Such a mechanism will of course have to be deployed at the SynApps closer to hosts
and not at the ones closer to the core of the network.
Forensic Analyst: In the previous case, the adversary manipulated the synopsis
algorithms' interpretation of evidence, but it is important to note that he can also
manipulate how an analyst or the query processor interprets the evidence. For
example, the adversary can send a FIN or RST packet to a host with which he
has established a connection such that the host takes no action on the packet
(for example, a FIN or RST with a wrong sequence number); however, the
connection records reflect a connection termination, as they simply record any
packet with TCP flags set. Although the connection records will also contain the
subsequent real connection termination packets, if the analyst or the query processor
only looks for the first FIN or RST packet following a SYN, it would seem the
connection was terminated earlier. Note that, unlike the previous attack, in this
attack the data is available in ForNet; however, it is never processed, as the query's
interpretation of connection time is the first FIN or RST packet that follows the SYN
packet. A persistent analyst will find this ambiguity in the connection records.
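The ambiguity described above, as an added example that is not part of the paper and not ForNet's own code. It builds a toy connection-record synopsis from a constructed packet list, queries it the naive way the text describes (first FIN or RST after the SYN) and then the way an analyst would want: a termination packet is only accepted if its sequence number is plausible for its sender, and any rejected candidate is reported so the early termination is visible as an ambiguity rather than silently trusted. The `Pkt` type, the sequence-window plausibility rule and the flow keying are assumptions made for the example; a real SynApp would keep a far more compact record than whole packets.

```python
"""Toy connection-record synopsis with a naive and a checked termination query.
All packets are constructed sample data; the window rule is a simplification of
how a host decides whether to act on a FIN or RST (assumption, not ForNet's rule)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:  # hypothetical record type for the example
    ts: float   # capture time in seconds
    src: str
    dst: str
    flags: str  # subset of "SAFR"
    seq: int
    ack: int = 0


def flow_of(p: Pkt):
    """Direction-agnostic flow key (ports omitted to keep the example short)."""
    return tuple(sorted((p.src, p.dst)))


def connection_records(packets):
    """Keep every packet with TCP flags set, grouped per flow in capture order,
    mirroring the connection-record synopsis the text describes."""
    recs = {}
    for p in sorted(packets, key=lambda q: q.ts):
        if p.flags:
            recs.setdefault(flow_of(p), []).append(p)
    return recs


def naive_termination(records):
    """The query interpretation the text warns about: first FIN/RST after the SYN."""
    syn_seen = False
    for p in records:
        if p.flags == "S":
            syn_seen = True
        elif syn_seen and ("F" in p.flags or "R" in p.flags):
            return p.ts
    return None


def checked_termination(records, window=65535):
    """Accept a FIN/RST only if its seq lies in [expected, expected + window) for
    its sender; report rejected candidates so the analyst sees the ambiguity."""
    next_seq = {}   # per sender: next sequence number the peer expects (assumed tracking)
    rejected = []
    syn_seen = False
    for p in records:
        if "S" in p.flags:          # SYN / SYN-ACK consume one sequence number
            syn_seen = True
            next_seq[p.src] = p.seq + 1
            continue
        if not syn_seen:
            continue
        expected = next_seq.get(p.src, p.seq)
        in_window = expected <= p.seq < expected + window
        if "F" in p.flags or "R" in p.flags:
            if not in_window:       # the host would ignore this packet; do not trust it
                rejected.append((p.ts, p.flags, p.seq))
                continue
            return {"ts": p.ts, "ambiguous": bool(rejected), "rejected": rejected}
        if in_window:
            next_seq[p.src] = max(expected, p.seq)
    return {"ts": None, "ambiguous": bool(rejected), "rejected": rejected}


# Constructed sample flow: one out-of-window RST at t=2.0, real FIN exchange at t=9.x
SAMPLE = [
    Pkt(1.0, "10.0.0.5", "10.0.0.9", "S", 1000),
    Pkt(1.1, "10.0.0.9", "10.0.0.5", "SA", 5000, 1001),
    Pkt(1.2, "10.0.0.5", "10.0.0.9", "A", 1001, 5001),
    Pkt(2.0, "10.0.0.5", "10.0.0.9", "R", 999999),       # wrong sequence number
    Pkt(3.0, "10.0.0.5", "10.0.0.9", "A", 1001, 5001),
    Pkt(9.0, "10.0.0.5", "10.0.0.9", "FA", 1001, 5001),  # real termination
    Pkt(9.1, "10.0.0.9", "10.0.0.5", "FA", 5001, 1002),
    Pkt(9.2, "10.0.0.5", "10.0.0.9", "A", 1002, 5002),
]


def compare(packets=SAMPLE):
    """Return (naive termination time, checked query result) for the first flow."""
    recs = connection_records(packets)[flow_of(packets[0])]
    return naive_termination(recs), checked_termination(recs)


if __name__ == "__main__":
    print(compare())
```

On the sample the naive query reports termination at 2.0, the checked query reports 9.0 and lists the rejected RST, which is the signal the text says a persistent analyst would otherwise have to find by hand. The cost is that the synopsis must retain sequence numbers, which the connection records as described do not.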
6 Conclusions and Future Work
In this paper we have motivated the need for a network forensics system that
aids in the investigation of crimes committed on or via a network. We also present
a high-level description of the design of a distributed forensics network called
ForNet which aims to fill this need. At the core of ForNet is a SynApp which
creates synopses of network activity. Multiple such SynApps within a domain,
connected to other domains via a Forensics server, form the hierarchical structure
which comprises ForNet. We present an overview of the architecture of a
SynApp and some simple examples of the means by which synopses of network events
could be constructed.
Although we have described our vision and goals in this paper, a lot of effort
still remains to bring our ideas to fruition. There are many important problems
that need to be solved, which include:
- Identification of Useful Network Events: Cybercrimes are committed
over networks, and the network can be viewed as a virtual “crime scene” that
holds critical evidence based on events before, during, and after a crime. The
problem is that we do not know beforehand when, where, and how a crime will be
committed. The challenge then is to identify useful network events,
such as connection establishment, DNS queries, fragmentation of IP packets,
etc., and choose a minimum representative set that would potentially be
evidence in a variety of cybercrimes.
- Developing Efficient Synopses: There are two types of traffic on the
Internet: packets belonging to a connection and connectionless traffic. The
traffic corresponding to a connection consists of three distinct phases when
viewed at the network protocol level: connection establishment, data transfer
and connection termination. In order to keep a synopsis of such a connection