Fornet: a distributed forensics network

  • Authors:
  • Nasir Memon; Kulesh Shanmugasundaram

  • Affiliations:
  • Polytechnic University; Polytechnic University

  • Venue:
  • Fornet: a distributed forensics network
  • Year:
  • 2006

Abstract

Networks are vulnerable to attacks and misuse. Firewalls and Intrusion Detection Systems are in place to protect the networks. Despite these defenses we still witness many security incidents. To guarantee the safety and survivability of networks we must complement the defensive mechanisms with a monitoring mechanism capable of aiding forensics when the security mechanisms fail. State-of-the-art solutions to support network forensics often collect raw network data but lack the ability to retain large volumes of collected data for prolonged periods of time. This reduces the longevity of the collected evidence, which in turn inhibits postmortems. Furthermore, these solutions also do not scale well for large intranets and wide area networks. This dissertation describes the design and the development of a distributed network forensics system called ForNet. Unlike the state-of-the-art solutions, ForNet uses a concept called synopses to reduce raw network traffic to a succinct form such that sufficient data useful for forensics is captured and archived for prolonged periods of time. The dissertation also describes the architecture of ForNet, in which we introduce the concept of cascading data collection and the integration of monitoring and privacy policies into the system itself. The use of synopses and cascading collection of data together allow ForNet to scale better for large networks as well. We also introduce some useful synopses in this dissertation. The first synopsis, called a Hierarchical Bloom Filter, represents payloads in a succinct form. The synopsis is then extended and used in ForNet to be able to attribute bit strings to their sources and destinations. The second set of synopses keeps track of flow aggregates and flow compositions. This synopsis uses the statistical properties of payloads to identify the content type of flows independent of port bindings or application headers. We conclude the dissertation with the description of ForNet's deployment in an intranet and with the evaluation of its synopses in tracking real security incidents in the intranet.
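To make the payload-attribution idea in the abstract concrete, here is an added toy model of a Hierarchical Bloom Filter used to ask "which flow carried this byte string, and where?"; it is illustrative code written for this page, not ForNet's implementation, and the block size, hash count, offset/flow tagging and the requirement that the queried excerpt be block-aligned are simplifying assumptions.

```python
import hashlib

class BloomFilter:
    """Plain Bloom filter: k SHA-256-derived bit positions in an m-bit array."""
    def __init__(self, m=1 << 16, k=4):
        self.m, self.k, self.bits = m, k, bytearray(m // 8)
    def _positions(self, item):
        for seed in range(self.k):
            h = hashlib.sha256(bytes([seed]) + item).digest()
            yield int.from_bytes(h[:4], "big") % self.m
    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)
    def __contains__(self, item):
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(item))

def _tag(key, lvl, off, flow):  # bind a block group to its level, block offset and flow
    return f"{lvl}|{off}|{flow}|".encode() + key
class HierarchicalBloomFilter:
    """Each block is stored tagged with its offset and flow; level L also stores aligned
    groups of 2**L consecutive blocks, so a higher-level hit confirms adjacency."""
    def __init__(self, block_size=4, levels=3):
        self.bs, self.levels, self.bf, self.flows = block_size, levels, BloomFilter(), set()
    def _blocks(self, data):
        return [data[i:i + self.bs] for i in range(0, len(data) - self.bs + 1, self.bs)]
    def insert(self, payload, flow):
        blocks, self.flows = self._blocks(payload), self.flows | {flow}
        for lvl in range(self.levels):
            for off in range(0, len(blocks) - (1 << lvl) + 1, 1 << lvl):
                self.bf.add(_tag(b"".join(blocks[off:off + (1 << lvl)]), lvl, off, flow))
    def _adjacent(self, blocks, base, flow):
        # every aligned higher-level group lying fully inside the excerpt must be present too
        for lvl in range(1, self.levels):
            for off in range(base, base + len(blocks) - (1 << lvl) + 1):
                if off % (1 << lvl) == 0 and _tag(b"".join(blocks[off - base:off - base + (1 << lvl)]), lvl, off, flow) not in self.bf:
                    return False
        return True
    def attribute(self, excerpt, max_blocks=64):
        """(flow, byte offset) pairs where a block-aligned excerpt may have occurred; Bloom
        filters can yield false positives but never false negatives."""
        blocks, hits = self._blocks(excerpt), set()
        for flow in self.flows:
            for base in range(max_blocks):
                if all(_tag(b, 0, base + i, flow) in self.bf for i, b in enumerate(blocks)) and self._adjacent(blocks, base, flow):
                    hits.add((flow, base * self.bs))
        return hits if blocks else set()
HBF = HierarchicalBloomFilter()  # constructed sample traffic (not real captures) archived as synopses
HBF.insert(b"GET /admin HTTP/1.1 Host: x", ("10.0.0.5", "10.0.0.9"))
HBF.insert(b"SELECT * FROM users WHERE 1=1", ("10.0.0.7", "10.0.0.9"))
```

Only the synopsis is retained, not the payloads themselves, which is what lets the archive be kept for a long period; an excerpt that does not start on a block boundary (for example `b"FROM users"`) is not found by this simplified model.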