Mnemosyne: Designing and Implementing Network Short-Term Memory

  • Authors:
  • Giovanni Vigna; Andrew Mitchell


  • Venue:
  • ICECCS '02 Proceedings of the Eighth International Conference on Engineering of Complex Computer Systems
  • Year:
  • 2002

Quantified Score

Hi-index 0.00


Abstract

Network traffic logs play an important role in incident analysis. With the increasing throughput of network links, maintaining a complete log of all network activity has become a task that requires an enormous amount of resources. We propose an approach to network monitoring that mitigates the resource consumption problem while still providing effective support to evidence collection and incident analysis. The approach relies on a tool, called MNEMOSYNE, that maintains a sliding window containing the traffic that has been recently seen on a network link. MNEMOSYNE provides improved logging features, such as multiple streams, support for cross-stream queries, and dynamic remote reconfiguration. By integrating MNEMOSYNE with real-time intrusion detection capability, it is possible to provide incident analysis functionality and effective evidence collection, without having to maintain complete traffic logs. This paper describes the MNEMOSYNE tool, its architecture, and presents the results of the quantitative evaluation of its performance.

Keywords: Network Security, Intrusion Detection, Network Forensics, Incident Analysis