- Incompleteness of Logs: Most network administrators rely on alerts from intrusion detection systems and the resulting packet-logs for forensic analysis. It is important to note that intrusion detection systems log packets only when an alert is triggered. Hence, a new attack or an attack currently not defined by the security policy is not recorded by the system. Some networks are equipped with packet-loggers which log packets indiscriminately. However, due to cost considerations and associated storage requirements, such packet loggers are usually deployed at network edges and do not witness network events, such as insider attacks, that never cross network boundaries.
- Long Response Times: Most of the investigative process is manual. Since attacks often span multiple administrative domains, this makes response times undesirably long. Since digital evidence is malleable, it is important to reduce response times so that evidence can be secured in time.
- Lack of Mechanisms to Share Logs: The inability of existing forensic mechanisms to share evidence and lack of mechanisms to query networks prohibit forensic analysts from exploring networks incrementally while tracking and tracing an attack. This in turn results in inefficient allocation of resources because the analysts are unable to confine their search for perpetrators to a particular network.
- Unreliable Logging Mechanisms: Logging mechanisms on hosts are not reliable and can easily be circumvented by adversaries. Increasing use of wireless networks and support for mobility enable hosts to join a network from any arbitrary point and make enforcement of prudent host logging policies difficult.
As more and more failures of defensive mechanisms result in financial damages and cause significant threats to our critical infrastructure, there will be an increased need for attack attribution so that criminal acts do not go unpunished. In this context, digital forensics will play an increasingly vital role in the security of future networks. In fact, we envision that future networks will be equipped with forensic components that complement existing defensive mechanisms to provide viable deterrence to malicious activity by increasing our ability to track and trace attacks to their source.
In this paper we present the design of a network forensics system, ForNet, that aims to address the lack of effective tools for aiding investigation of malicious activity on the Internet. ForNet is a network of two functional components. A Synopsis Appliance, called SynApp, is designed to summarize and remember network events in its vicinity for a prolonged period of time and to be able to attest to these events with a certain level of confidence. A Forensic Server is a centralized authority for a domain that manages a set of SynApps in that domain. A Forensic Server receives queries from outside its domain, processes them in co-operation with the SynApps within its domain and returns query results back to the senders after authentication and certification.
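The two components just described, as an added example that is not the paper's own code: a SynApp is modelled as a Bloom filter over the (src, dst) flows it observes, and a Forensic Server fans a query out to its SynApps, reports which vantage points attest to the flow and with what confidence, and certifies the answer. The paper does not specify the synopsis structure or the certification scheme; the Bloom filter, the HMAC tag, the topology and the flows are all assumptions constructed here.

```python
import hashlib, hmac, math

class SynApp:
    """One vantage point: summarises the (src, dst) flows it sees in a Bloom filter."""
    def __init__(self, name, bits=1 << 16, hashes=4):
        self.name, self.bits, self.hashes = name, bits, hashes
        self.filter = bytearray(bits // 8)   # the synopsis itself
        self.count = 0                       # flows inserted; drives the confidence estimate
    def _positions(self, key):
        # Derive `hashes` bit positions from one SHA-256 digest of the flow key
        digest = hashlib.sha256(key.encode()).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.bits
                for i in range(self.hashes)]
    def observe(self, src, dst):
        for p in self._positions(f"{src}->{dst}"):
            self.filter[p // 8] |= 1 << (p % 8)
        self.count += 1
    def query(self, src, dst):
        # A 'no' is certain (no false negatives); a 'yes' carries 1 - estimated FP rate
        seen = all((self.filter[p // 8] >> (p % 8)) & 1
                   for p in self._positions(f"{src}->{dst}"))
        fpr = (1 - math.exp(-self.hashes * self.count / self.bits)) ** self.hashes
        return seen, (1 - fpr) if seen else 1.0

class ForensicServer:
    """Domain authority: fans a query out to its SynApps and certifies the answer."""
    def __init__(self, domain, key):
        self.domain, self.key, self.synapps = domain, key, []

    def handle_query(self, src, dst):
        answers = [(s.name, *s.query(src, dst)) for s in self.synapps]
        witnesses = [(n, c) for n, seen, c in answers if seen]
        payload = f"{self.domain}|{src}->{dst}|" + ";".join(f"{n}:{c:.6f}" for n, c in witnesses)
        tag = hmac.new(self.key, payload.encode(), "sha256").hexdigest()  # certification
        return {"witnesses": witnesses, "payload": payload, "tag": tag}

    @staticmethod
    def verify(key, result):
        expected = hmac.new(key, result["payload"].encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, result["tag"])

def build_demo_domain():
    # Constructed topology and events (not from the paper): an edge logger and a
    # core switch; the internal flow never crosses the network boundary.
    server = ForensicServer("example-domain", b"constructed-demo-key")
    edge, core = SynApp("edge-router"), SynApp("core-switch")
    server.synapps += [edge, core]
    core.observe("10.0.0.5", "10.0.0.9")            # insider flow, seen only in the core
    for s in (edge, core):
        s.observe("10.0.0.5", "198.51.100.7")       # outbound flow, seen by both
    return server
```

Querying the insider flow returns only the core switch as a witness, which is the edge-logger blind spot from the first bullet above.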
One key idea behind our network forensics system is that it builds and stores summaries of network events, based on which queries are answered. Ideally, a network forensics system should provide complete and accurate information about