network events. However, this is not feasible in practice due to storage limitations. It is our contention that even if a network forensics system is unable to provide complete and accurate information about network events, as long as we have intelligent summaries, snippets of approximate information can be put together to form the “big picture,” much like corroborating evidence in classical forensics.
For example, let us consider the latest Internet worm outbreak, the SQL Slammer Worm, as a possible investigation scenario in which an analyst has to find the origin of the worm. The worm spreads by infecting unpatched SQL Servers listening on UDP port 1434. Assuming ForNet is widely deployed on the Internet, the analyst needs to determine from which region of the Internet the worm began its propagation. Since SynApps keep track of various events in their local environment, the analyst will be able to detect a spike in traffic to port 1434 on any network. Starting from an arbitrary network, the analyst can now query that network about its first observation of increased activity to port 1434 and recursively query whichever network reports the earliest time. These recursive queries will eventually lead to the particular network from which the worm started its propagation. Now the analyst can focus their investigative resources on that network to locate the host that sent out the first malignant packet to port 1434, which associates a particular host with the outbreak. When further investigation of the host turns up new leads, ForNet can be used in a similar fashion to find the perpetrator who actually unleashed the worm.
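The two ideas above, a compact per-network synopsis and a recursive "who saw it first" walk across networks, can be run end to end on constructed data. The following is an added example, not code from the ForNet paper or its SynApps: the traffic, the network names A to E, their peering graph and the outbreak start times are all hypothetical, and the "query the peer reporting the earliest time" step is implemented as a greedy walk over that graph, which is one reading of the procedure described above.

```python
from collections import Counter

# Constructed traffic, not captured data: each packet is (timestamp_s, proto, dst_port).
# A SynApp would build the synopsis from live traffic; here it is synthesized per network.
def constructed_traffic(spike_start, end=1200):
    packets = [(t, "tcp", 80) for t in range(0, end, 30)]             # unrelated web traffic
    packets += [(t + 5, "udp", 1434) for t in range(0, end, 60)]      # background 1434 noise, 1/min
    packets += [(t, "udp", 1434) for t in range(spike_start, end, 2)]  # worm traffic, 30/min
    return packets

def port_synopsis(packets, proto="udp", port=1434, bucket=60):
    """Compact summary a SynApp could keep: packets per time bucket for one proto/port."""
    counts = Counter()
    for ts, p, dport in packets:
        if p == proto and dport == port:
            counts[(ts // bucket) * bucket] += 1
    return dict(sorted(counts.items()))

def first_spike(synopsis, factor=10):
    """Earliest bucket whose count exceeds factor times the first bucket's count, else None."""
    if not synopsis:
        return None
    baseline = next(iter(synopsis.values()))
    for start, count in synopsis.items():
        if count > factor * baseline:
            return start
    return None

def trace_origin(first_seen, peers, start):
    """Greedy walk over the peering graph: move to the peer that reports an earlier
    first observation until no peer does. first_seen maps network -> spike time or None."""
    current, visited = start, {start}
    while True:
        candidates = [n for n in peers[current]
                      if first_seen[n] is not None
                      and (first_seen[current] is None or first_seen[n] < first_seen[current])]
        if not candidates:
            return current
        nxt = min(candidates, key=lambda n: first_seen[n])
        if nxt in visited:          # inconsistent clocks between networks could create a cycle
            return current
        visited.add(nxt)
        current = nxt

# Hypothetical networks with constructed outbreak start times (seconds); C is the origin.
SPIKE_START = {"A": 600, "B": 420, "C": 300, "D": 480, "E": 540}
PEERS = {"A": ["B", "E"], "B": ["A", "C", "D"], "C": ["B"], "D": ["B", "E"], "E": ["A", "D"]}

def investigate(start):
    """Run the analyst's procedure end to end from an arbitrary starting network."""
    first_seen = {net: first_spike(port_synopsis(constructed_traffic(t)))
                  for net, t in SPIKE_START.items()}
    return trace_origin(first_seen, PEERS, start)

if __name__ == "__main__":
    for net in SPIKE_START:
        print(f"starting at {net}: origin reported as {investigate(net)}")
```

Whatever network the walk starts from, it converges on C, because every other network has at least one peer that saw the port-1434 spike earlier. The synopsis is deliberately lossy (per-minute counts for one port rather than packets), which is exactly the kind of approximate snippet the text argues is enough once several networks' answers are combined; the visited-set check matters in practice because clock skew between administrative domains can make two networks each claim the other saw the spike first.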
Currently there is no infrastructure to provide valuable, trustworthy information about network events. We believe ForNet will fill this gap. The rest of this paper is organized as follows: the next section presents a brief overview of related work. Section 3 presents design goals of ForNet and an overview of the system. In Section 4 we discuss synopsis techniques, followed by a discussion of security issues in the design of ForNet in Section 5, and we conclude in Section 6 with a discussion on future work.
2 Related Work
Network Forensics: There has been very little work done in network forensics. Mnemosyne is a dynamically configurable advanced packet capture application that supports multi-stream capturing, sliding-window based logging to conserve space, and query support on collected packets [27]. In [40], a general framework in terms of enterprise network and computer related policies to facilitate investigation is presented. Also, in the recent past, researchers have proposed some clever solutions to the Denial of Service (DoS) problem by tracing IP packets back to their source (IP traceback) [36, 33, 37, 6, 12, 10, 24]. Most of this work can be grouped into two main categories: one in which no extra network packets are generated [36, 33, 37, 12, 10] and the other in which a few extra network packets are generated [6, 24]. The former is either based on probabilistic packet marking, which overloads existing header fields (e.g. the IP fragment ID field) to succinctly encode the path traversed by a packet in a manner that will have minimal im-
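To make the probabilistic packet marking idea concrete, here is an added simulation that is not from this paper or from the traceback papers it cites: it uses the simplest node-sampling variant, in which each router on the path overwrites the 16-bit IP identification field with its own identifier with probability p, and the victim recovers the path from how often each router's mark survives. The router identifiers and the path are constructed; the cited schemes use more elaborate edge encodings, and this block only shows why overloading one header field is enough to carry path information without any extra packets.

```python
import random
from collections import Counter

# Hypothetical router identifiers that fit in the 16-bit IP identification field (constructed).
PATH = [0x1A01, 0x1A02, 0x1A03, 0x1A04]   # attacker-side router first, victim-side router last

def forward_packet(path, p, rng):
    """Simulate one packet: each router on the path overwrites the ID field with its own
    identifier with probability p (node sampling); otherwise the field keeps its value."""
    ident = rng.randrange(1 << 16)      # the original, unrelated IP ID chosen by the sender
    for router in path:
        if rng.random() < p:
            ident = router
    return ident

def collect_marks(path, p, n_packets, seed=1):
    """Victim side: record the ID field of n_packets packets of the attack stream."""
    rng = random.Random(seed)
    return [forward_packet(path, p, rng) for _ in range(n_packets)]

def reconstruct_path(marks, known_routers):
    """A router's mark survives with probability p*(1-p)^(d-1) for distance d from the
    victim, so ranking routers by mark count orders the path from the victim outward;
    the result is reversed to report the attacker-side router first."""
    counts = Counter(m for m in marks if m in known_routers)
    victim_outward = [r for r, _ in counts.most_common()]
    return list(reversed(victim_outward))

if __name__ == "__main__":
    marks = collect_marks(PATH, p=0.5, n_packets=5000)
    print("reconstructed path:", [hex(r) for r in reconstruct_path(marks, set(PATH))])
```

With p = 0.5 and four routers the expected surviving-mark counts for 5000 packets are roughly 2500, 1250, 625 and 312, so the ordering is unambiguous; with a lower p or a longer path the victim needs more packets before the counts separate, which is the convergence-time cost the traceback literature trades against per-packet overhead.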