seen on the network. For instance, a multi-dimensional histogram can reveal a high proportion of SYN packets from two machines to various ports, which may indicate a port scan, while a high frequency of activity on a single port from various machines to a single target may indicate a denial-of-service (DoS) attack. It can also capture trends across time, for example to detect slow scans. A sample may also indicate the time period of a certain connection, provided the connection has enough packets that at least one of them is included in the sample.
In general, high-level data is amenable to data mining. Since the purpose is forensics and not intrusion detection, later processing is acceptable as long as the mining has sufficient and representative data to use. A sample is adopted in this case because it keeps a representation of the data which can later be mined in unexpected ways, whereas histograms and wavelet representations cannot.
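The two indicators described above (one source sending SYNs to many ports, many sources hitting one destination port) can be read directly off a multi-dimensional histogram of packet headers. The following is an added example, not code from the ForNet paper: it assumes packets have already been reduced to (src, dst, dport, flags) tuples by the synopsis engine, and the thresholds and the packet set are constructed for illustration.

```python
"""Port-scan and DoS indicators from a multi-dimensional packet histogram.

Added example, not from the paper. Assumption: packets are summarised as
(src, dst, dport, flags) tuples; thresholds and sample traffic are constructed.
"""
from collections import Counter, defaultdict

SCAN_MIN_PORTS = 10    # distinct destination ports probed with SYN by one source
DOS_MIN_SOURCES = 20   # distinct sources converging on one dst:port


def build_histogram(packets):
    """Count packets per (src, dst, dport, flags) cell of the histogram."""
    return Counter(packets)


def detect(hist):
    """Return sources that look like port scanners and dst:port pairs that look flooded."""
    syn_ports_by_src = defaultdict(set)
    sources_by_target = defaultdict(set)
    for (src, dst, dport, flags), _count in hist.items():
        if flags == "S":                      # bare SYN, the classic scan probe
            syn_ports_by_src[src].add(dport)
        sources_by_target[(dst, dport)].add(src)
    scans = sorted(src for src, ports in syn_ports_by_src.items()
                   if len(ports) >= SCAN_MIN_PORTS)
    dos = sorted(t for t, srcs in sources_by_target.items()
                 if len(srcs) >= DOS_MIN_SOURCES)
    return {"port_scans": scans, "dos_targets": dos}


def constructed_packets():
    """Constructed traffic: two scanners, one SYN flood, and some ordinary connections."""
    pkts = []
    for src in ("10.0.0.5", "10.0.0.9"):                       # two scanners, 30 ports each
        pkts += [(src, "192.168.1.10", p, "S") for p in range(1, 31)]
    pkts += [(f"172.16.0.{i}", "192.168.1.20", 80, "S")        # 50 hosts flooding one web port
             for i in range(1, 51)] * 3
    pkts += [("10.0.0.7", "192.168.1.10", 443, "S"),           # normal handshake traffic
             ("10.0.0.7", "192.168.1.10", 443, "A")] * 5
    return pkts


if __name__ == "__main__":
    print(detect(build_histogram(constructed_packets())))
```

Because only sets of distinct ports and sources are tested, a host that retries one port many times is not flagged as a scanner and a single noisy client is not flagged as a DoS source; per-cell counts remain available in the histogram for thresholds on volume if needed.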
5 Security of ForNet
The usefulness of information obtained from ForNet relies on the integrity, accu-
racy, and authenticity of results it generates. Furthermore, ForNet itself has to
be resilient to attacks by an adversary. In this section we discuss some measures
to provide integrity and authenticity of data on ForNet and possible attacks on
ForNet itself.
5.1 Security Measures in ForNet
Security primitives required for data integrity and authentication are provided by the Security Manager. Integrity of evidence on ForNet is guaranteed by digitally signing time-stamped synopses, along with necessary meta data such as false positive rates and hash keys, before committing them to the database. The Security Manager also enforces access control to data by means of privacy policies. All queries must be signed by the querier, and the Security Manager verifies the access control privileges of the querier upon receiving the query. If the query does not violate any privacy policy, the query processor retrieves the necessary data from storage. Once the Security Manager has verified the integrity of the retrieved data, the query processor is allowed to process it. Finally, the results generated by the query processor are certified at the Forensic Server and sent to the querier along with the meta data required to quantify the accuracy of the results.
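The sequence above (sign synopsis plus meta data at commit time, verify the querier's signature, apply the privacy policy, re-verify stored evidence before processing, certify the result) is sketched below as an added example; it is not the ForNet implementation. Stdlib HMAC-SHA256 stands in for the digital signatures the paper calls for (a deployment would use an asymmetric scheme so that a querier cannot forge the Forensic Server's certification), the synopsis is a per-port packet-count histogram, the privacy policy is a per-querier set of ports, and all keys and data are constructed.

```python
"""Security Manager / query processor flow for signed synopses (added example).

Assumptions: HMAC-SHA256 stands in for digital signatures; the synopsis is a
per-port packet count; the privacy policy is a set of ports per querier;
keys, policy and stored data are constructed for the demonstration.
"""
import hashlib
import hmac
import json

SECURITY_MANAGER_KEY = b"security-manager-demo-key"   # constructed
FORENSIC_SERVER_KEY = b"forensic-server-demo-key"     # constructed
QUERIER_KEYS = {"analyst-1": b"analyst-1-demo-key"}   # constructed
PRIVACY_POLICY = {"analyst-1": {80, 443}}             # ports analyst-1 may query


def canonical(obj):
    """Deterministic serialisation so a signature covers exactly one byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key, payload):
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify(key, payload, sig):
    return hmac.compare_digest(sig, sign(key, payload))


def commit_synopsis(port_histogram, timestamp, false_positive_rate, hash_key):
    """Security Manager: time-stamp the synopsis, attach meta data, sign, then store."""
    record = {
        "synopsis": port_histogram,                  # e.g. {"80": 120, "22": 7}
        "timestamp": timestamp,
        "meta": {"fp_rate": false_positive_rate, "hash_key": hash_key},
    }
    return {"record": record, "sig": sign(SECURITY_MANAGER_KEY, record)}


def make_query(querier, port, start, end):
    """Querier signs the query envelope before sending it."""
    envelope = {"querier": querier, "port": port, "start": start, "end": end}
    return {"envelope": envelope, "sig": sign(QUERIER_KEYS[querier], envelope)}


def process_query(signed_query, storage):
    """Signature check, policy check, integrity check, then processing and certification."""
    env = signed_query["envelope"]
    key = QUERIER_KEYS.get(env["querier"])
    if key is None or not verify(key, env, signed_query["sig"]):
        return {"status": "rejected", "reason": "query signature invalid"}
    if env["port"] not in PRIVACY_POLICY.get(env["querier"], set()):
        return {"status": "rejected", "reason": "privacy policy violation"}
    selected = [s for s in storage if env["start"] <= s["record"]["timestamp"] <= env["end"]]
    if not all(verify(SECURITY_MANAGER_KEY, s["record"], s["sig"]) for s in selected):
        return {"status": "rejected", "reason": "stored synopsis failed integrity check"}
    packets = sum(s["record"]["synopsis"].get(str(env["port"]), 0) for s in selected)
    result = {"port": env["port"], "packets": packets,
              "meta": {"fp_rates": [s["record"]["meta"]["fp_rate"] for s in selected]}}
    # Forensic Server certifies the result so the querier can check it was not altered in transit.
    return {"status": "ok", "result": result, "certificate": sign(FORENSIC_SERVER_KEY, result)}


def demo():
    storage = [commit_synopsis({"80": 120, "22": 7}, 1000, 0.01, "k1"),
               commit_synopsis({"80": 35, "443": 9}, 1060, 0.01, "k2")]
    good = process_query(make_query("analyst-1", 80, 900, 1100), storage)
    # Evidence tampered in storage without re-signing: integrity check must fail.
    tampered = [dict(s, record=dict(s["record"])) for s in storage]
    tampered[0]["record"]["synopsis"] = {"80": 0, "22": 7}
    bad = process_query(make_query("analyst-1", 80, 900, 1100), tampered)
    # Port 22 is outside analyst-1's policy.
    denied = process_query(make_query("analyst-1", 22, 900, 1100), storage)
    # Query altered after signing: signature no longer matches the envelope.
    forged = make_query("analyst-1", 80, 900, 1100)
    forged["envelope"]["port"] = 443
    return good, bad, denied, process_query(forged, storage)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of checks matters: the querier's signature is verified before the policy is consulted, so an unauthenticated party learns nothing about which ports a policy permits, and stored records are re-verified at query time rather than trusted because they were signed at commit time.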
5.2 Attacks on ForNet
As a passive network security tool, ForNet is vulnerable to most of the attacks described in [29,31]. In addition, being a storage unit for network traffic and processing queries from untrusted remote hosts introduces new challenges as well. A notable distinction in the effects of these attacks on intrusion detection systems and on forensic systems like ForNet is that, while in an IDS they may subvert the system to avoid recording of evidence, on ForNet such attacks would create problems during query processing and data interpretation but cannot subvert