pact on existing users or based on keeping the digest of all the IP packets in the infrastructure itself (e.g. routers). Thus, given an input IP packet, it can be reliably traced back to its origin. In the latter technique, a router picks a network packet with a small probability (e.g. 1 in 20,000) and sends a traceback packet as an ICMP message to the destination of the packet with the router's own IP as the source. During a denial-of-service attack the victim will receive sufficient traceback packets to reconstruct the attack path. Recently, another system to track malicious emails (in fact any email) has been proposed, which aims to reduce the spread of self-replicating viruses [7].
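The probabilistic traceback scheme just described, simulated in Python as an added example; this is not code from the paper or from the systems it cites. The text says only that a sampled router sends an ICMP message to the packet's destination with its own IP as the source. To let the victim order the messages into a path, the example assumes each message also carries the router's next-hop address; that field, the router addresses and the victim address are all constructed for illustration.

```python
"""Probabilistic ICMP traceback, simulated: routers sample packets at 1 in 20,000
and the victim chains the resulting messages into the attack path.
Added example; the next_hop field is an assumption beyond the text."""
import random
from dataclasses import dataclass

VICTIM = "192.0.2.10"                        # constructed victim address
ATTACK_PATH = ["198.51.100.1", "198.51.100.2", "198.51.100.3",
               "198.51.100.4", "198.51.100.5"]   # constructed router path, source side first
TRACEBACK_PROBABILITY = 1 / 20_000           # sampling rate given in the text


@dataclass(frozen=True)
class TracebackMessage:
    """What the victim sees: an ICMP message whose source is the emitting router."""
    source: str     # the router's own IP address
    next_hop: str   # assumed extra field: where the router forwarded the packet


def forward_packet(path, destination, rng, p=TRACEBACK_PROBABILITY):
    """Carry one packet along `path`; each router independently samples it with probability p."""
    messages = []
    for i, router in enumerate(path):
        if rng.random() < p:
            next_hop = path[i + 1] if i + 1 < len(path) else destination
            messages.append(TracebackMessage(source=router, next_hop=next_hop))
    return messages


def reconstruct_path(messages, destination):
    """Walk backwards from the victim, linking each router to the one that fed it.
    Returns the longest chain the received messages support, source side first."""
    predecessor = {m.next_hop: m.source for m in messages}
    path, hop = [], destination
    while hop in predecessor:
        hop = predecessor[hop]
        if hop in path:          # inconsistent messages could form a loop; stop rather than spin
            break
        path.append(hop)
    path.reverse()
    return path


def simulate_flood(path, destination, seed=1, p=TRACEBACK_PROBABILITY, max_packets=2_000_000):
    """Send flood packets until the victim holds a message from every router on the path.
    Returns (reconstructed_path, packets_sent). The expected count is roughly
    (1/p) * (1 + 1/2 + ... + 1/n) for n routers, so a short probe is never traceable;
    only a sustained flood is."""
    rng = random.Random(seed)
    received = []
    for sent in range(1, max_packets + 1):
        new = forward_packet(path, destination, rng, p)
        if new:
            received.extend(new)
            if reconstruct_path(received, destination) == list(path):
                return list(path), sent
    return reconstruct_path(received, destination), max_packets


if __name__ == "__main__":
    recovered, n = simulate_flood(ATTACK_PATH, VICTIM, seed=7)
    print(f"path recovered after {n} packets: {' -> '.join(recovered)} -> {VICTIM}")
```

With a missing message from a middle router, `reconstruct_path` stops at the gap and returns only the routers nearest the victim, which is why the victim needs messages from every hop before the path is complete.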
Intrusion Detection Systems: Intrusion Detection Systems (IDS) have been studied extensively over the past few years, and the main body of work can be categorized into two groups, signature-based and anomaly detection systems [13]. Signature-based methods rely on a specific signature of an intrusion which, when found, triggers an alarm [23, 21]. Such systems cannot detect novel attacks, as evidenced by recent Internet worm activities. On the other hand, anomaly detection systems rely on characterizing the normal operation of a network or a host and attempt to detect significant deviations from the norm to trigger an alarm [16, 22, 30, 29]. Although anomaly detection systems can detect novel attacks to a certain extent, they are not a viable solution because of the unacceptable rate of false alarms [2]. Hybrid solutions [1] that combine signature-based systems and anomaly detection systems have been suggested to decrease false alarm rates and are used in commercial products. SHADOW and EMERALD are distributed IDS capable of collecting and processing data from various points on a network. As far as we know, these are the earliest schemes to collect data in a distributed manner for security-related analysis. In these systems raw data is collected and transferred to a central collection facility for analysis. IDSs are not always suitable for forensic analysis as they only catch the known or the unusual, but crimes are often committed by insiders using new and unknown methods. It is conceivable that an IDS and a forensics system can cooperate with each other, but this is beyond the scope of this paper. We envisage the community moving in this direction once we have demonstrated a working prototype.
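The two detector families compared above, run side by side over a handful of constructed web-server log lines, as an added example; this is not code from the paper or from the systems it cites. The signature rules, the log lines, the addresses and the z-score threshold are all constructed. It shows the behaviour the text describes: the signature rule fires only on the pattern it was written for and misses the novel flood, while the rate-based anomaly detector catches the flood but also raises a false alarm on a legitimate burst.

```python
"""Signature-based versus anomaly-based detection over constructed web-server log
lines. Added example; rules, log lines and the z-score threshold are all constructed."""
import re
import statistics
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed signature rules: a request path matching one of these is a known-bad indicator.
SIGNATURES = {
    "cmd-exe-in-path": re.compile(r"cmd\.exe", re.IGNORECASE),
    "dot-dot-traversal": re.compile(r"\.\./|%2e%2e", re.IGNORECASE),
}


def make_lines(ip, minute, n, path="/index.html"):
    """Constructed combined-log-format lines: n requests from ip within one minute."""
    return [f'{ip} - - [{minute}:{i % 60:02d} -0700] "GET {path} HTTP/1.0" 200 512'
            for i in range(n)]


# Quiet baseline traffic (a few requests per minute per host) used to learn "normal".
BASELINE_LOG = (
    make_lines("198.51.100.10", "10/Oct/2000:13:50", 2)
    + make_lines("198.51.100.11", "10/Oct/2000:13:50", 3)
    + make_lines("198.51.100.12", "10/Oct/2000:13:51", 2)
    + make_lines("198.51.100.13", "10/Oct/2000:13:51", 1)
    + make_lines("198.51.100.10", "10/Oct/2000:13:52", 3)
)
# Live traffic: a novel flood that matches no signature, a legitimate burst (one page
# pulling many assets), and a single request that hits a known signature.
LIVE_LOG = (
    make_lines("203.0.113.9", "10/Oct/2000:14:00", 40)
    + make_lines("198.51.100.20", "10/Oct/2000:14:00", 8, "/gallery/photo.jpg")
    + make_lines("203.0.113.77", "10/Oct/2000:14:01", 1, "/scripts/cmd.exe")
)


def parse(line):
    """Return the fields of one log line plus a per-minute bucket key, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:17]   # "10/Oct/2000:13:50:00 -0700" -> "10/Oct/2000:13:50"
    return rec


def signature_alerts(records):
    """Known-bad patterns only: precise, but blind to anything without a rule."""
    return [(r["ip"], name) for r in records
            for name, rx in SIGNATURES.items() if rx.search(r["path"])]


def anomaly_alerts(baseline_records, live_records, z=3.0):
    """Flag hosts whose requests per minute exceed mean + z * stdev of the baseline.
    Catches the novel flood, but any legitimate burst above the threshold is a false alarm."""
    def per_minute(records):
        return Counter((r["ip"], r["minute"]) for r in records)
    base = list(per_minute(baseline_records).values())
    threshold = statistics.fmean(base) + z * (statistics.pstdev(base) or 1.0)
    return sorted({ip for (ip, _), n in per_minute(live_records).items() if n > threshold})


def run_detectors():
    """Run both detectors; the anomaly list contains the flood and the false alarm."""
    baseline = [parse(line) for line in BASELINE_LOG]
    live = [parse(line) for line in LIVE_LOG]
    return {"signature": signature_alerts(live), "anomaly": anomaly_alerts(baseline, live)}


if __name__ == "__main__":
    for kind, hits in run_detectors().items():
        print(kind, hits)
```

A hybrid along the lines the text mentions would rank a host that appears in both lists above one that appears only in the anomaly list, which is how such systems trade some coverage for a lower false-alarm rate.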
Synopsis Techniques for Managing Data Streams: Data Stream Management Systems (DSMS) have been proposed [5] to integrate data collection and processing of network streams in order to support on-line processing for various network management applications. Data stream management systems work on continuous streams of data with stringent bounds on space and processing power to produce best-estimate results [3, 28]. With such volumes of data there is no time for detailed analysis; only synopses of the data streams can be extracted and archived. There are various approaches to building synopses of data streams [17] (histograms [19, 38, 25, 26], samples [4, 17], wavelets [18], decision trees [14, 20], sliding windows [4, 11], Bloom filters [8, 9]), and each is adapted to a certain kind of query. Often, the kind of aggregate queries they answer are not suitable for forensics, as they tend to focus on the recent past (sliding
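Two of the synopsis structures listed above, a Bloom filter and a sliding window built from Bloom filters, as an added example; this is not code from the paper or from the systems it cites. The stream of source addresses is constructed, and the filter sizing uses the standard formulas for a target false-positive rate. The sliding-window class makes the forensic limitation concrete: membership over the recent past is cheap and bounded, but an address that falls out of the window can no longer be queried at all.

```python
"""Two stream synopses: a Bloom filter (set membership in fixed memory) and a
sliding window of Bloom filters (membership over the recent past only).
Added example; the address stream is constructed."""
import hashlib
import math


class BloomFilter:
    """Fixed-memory set synopsis: never a false negative, tunable false-positive rate."""

    def __init__(self, expected_items, false_positive_rate):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits and k = (m / n) ln 2 hash functions.
        self.m = max(8, math.ceil(-expected_items * math.log(false_positive_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: k indices derived from two 64-bit halves of a single SHA-256 digest.
        digest = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def size_bytes(self):
        return len(self.bits)


class SlidingWindowSynopsis:
    """One Bloom filter per time slice; only the newest `slices` filters are kept, so
    "seen recently?" stays cheap while anything older is simply gone."""

    def __init__(self, slices, expected_per_slice, false_positive_rate):
        self.slices = slices
        self.expected = expected_per_slice
        self.fp_rate = false_positive_rate
        self.window = []            # oldest slice first

    def advance(self):
        """Start a new time slice, discarding the oldest once the window is full."""
        self.window.append(BloomFilter(self.expected, self.fp_rate))
        if len(self.window) > self.slices:
            self.window.pop(0)

    def add(self, item):
        if not self.window:
            self.advance()
        self.window[-1].add(item)

    def seen(self, item):
        return any(item in bf for bf in self.window)


def false_positive_rate(bf, probes):
    """Fraction of never-inserted probes the filter wrongly reports as present."""
    return sum(item in bf for item in probes) / len(probes)


def demo(n=10_000, target_fp=0.01):
    """Summarise n constructed source addresses and measure the filter's behaviour.
    Returns (bytes used, observed false-positive rate, number of false negatives)."""
    seen_ips = [f"10.0.{i >> 8 & 255}.{i & 255}" for i in range(n)]       # constructed stream
    never_seen = [f"172.16.{i >> 8 & 255}.{i & 255}" for i in range(n)]  # constructed probes
    bf = BloomFilter(expected_items=n, false_positive_rate=target_fp)
    for ip in seen_ips:
        bf.add(ip)
    false_negatives = sum(ip not in bf for ip in seen_ips)
    return bf.size_bytes(), false_positive_rate(bf, never_seen), false_negatives


if __name__ == "__main__":
    size, fp, fn = demo()
    print(f"{size} bytes for 10,000 addresses, observed FP rate {fp:.4f}, false negatives {fn}")
```

The filter answers exactly one question, "has this item been seen?", and nothing else: no counts, no timestamps, no recovery of the items themselves, which is the sense in which the text calls such synopses ill-suited to forensic queries.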