Network Forensic Evidence Acquisition (NFEA) with packet marking

Hyung Seok Kim, Huy Kang Kim

Research output: Chapter in Book/Report/Conference proceedingConference contribution

12 Citations (Scopus)

Abstract

Internet crimes such as DDoS attack have seriously affected the businesses that have dependencies on computer networks such as the Internet. However, TCP/IP based networks have no protection against malicious packet modifications and attackers do exploit such vulnerabilities to attack others as well as forging IP packets to hide source IP address of attack packets; hence attackers could hinder the efforts to identify the real origin of attacks using Firewall, Intrusion Detection System and other traffic capturing tools. Therefore, having ability to trace back to the origin of the attack becomes an important part of incident investigation. There are number of traceback schemes available but their effective tracking range is up to the very first edge routers or even worse, data used by such methods could be forged and/or tricked; hence use of existing methods are limited for crimes investigation. Network Forensic Evidence Acquisition (NFEA) scheme proposed in this paper is a new traceback scheme that offers improved effective tracking range with consideration for providing admissible evidence. NFEA guarantees authenticity and integrity of tracking data collected based on Authenticated Evidence Marking Scheme (AEMS). AEMS also improves effective tracking range by producing tracking data at edge-routers, which also helps to minimize loss in overall network performance. Effect on edge-routers' performance is also guaranteed using Flow-based Selection Marking Scheme (FSMS). An implementation of NFEA has been evaluated and the result shows that NFEA is viable to deploy in real networks.

Original languageEnglish
Title of host publicationProceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011
Pages388-393
Number of pages6
DOIs
Publication statusPublished - 2011
Event9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - 2011, ICASE 2011, SGH 2011, GSDP 2011 - Busan, Korea, Republic of
Duration: 2011 May 262011 May 28

Publication series

NameProceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011

Other

Other9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - 2011, ICASE 2011, SGH 2011, GSDP 2011
CountryKorea, Republic of
CityBusan
Period11/5/2611/5/28

Keywords

  • DDoS attacks
  • IP traceback
  • Network forensic
  • Network security
  • Packet marking

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software

Fingerprint Dive into the research topics of 'Network Forensic Evidence Acquisition (NFEA) with packet marking'. Together they form a unique fingerprint.

  • Cite this

    Kim, H. S., & Kim, H. K. (2011). Network Forensic Evidence Acquisition (NFEA) with packet marking. In Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011 (pp. 388-393). [5952007] (Proceedings - 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW 2011 - ICASE 2011, SGH 2011, GSDP 2011). https://doi.org/10.1109/ISPAW.2011.27