities. Recent attacks on critical network infrastructures are evidence
that defensive mechanisms, such as firewalls and intrusion detection systems,
alone are not enough to protect a network. The lack of attack attribution mechanisms
on our networks provides an excellent cloak that lets perpetrators remain anonymous
before, during, and after their attacks. Most often we are not only unable to
prevent the attacks but also unable to identify their source. In
order to guarantee the security and the survival of future networks we need to
complement the defensive mechanisms with additional capabilities to track and
trace attacks on wide area networks.
The problem with most defensive measures is that they are fail-open by
design and hence when they fail the attackers have the opportunity to leave
the crime scene without any evidence. In order to track down the perpetrators,
forensic analysts currently rely on manually examining packet-logs and host-logs
to reconstruct the events that led to an attack. This process has the following
drawbacks:
- Large Volume of Data: Growth of network traffic outpaces Moore's
law [39], making prolonged storage, processing, and sharing of raw network
data infeasible. Most of the approaches to evidence collection have focused
on improving the performance of packet-loggers to keep up with ever increasing
network speeds and have failed to exploit the inherent hierarchy of
networks or the availability of various synopsis techniques to collect evidence
efficiently.
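To make the "synopsis technique" point concrete, here is an added example (written for this edit, not code from the ForNet paper or its authors) of one such synopsis: a Bloom filter over connection records. Instead of retaining raw packets, a collector keeps a fixed-size bit array into which each observed flow sets a few bits; later, an analyst can ask "was this flow ever seen at this vantage point?" and get an exact "no" or a probabilistic "yes". The flow tuples, the 1 MiB filter size and the choice of SHA-256 to derive bit positions are all assumptions of the example; the paper does not specify them at this point.

```python
import hashlib
import math
from typing import Dict, Iterable, List, Tuple

# A connection record reduced to the fields an analyst usually queries on.
# (Assumed record shape; the paper does not fix one here.)
Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)


class FlowSynopsis:
    """Bloom-filter synopsis over flows.

    Each flow costs k bit-sets instead of its packets, so the structure stays
    at a fixed size no matter how much traffic passes. Membership answers are
    exact for "no" and probabilistic for "yes": false positives are possible,
    false negatives are not. That asymmetry is what makes it usable as
    forensic evidence of absence and as a lead (not proof) of presence.
    """

    def __init__(self, size_bits: int = 1 << 20, num_hashes: int = 3) -> None:
        # A SHA-256 digest yields four 8-byte windows, so k <= 4 here.
        if not 1 <= num_hashes <= 4:
            raise ValueError("num_hashes must be between 1 and 4")
        self.m = size_bits
        self.k = num_hashes
        self.bits = bytearray(size_bits // 8)
        self.count = 0  # number of flows inserted, used for the FP estimate

    def _positions(self, flow: Flow) -> Iterable[int]:
        # Derive k bit positions from successive 8-byte windows of one digest.
        key = f"{flow[0]}|{flow[1]}|{flow[2]}".encode()
        digest = hashlib.sha256(key).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[i * 8:(i + 1) * 8], "big") % self.m

    def add(self, flow: Flow) -> None:
        for pos in self._positions(flow):
            self.bits[pos // 8] |= 1 << (pos % 8)
        self.count += 1

    def might_contain(self, flow: Flow) -> bool:
        # True only if every position is set; a single clear bit is a definite "no".
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(flow))

    def false_positive_rate(self) -> float:
        # Standard Bloom-filter estimate: (1 - e^(-k*n/m))^k
        return (1.0 - math.exp(-self.k * self.count / self.m)) ** self.k

    def size_bytes(self) -> int:
        return len(self.bits)


# Constructed sample flows standing in for what a collector would observe.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "192.0.2.10", 22),
    ("10.0.0.5", "192.0.2.11", 443),
    ("10.0.0.7", "198.51.100.3", 25),
    ("10.0.0.9", "192.0.2.10", 22),
]


def build_example_synopsis() -> FlowSynopsis:
    """Ingest the constructed flows into a fresh 1 MiB synopsis."""
    synopsis = FlowSynopsis()
    for flow in SAMPLE_FLOWS:
        synopsis.add(flow)
    return synopsis


def storage_comparison(synopsis: FlowSynopsis, flows: List[Flow]) -> Dict[str, int]:
    """Bytes needed for a naive text log of the flows versus the fixed synopsis.

    For four flows the log wins; the point is that the synopsis stays at
    size_bytes() regardless of how many more flows are added.
    """
    raw_log = sum(len(f"{s} {d} {p}\n".encode()) for s, d, p in flows)
    return {"raw_log_bytes": raw_log, "synopsis_bytes": synopsis.size_bytes()}


if __name__ == "__main__":
    s = build_example_synopsis()
    print("seen 10.0.0.5 -> 192.0.2.10:22 ?", s.might_contain(("10.0.0.5", "192.0.2.10", 22)))
    print("seen 10.0.0.99 -> 198.51.100.7:443 ?", s.might_contain(("10.0.0.99", "198.51.100.7", 443)))
    print("estimated false-positive rate:", s.false_positive_rate())
    print(storage_comparison(s, SAMPLE_FLOWS))
```

The caveat an analyst must keep in mind is the false-positive rate: a "yes" from the synopsis is a lead to be corroborated (for example against a neighbouring collector in the network hierarchy), while a "no" is conclusive for that vantage point. The rate is controlled by the filter size and the number of inserted flows, so a deployment has to size the filter for the expected traffic volume and rotate filters on a schedule.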