TY - GEN
T1 - Network Forensic Evidence Acquisition (NFEA) with packet marking
AU - Kim, Hyung Seok
AU - Kim, Huy Kang
N1 - Copyright:
Copyright 2011 Elsevier B.V., All rights reserved.
PY - 2011
Y1 - 2011
N2 - Internet crimes such as DDoS attack have seriously affected the businesses that have dependencies on computer networks such as the Internet. However, TCP/IP based networks have no protection against malicious packet modifications and attackers do exploit such vulnerabilities to attack others as well as forging IP packets to hide source IP address of attack packets; hence attackers could hinder the efforts to identify the real origin of attacks using Firewall, Intrusion Detection System and other traffic capturing tools. Therefore, having ability to trace back to the origin of the attack becomes an important part of incident investigation. There are number of traceback schemes available but their effective tracking range is up to the very first edge routers or even worse, data used by such methods could be forged and/or tricked; hence use of existing methods are limited for crimes investigation. Network Forensic Evidence Acquisition (NFEA) scheme proposed in this paper is a new traceback scheme that offers improved effective tracking range with consideration for providing admissible evidence. NFEA guarantees authenticity and integrity of tracking data collected based on Authenticated Evidence Marking Scheme (AEMS). AEMS also improves effective tracking range by producing tracking data at edge-routers, which also helps to minimize loss in overall network performance. Effect on edge-routers' performance is also guaranteed using Flow-based Selection Marking Scheme (FSMS). An implementation of NFEA has been evaluated and the result shows that NFEA is viable to deploy in real networks.
AB - Internet crimes such as DDoS attack have seriously affected the businesses that have dependencies on computer networks such as the Internet. However, TCP/IP based networks have no protection against malicious packet modifications and attackers do exploit such vulnerabilities to attack others as well as forging IP packets to hide source IP address of attack packets; hence attackers could hinder the efforts to identify the real origin of attacks using Firewall, Intrusion Detection System and other traffic capturing tools. Therefore, having ability to trace back to the origin of the attack becomes an important part of incident investigation. There are number of traceback schemes available but their effective tracking range is up to the very first edge routers or even worse, data used by such methods could be forged and/or tricked; hence use of existing methods are limited for crimes investigation. Network Forensic Evidence Acquisition (NFEA) scheme proposed in this paper is a new traceback scheme that offers improved effective tracking range with consideration for providing admissible evidence. NFEA guarantees authenticity and integrity of tracking data collected based on Authenticated Evidence Marking Scheme (AEMS). AEMS also improves effective tracking range by producing tracking data at edge-routers, which also helps to minimize loss in overall network performance. Effect on edge-routers' performance is also guaranteed using Flow-based Selection Marking Scheme (FSMS). An implementation of NFEA has been evaluated and the result shows that NFEA is viable to deploy in real networks.
KW - DDoS attacks
KW - IP traceback
KW - Network forensic
KW - Network security
KW - Packet marking
UR - http://www.scopus.com/inward/record.url?scp=80051981238&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=80051981238&partnerID=8YFLogxK
U2 - 10.1109/ISPAW.2011.27
DO - 10.1109/ISPAW.2011.27
M3 - Conference contribution
AN - SCOPUS:80051981238
SN - 9780769544298
T3 - Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011
SP - 388
EP - 393
BT - Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011
T2 - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - 2011, ICASE 2011, SGH 2011, GSDP 2011
Y2 - 26 May 2011 through 28 May 2011
ER -