Abstract
Payload attribution can be an important element in network forensics. Given a history of packet transmissions and an excerpt of a possible packet payload, a payload attribution system (PAS) makes it feasible to identify the sources, destinations, and the times of appearance on a network of all the packets that contained the specified payload excerpt. A PAS, as one of the core components in a network forensics system, enables investigating cybercrimes on the Internet by, for example, tracing the spread of worms and viruses, identifying who has received a phishing e-mail in an enterprise, or discovering which insider allowed an unauthorized disclosure of sensitive information.
Due to the increasing volume of traffic in today's networks, it is infeasible to store and query all actual packets for extended periods of time in order to analyze network events for investigative purposes; we therefore focus on extremely compressed digests of packet activity. We propose several new methods for payload attribution, which utilize Rabin fingerprinting, shingling, and winnowing. Our best methods allow building practical payload attribution systems that provide data reduction ratios greater than 100:1 while supporting efficient queries with very low false positive rates. We demonstrate the properties of the proposed methods and specifically analyze their performance and practicality when used as modules of the network forensics system ForNet. In our experiments the proposed methods outperform current state-of-the-art methods both in false positive rate and in data reduction ratio. Finally, these approaches directly allow the collected data to be stored and queried by an untrusted party without disclosing any payload information or the contents of queries.
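As an added illustration (not code from the paper, nor from ForNet), the following Python sketch shows the general mechanism the abstract names: a Rabin rolling fingerprint over a sliding byte window, winnowing to select content-defined block boundaries, and a Bloom filter digest holding keyed hashes of (flow, block) pairs, so that neither the stored digest nor a query exposes payload bytes. The parameter values, the HMAC-SHA256 construction, the flow tagging, the margin rule for excerpt queries and the two sample packets are all assumptions of this example; the paper's actual methods and parameters are not reproduced here.

```python
"""Content-defined payload digest: winnowed Rabin fingerprints + keyed Bloom filter.
Illustrative example only; not the code of the paper or of ForNet."""
import hashlib
import hmac

_P = 257                 # polynomial base for the rolling hash (assumed value)
_M = (1 << 61) - 1       # Mersenne prime modulus, keeps the arithmetic exact


def rabin_fingerprints(data: bytes, k: int) -> list:
    """Rolling fingerprint of every k-byte window; entry i covers data[i:i+k]."""
    if len(data) < k:
        return []
    pw = pow(_P, k - 1, _M)            # weight of the byte leaving the window
    h = 0
    for b in data[:k]:
        h = (h * _P + b) % _M
    fps = [h]
    for i in range(k, len(data)):
        h = ((h - data[i - k] * pw) * _P + data[i]) % _M
        fps.append(h)
    return fps


def winnow_boundaries(data: bytes, k: int, w: int) -> list:
    """Block boundaries chosen by winnowing: in every window of w consecutive
    fingerprints take the minimum (rightmost on ties) and cut after its k bytes.
    The choice is purely local, so an excerpt reproduces the same cuts inside it."""
    fps = rabin_fingerprints(data, k)
    cuts = set()
    for j in range(len(fps) - w + 1):
        i = min(range(j, j + w), key=lambda t: (fps[t], -t))
        cuts.add(i + k)
    return sorted(cuts)


def blocks(data: bytes, k: int, w: int) -> list:
    """Every block of a full payload, including the two edge blocks."""
    cuts = [0] + winnow_boundaries(data, k, w) + [len(data)]
    return [data[a:b] for a, b in zip(cuts, cuts[1:]) if b > a]


def interior_blocks(excerpt: bytes, k: int, w: int) -> list:
    """Blocks of an excerpt guaranteed to be blocks of the full payload: both cuts
    lie at least k + w bytes from the excerpt's edges, where winnowing may differ."""
    n = len(excerpt)
    cuts = [c for c in winnow_boundaries(excerpt, k, w) if k + w <= c <= n - w]
    return [excerpt[a:b] for a, b in zip(cuts, cuts[1:])]


class PayloadDigest:
    """One time interval's digest: a Bloom filter over HMAC(key, flow || block).
    The storing party sees only filter bits; a querier sends only keyed hashes."""

    def __init__(self, key: bytes, m_bits: int = 1 << 16, hashes: int = 4,
                 k: int = 8, w: int = 16):
        self.key, self.m, self.hashes, self.k, self.w = key, m_bits, hashes, k, w
        self.bits = bytearray(m_bits // 8)
        self.flows = set()           # (src, dst) pairs seen in this interval

    def _positions(self, flow, block: bytes):
        tag = ("%s>%s" % flow).encode()
        msg = len(tag).to_bytes(2, "big") + tag + block   # unambiguous framing
        for i in range(self.hashes):
            d = hmac.new(self.key, bytes([i]) + msg, hashlib.sha256).digest()
            yield int.from_bytes(d[:8], "big") % self.m

    def add_packet(self, src: str, dst: str, payload: bytes) -> None:
        self.flows.add((src, dst))
        for blk in blocks(payload, self.k, self.w):
            for p in self._positions((src, dst), blk):
                self.bits[p >> 3] |= 1 << (p & 7)

    def query(self, excerpt: bytes):
        """Flows whose payload contained the excerpt (no false negatives; Bloom
        false positives are rare), or None if the excerpt is too short to hold
        a guaranteed interior block."""
        inner = interior_blocks(excerpt, self.k, self.w)
        if not inner:
            return None

        def hit(flow, blk):
            return all(self.bits[p >> 3] >> (p & 7) & 1 for p in self._positions(flow, blk))
        return {f for f in self.flows if all(hit(f, b) for b in inner)}


def demo():
    """Constructed sample traffic (two flows) and excerpt queries against the digest."""
    d = PayloadDigest(key=b"deployment secret held by the investigator")
    phish = (b"Subject: Payroll update required\r\n\r\nDear colleague, your direct "
             b"deposit details must be re-confirmed before Friday. Use the portal at "
             b"https://payroll-update.example/login and sign in with your corporate "
             b"credentials. Failure to confirm will delay your next payment. "
             b"Regards, HR Operations (do not reply to this message)")
    web = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: "
           b"Mozilla/5.0 (X11; Linux x86_64)\r\nAccept: text/html\r\n\r\n")
    d.add_packet("10.0.0.5", "10.0.0.23", phish)
    d.add_packet("10.0.0.7", "10.0.0.10", web)
    return {
        "phish": d.query(phish[60:260]),    # 200-byte excerpt from the middle
        "none": d.query(b"The quarterly maintenance window for the backup cluster "
                        b"moves to Saturday 02:00; no user action is required."),
        "short": d.query(phish[100:120]),   # too short: no guaranteed block
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth noting. Winnowing guarantees at least one selected fingerprint in every run of w consecutive fingerprints, so an excerpt of at least k + 4w - 1 bytes always yields at least one interior block; blocks touching the excerpt's edges are skipped because their boundaries may depend on bytes outside the excerpt. Data reduction comes from amortizing the fixed-size filter over every packet in the interval, and the only error source is the Bloom filter's false positive rate, which the sizing of m_bits and hashes controls.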
- Anderson, E. and Arlitt, M. 2006. Full packet capture and offline analysis on 1 and 10 Gb networks. Tech. rep. HPL-2006-156, HP Laboratories. http://www.hpl.hp.com/techreports/2006/HPL-2006-156.html
- Bellovin, S. and Cheswick, W. 2004. Privacy-enhanced searches using encrypted Bloom filters. Cryptology ePrint Archive, report 2004/022. http://eprint.iacr.org/
- Bloom, B. 1970. Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13, 7, 422--426.
- Broder, A. 1993. Some applications of Rabin's fingerprinting method. In Proceedings of the International Conference on Methods in Communications, Security, and Computer Science. Springer-Verlag, Berlin, 143--152.
- Broder, A. 1997. On the resemblance and containment of documents. In Proceedings of Compression and Complexity of Sequences. IEEE, Los Alamitos, CA.
- Broder, A. and Mitzenmacher, M. 2002. Network applications of Bloom filters: A survey. In Proceedings of the Annual Allerton Conference on Communication, Control, and Computing. SIAM, Philadelphia.
- Cho, C. Y., Lee, S. Y., Tan, C. P., and Tan, Y. T. 2006. Network forensics on packet fingerprints. In Proceedings of the 21st IFIP Information Security Conference (SEC 2006). Springer, Berlin.
- Garfinkel, S. 2002. Network forensics: Tapping the Internet. O'Reilly Network. http://www.oreillynet.com/pub/a/network/2002/04/26/nettap.html
- Gu, G., Porras, P., Yegneswaran, V., Fong, M., and Lee, W. 2007. BotHunter: Detecting malware infection through IDS-driven dialog correlation. In Proceedings of the 16th USENIX Security Symposium. USENIX, Berkeley, CA, 167--182.
- Handley, M., Kreibich, C., and Paxson, V. 2001. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In Proceedings of the USENIX Security Symposium. USENIX, Berkeley, CA.
- King, N. and Weiss, E. 2002. Network forensics analysis tools (NFATs) reveal insecurities, turn sysadmins into system detectives. Inf. Secur. http://www.infosecuritymag.com/2002/feb/cover.shtml
- Manber, U. 1994. Finding similar files in a large file system. In Proceedings of the USENIX Winter 1994 Technical Conference. USENIX, Berkeley, CA, 1--10.
- Mitzenmacher, M. 2002. Compressed Bloom filters. IEEE/ACM Trans. Networking 10, 5, 604--612.
- NTOP. 2008. PF_RING Linux kernel patch. http://www.ntop.org/PF_RING.html
- Ponec, M., Giura, P., Brönnimann, H., and Wein, J. 2007. Highly efficient techniques for network forensics. In Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, New York, 150--160.
- Rabin, M. O. 1981. Fingerprinting by random polynomials. Tech. rep. 15-81, Harvard University.
- Rhea, S., Liang, K., and Brewer, E. 2003. Value-based Web caching. In Proceedings of the 12th International World Wide Web Conference. ACM, New York.
- Richardson, R. and Peters, S. 2007. 2007 CSI Computer crime and security survey shows average cyber-losses jumping after five-year decline. CSI Press Release. http://www.gocsi.com/press/20070913.jhtml
- Schleimer, S., Wilkerson, D. S., and Aiken, A. 2003. Winnowing: Local algorithms for document fingerprinting. In Proceedings of the 2003 ACM SIGMOD International Conference on Management of Data (SIGMOD'03). ACM, New York, 76--85.
- Shanmugasundaram, K., Brönnimann, H., and Memon, N. 2004. Payload attribution via hierarchical Bloom filters. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, New York.
- Shanmugasundaram, K., Memon, N., Savant, A., and Brönnimann, H. 2003. ForNet: A distributed forensics network. In Proceedings of the 2nd International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security (MMM-ACNS'03). Springer, Berlin, 1--16.
- Snoeren, A. C., Partridge, C., Sanchez, L. A., Jones, C. E., Tchakountio, F., Kent, S. T., and Strayer, W. T. 2001. Hash-based IP traceback. In Proceedings of the ACM SIGCOMM Conference. ACM, New York.
- Staniford-Chen, S. and Heberlein, L. 1995. Holding intruders accountable on the Internet. In Proceedings of the 1995 IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA.
New payload attribution methods for network forensic investigations