Network Forensic Evidence Acquisition (NFEA) with packet marking

Hyung Seok Kim, Huy Kang Kim

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

11 Citations (Scopus)

Abstract

Internet crimes such as DDoS attacks have seriously affected businesses that depend on computer networks such as the Internet. However, TCP/IP-based networks have no protection against malicious packet modification, and attackers exploit this weakness to attack others and to forge IP packets that hide the source IP address of attack packets; attackers can thereby hinder efforts to identify the real origin of an attack using firewalls, intrusion detection systems and other traffic-capturing tools. Therefore, the ability to trace back to the origin of an attack becomes an important part of incident investigation. A number of traceback schemes are available, but their effective tracking range extends only to the very first edge routers or, even worse, the data used by such methods can be forged and/or tricked; hence the use of existing methods for crime investigation is limited. The Network Forensic Evidence Acquisition (NFEA) scheme proposed in this paper is a new traceback scheme that offers an improved effective tracking range while also providing admissible evidence. NFEA guarantees the authenticity and integrity of the collected tracking data through the Authenticated Evidence Marking Scheme (AEMS). AEMS also improves the effective tracking range by producing tracking data at edge routers, which also helps to minimize the loss in overall network performance. The effect on edge-router performance is also guaranteed using the Flow-based Selection Marking Scheme (FSMS). An implementation of NFEA has been evaluated, and the result shows that NFEA is viable to deploy in real networks.

Original language: English
Title of host publication: Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011
Pages: 388-393
Number of pages: 6
DOIs: 10.1109/ISPAW.2011.27
Publication status: Published - 2011 Aug 29
Event: 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - 2011, ICASE 2011, SGH 2011, GSDP 2011 - Busan, Korea, Republic of
Duration: 2011 May 26 to 2011 May 28

Other

Other: 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - 2011, ICASE 2011, SGH 2011, GSDP 2011
Country: Korea, Republic of
City: Busan
Period: 11/5/26 to 11/5/28

Fingerprint

  • Routers
  • Crime
  • Internet
  • Intrusion detection
  • Forging
  • Network performance
  • Computer networks
  • Digital forensics
  • Industry

Keywords

  • DDoS attacks
  • IP traceback
  • Network forensic
  • Network security
  • Packet marking

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software

Cite this

Kim, H. S., & Kim, H. K. (2011). Network Forensic Evidence Acquisition (NFEA) with packet marking. In Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011 (pp. 388-393). [5952007] https://doi.org/10.1109/ISPAW.2011.27

Network Forensic Evidence Acquisition (NFEA) with packet marking. / Kim, Hyung Seok; Kim, Huy Kang.

Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011. 2011. p. 388-393 5952007.

Kim, HS & Kim, HK 2011, Network Forensic Evidence Acquisition (NFEA) with packet marking. in Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011., 5952007, pp. 388-393, 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - 2011, ICASE 2011, SGH 2011, GSDP 2011, Busan, Korea, Republic of, 11/5/26. https://doi.org/10.1109/ISPAW.2011.27
Kim HS, Kim HK. Network Forensic Evidence Acquisition (NFEA) with packet marking. In Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011. 2011. p. 388-393. 5952007 https://doi.org/10.1109/ISPAW.2011.27
Kim, Hyung Seok ; Kim, Huy Kang. / Network Forensic Evidence Acquisition (NFEA) with packet marking. Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011. 2011. pp. 388-393
@inproceedings{383c98d699fb4aad8275fcf1d3c38fba,
title = "Network Forensic Evidence Acquisition (NFEA) with packet marking",
keywords = "DDoS attacks, IP traceback, Network forensic, Network security, Packet marking",
author = "Kim, {Hyung Seok} and Kim, {Huy Kang}",
year = "2011",
month = "8",
day = "29",
doi = "10.1109/ISPAW.2011.27",
language = "English",
isbn = "9780769544298",
pages = "388--393",
booktitle = "Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011",
}

TY - GEN

T1 - Network Forensic Evidence Acquisition (NFEA) with packet marking

AU - Kim, Hyung Seok

AU - Kim, Huy Kang

PY - 2011/8/29

Y1 - 2011/8/29

KW - DDoS attacks

KW - IP traceback

KW - Network forensic

KW - Network security

KW - Packet marking

UR - http://www.scopus.com/inward/record.url?scp=80051981238&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=80051981238&partnerID=8YFLogxK

U2 - 10.1109/ISPAW.2011.27

DO - 10.1109/ISPAW.2011.27

M3 - Conference contribution

AN - SCOPUS:80051981238

SN - 9780769544298

SP - 388

EP - 393

BT - Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011

ER -