Title :
Network Forensic Evidence Acquisition (NFEA) with Packet Marking
Author :
Kim, Hyung Seok ; Kim, Huy Kang
Author_Institution :
Grad. Sch. of Inf. Security, Korea Univ., Seoul, South Korea
Abstract :
Internet crimes such as DDoS attacks have seriously affected businesses that depend on computer networks such as the Internet. However, TCP/IP-based networks have no protection against malicious packet modification, and attackers exploit this weakness both to attack others and to forge IP packets that hide the source IP address of attack packets; as a result, attackers can hinder efforts to identify the real origin of an attack using firewalls, intrusion detection systems and other traffic capturing tools. Therefore, the ability to trace back to the origin of an attack has become an important part of incident investigation. A number of traceback schemes are available, but their effective tracking range extends only to the very first edge routers or, even worse, the data used by such methods can be forged and/or tampered with, so the use of existing methods in crime investigation is limited. The Network Forensic Evidence Acquisition (NFEA) scheme proposed in this paper is a new traceback scheme that offers an improved effective tracking range while also providing admissible evidence. NFEA guarantees the authenticity and integrity of the collected tracking data based on the Authenticated Evidence Marking Scheme (AEMS). AEMS also improves the effective tracking range by producing tracking data at edge routers, which also helps to minimize the loss in overall network performance. Edge-router performance is also guaranteed using the Flow-based Selection Marking Scheme (FSMS). An implementation of NFEA has been evaluated, and the results show that NFEA is viable to deploy in real networks.
Keywords :
Internet; computer forensics; computer network security; AEMS; DDoS attack; Internet crimes; NFEA; TCP/IP based networks; authenticated evidence marking scheme; firewall; flow-based selection marking scheme; intrusion detection system; malicious packet modifications; network forensic evidence acquisition; packet marking; Computer crime; Cryptography; Decoding; Encoding; Forensics; IP networks; Radio frequency; DDoS attacks; IP traceback; network forensic; network security; packet marking
Conference_Title :
Parallel and Distributed Processing with Applications Workshops (ISPAW), 2011 Ninth IEEE International Symposium on
Conference_Location :
Busan
Print_ISBN :
978-1-4577-0524-3
Electronic_ISBN :
978-0-7695-4429-8
DOI :
10.1109/ISPAW.2011.27