10-07-2012, 03:30 PM
Attack Pattern Discovery in Forensic Investigation of Network Attacks
Attack Pattern Discovery in Forensic.pdf (Size: 372.65 KB / Downloads: 42)
INTRODUCTION AND MOTIVATION
The scenario we consider in this paper is the investigation that follows the occurrence of disruptive or suspected network attacks on one or more connected systems. It is well known that network attacks typically do not occur in isolation [1]: the activities that cause damage or trigger detection are not stand-alone, because such attacks cannot be carried out without detailed information about the target systems; they are therefore always, by necessity, preceded by several stages of exploratory probing by the attackers, aimed at gathering as much information as possible on the target system and thereby finding vulnerabilities.
RELATED WORK
To the best of our knowledge, there is no previous work specifically addressing the attack pattern discovery problem considered in this paper. A number of open-source and commercial tools are available that can aid network forensic investigations, e.g., [9], [10], [11], [12], [13]. Their packet capture and logging functionality could be used to generate the logs that our algorithm scans. However, their objective is to detect a single attack in real time, which differs from our problem of finding all the network activities correlated with an attack that has already been detected.
PROBLEM SETUP
Our approach to the network attack pattern discovery problem is sketched in this section and presented in further detail in the later sections.

It is assumed that on every target system a packet sniffer captures all raw network packets, and that the TCP/UDP headers and other relevant information from the data payloads are recorded in a log file stored locally. Each system keeps a single large log file holding all of this network traffic data, which can be viewed as a data table; we call each line or entry an event, containing fields that hold the captured packet header and, occasionally, selected payload information.
SIMULATIONS AND EXPERIMENTS
A. Simulation
In order to evaluate the performance of the proposed network forensic algorithms, we set up a simulated environment consisting of several profiles modeling different types of network activity. The activity profiles simulate network traffic patterns ranging from normal usage over protocols such as HTTP to malicious network attacks of varying severity. The types of attacks simulated by the activity profiles include port scan, ping sweep, password attack, ruser buffer overflow attack and HTTP DoS.
CONCLUSION
In this paper, we have identified the problem of discovering the context of network events related to a security breach by mining logs of network traffic data. We proposed an iterative algorithm that uses a feedback mechanism to propagate the likelihoods of attack events, or suspicion scores, to the next iteration, thereby progressively refining the search for events or attacks related to those already found. Our simulations verify the accuracy of the algorithm in discovering the attack patterns.
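As an added illustration of the event-table log described in the problem setup and the feedback iteration described in the conclusion (this is not the paper's code; the correlation rule, the decay factor and the sample log are my own assumptions), the following toy Python shows how a suspicion score seeded at one detected attack event spreads, over successive rounds, to earlier probing events from the same source that are not directly adjacent to the detected event:

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: float      # capture timestamp (seconds)
    src: str       # source host
    dst: str       # destination host
    dport: int     # destination port (0 for ICMP)
    proto: str

# Constructed sample log (not from the paper): an ICMP probe, a port scan,
# an unrelated client, the detected attack (index 6) and unrelated traffic.
LOG = [
    Event(20.0,  "10.0.0.5", "192.168.1.10", 0,   "ICMP"),  # 0: early probe
    Event(100.0, "10.0.0.5", "192.168.1.10", 22,  "TCP"),   # 1: scan
    Event(100.1, "10.0.0.5", "192.168.1.10", 80,  "TCP"),   # 2: scan
    Event(100.2, "10.0.0.5", "192.168.1.10", 443, "TCP"),   # 3: scan
    Event(100.3, "10.0.0.5", "192.168.1.10", 513, "TCP"),   # 4: scan
    Event(150.0, "10.0.0.7", "192.168.1.10", 80,  "TCP"),   # 5: other client
    Event(160.0, "10.0.0.5", "192.168.1.10", 513, "TCP"),   # 6: detected attack
    Event(900.0, "10.0.0.9", "192.168.1.20", 53,  "UDP"),   # 7: unrelated
]

def related(a, b, window):
    # Assumed correlation rule: same source host and within the time window.
    return a.src == b.src and abs(a.ts - b.ts) <= window

def propagate(log, seed_idx, window=120.0, decay=0.5, rounds=5, threshold=0.2):
    """Spread suspicion from the seed event; each round feeds the previous
    round's scores back in, so events reachable only via intermediate
    events are picked up in later rounds. Returns {index: score}."""
    scores = [0.0] * len(log)
    scores[seed_idx] = 1.0
    for _ in range(rounds):
        new = list(scores)
        for i, e in enumerate(log):
            for j, f in enumerate(log):
                if i != j and related(e, f, window):
                    new[i] = max(new[i], decay * scores[j])
        if new == scores:      # converged: no score changed this round
            break
        scores = new
    return {i: s for i, s in enumerate(scores) if s >= threshold}

if __name__ == "__main__":
    for idx, score in sorted(propagate(LOG, 6).items()):
        print(idx, LOG[idx], score)
```

Event 0 is outside the window of the detected attack and is only reached in the second round, through the scan events, which is the feedback effect the paper's algorithm relies on; a single round would miss it.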