
New payload attribution methods for network forensic investigations

Published: 05 March 2010
Abstract

Payload attribution can be an important element in network forensics. Given a history of packet transmissions and an excerpt of a possible packet payload, a payload attribution system (PAS) makes it feasible to identify the sources, destinations, and the times of appearance on a network of all the packets that contained the specified payload excerpt. A PAS, as one of the core components in a network forensics system, enables investigating cybercrimes on the Internet by, for example, tracing the spread of worms and viruses, identifying who has received a phishing e-mail in an enterprise, or discovering which insider allowed an unauthorized disclosure of sensitive information.

Due to the increasing volume of traffic in today's networks, it is infeasible to store and query all the actual packets for extended periods of time in order to analyze network events for investigative purposes; therefore, we focus on extremely compressed digests of the packet activity. We propose several new methods for payload attribution, which utilize Rabin fingerprinting, shingling, and winnowing. Our best methods allow building practical payload attribution systems, which provide data reduction ratios greater than 100:1 while supporting efficient queries with very low false positive rates. We demonstrate the properties of the proposed methods and specifically analyze their performance and practicality when used as modules of the network forensics system ForNet. In our experiments, the proposed methods outperform current state-of-the-art methods both in terms of false positives and data reduction ratio. Finally, these approaches directly allow the collected data to be stored and queried by an untrusted party without disclosing any payload information or the contents of queries.
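The abstract names the ingredients (shingling, a Rabin-style rolling fingerprint, winnowing, and a compressed digest that an untrusted party can hold) without showing how they fit together. The sketch below is an added illustration, not code from the paper or from ForNet: it uses Karp-Rabin polynomial arithmetic as a stand-in for Rabin's GF(2) fingerprint, one HMAC-keyed Bloom filter in place of the authors' specific structures, treats each recorded payload as a unit (an excerpt split across two packets is not handled), and all parameters, the key, the sample flows and the excerpt queries are constructed assumptions. It does show the two checks a practitioner wants: an excerpt shorter than the winnowing guarantee (w + k - 1 bytes) is rejected rather than silently returning nothing, and a flow is attributed only when every fingerprint of the excerpt is present for it, which is what keeps the Bloom-filter false-positive rate low.

```python
# Toy payload attribution store (illustration only): shingles -> winnowing -> keyed Bloom filter.
import hashlib
import hmac
from collections import defaultdict

K_GRAM = 8                          # shingle (k-gram) length in bytes (assumed)
WINDOW = 4                          # winnowing window, in consecutive shingle hashes (assumed)
MIN_EXCERPT = WINDOW + K_GRAM - 1   # shortest excerpt winnowing guarantees to find (11 bytes)
BUCKET_SECONDS = 60                 # time-of-appearance granularity (assumed)
BLOOM_BITS, BLOOM_HASHES = 1 << 16, 4
BASE, MOD = 257, (1 << 61) - 1      # Karp-Rabin polynomial hash parameters (assumed)


def rolling_hashes(data: bytes, k: int = K_GRAM) -> list:
    """Polynomial hash of every k-byte shingle, computed as a rolling hash.
    Karp-Rabin arithmetic stands in for Rabin's GF(2) fingerprint."""
    if len(data) < k:
        return []
    h = 0
    for b in data[:k]:
        h = (h * BASE + b) % MOD
    hashes = [h]
    top = pow(BASE, k - 1, MOD)             # weight of the byte leaving the window
    for i in range(k, len(data)):
        h = ((h - data[i - k] * top) * BASE + data[i]) % MOD
        hashes.append(h)
    return hashes


def winnow(hashes: list, w: int = WINDOW) -> set:
    """Winnowing (Schleimer et al.): keep the minimum of every window of w hashes.
    Every window inside a substring is a window of the full string, so an excerpt
    of >= w + k - 1 bytes selects only hashes the containing payload also selected."""
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


class KeyedBloomFilter:
    """Bloom filter whose bit positions come from HMAC-SHA256 under a secret key:
    the (untrusted) party holding the bits sees neither payloads nor query text."""

    def __init__(self, key: bytes, m: int = BLOOM_BITS, k: int = BLOOM_HASHES):
        self.key, self.m, self.k = key, m, k
        self.bits = bytearray(m // 8)

    def positions(self, item: bytes) -> list:
        digest = hmac.new(self.key, item, hashlib.sha256).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for p in self.positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self.positions(item))


class PayloadAttributionSystem:
    """Keeps only winnowed fingerprints bound to (src, dst, time bucket); payloads are discarded."""

    def __init__(self, key: bytes):
        self.filter = KeyedBloomFilter(key)
        self.flows = defaultdict(set)   # bucket -> {(src, dst)} seen in that interval

    @staticmethod
    def _element(fp: int, src: str, dst: str, bucket: int) -> bytes:
        return f"{fp}|{src}|{dst}|{bucket}".encode()

    def record(self, src: str, dst: str, ts: int, payload: bytes) -> None:
        bucket = ts // BUCKET_SECONDS
        self.flows[bucket].add((src, dst))
        for fp in winnow(rolling_hashes(payload)):
            self.filter.add(self._element(fp, src, dst, bucket))

    def query(self, excerpt: bytes) -> set:
        """Flows {(src, dst, bucket)} that may have carried excerpt. A flow is reported
        only if all of the excerpt's fingerprints are present for it, which keeps
        Bloom false positives rare; false negatives cannot occur within one payload."""
        fps = winnow(rolling_hashes(excerpt))
        if not fps:
            raise ValueError(f"excerpt must be at least {MIN_EXCERPT} bytes")
        return {(src, dst, bucket)
                for bucket, flows in self.flows.items()
                for src, dst in flows
                if all(self._element(fp, src, dst, bucket) in self.filter for fp in fps)}


KEY = b"investigator-secret-key"   # constructed for the example
SAMPLE_PACKETS = [                 # constructed: one web request, one phish delivered to two hosts
    ("10.0.0.5", "203.0.113.9", 1000, b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("198.51.100.2", "10.0.0.7", 1010, b"Subject: Urgent: verify your account now at http://phish.example/x\r\n"),
    ("198.51.100.2", "10.0.0.9", 1100, b"Subject: Urgent: verify your account now at http://phish.example/x\r\n"),
]


def build_sample_system() -> PayloadAttributionSystem:
    pas = PayloadAttributionSystem(KEY)
    for src, dst, ts, payload in SAMPLE_PACKETS:
        pas.record(src, dst, ts, payload)
    return pas


if __name__ == "__main__":
    pas = build_sample_system()
    print("received the phish:", pas.query(b"verify your account now"))
    print("requested /login:  ", pas.query(b"GET /login HTTP/1.1"))
    print("never seen:        ", pas.query(b"this excerpt never appeared on the wire"))
```

The filter here is 8 KiB for roughly 180 bytes of sample payload, so it shows the mechanism, not the 100:1 reduction the paper reports; that ratio comes from sizing the filter to the traffic volume of each time interval. Because the stored elements and the query probes are HMAC-derived bit positions, the party that keeps the filter can answer membership tests without learning payload bytes or what the investigator is searching for, which is the property the last sentence of the abstract refers to.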

Published in
      ACM Transactions on Information and System Security  Volume 13, Issue 2
      February 2010
      230 pages
      ISSN:1094-9224
      EISSN:1557-7406
      DOI:10.1145/1698750

      Copyright © 2010 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 5 March 2010
      • Accepted: 1 November 2008
      • Revised: 1 July 2008
      • Received: 1 February 2008