Network forensics supports capabilities such as attacker identification and attack reconstruction, which complement the traditional intrusion detection and perimeter defense techniques in building a robust security mechanism. Attacker identification pinpoints the attack origin to deter future attackers, while attack reconstruction reveals attack causality and network vulnerabilities. In this paper, we discuss the problem and feasibility of backtracking the origin of a self-propagating stealth attack when given a network traffic trace for a sufficiently long period of time. We propose a network forensics mechanism that is scalable in computation time and space while maintaining high accuracy in the identification of the attack origin. We further develop a data reduction method to filter out attack-irrelevant data and retain only evidence relevant to potential attacks for a post-mortem investigation. Using real-world trace-driven experiments, we evaluate the performance of the proposed mechanism and show that we can trim down up to 97% of attack-irrelevant network traffic and successfully identify the attack origin.