Attack pattern discovery in forensic investigation of network attacks

IEEE Journal on Selected Areas in Communications

Volumn 29, Issue 7, 2011, Pages 1349-1357

  Zhu, Ying ^a  

^a UNIVERSITY OF ONTARIO INSTITUTE OF TECHNOLOGY   (Canada)

Author keywords

attack patterns; network forensics; security; suspicion feedback

Indexed keywords

ATTACK PATTERNS; FEEDBACK MECHANISMS; FORENSIC INVESTIGATION; ITERATIVE ALGORITHM; NETWORK ATTACK; NETWORK FORENSICS; NETWORK TRAFFIC; SECURITY; SUSPICION FEEDBACK; UNSUPERVISED ALGORITHMS;

ALGORITHMS;

COMPUTER CRIME;

EID: 80051527078     PISSN: 07338716     EISSN: None     Source Type: Journal    
DOI: 10.1109/JSAC.2011.110802     Document Type: Article

References (42)

1. S. McClure, J. Scambray, and G. Kurtz, Hacking Exposed: Network security secrets and solutions, 5th ed. McGraw-Hill, 2005.
2. E. Casey, "Network traffic as a source of evidence: Tool strengths, weaknesses, and future needs," Elsevier Journal of Digital Investigation, vol. 1, pp. 28-43, 2004.
3. V. e. a. Corey, "Network forensics analysis," IEEE Internet Comput., vol. 6, no. 6, 2002.
4. B. H., "The discipline of internet forensics," Communications of the ACM, vol. 46, no. 8, August 2003.
5. V. Paxson, "Bro: A system for detecting network intruders in real-time," Computer Networks, no. 31, pp. 2435-2463, 1999.
6. M. Roesch, "Snort - lightweight intrusion detection for networks," in Proceedings of the Thirteenth Systems Administration Conference (LISA 1999), November 7-12 1999, Seattle, WA.
7. A. Lakhina, M. Crovella, and C. Diot, "Mining anomalies using traffic feature distributions," in Proc. SIGCOMM'05, August 21-26, 2005, Philadelphia, PA.
8. S. Singh, C. Estan, G. Varghese, and S. Savage, "Automated worm fingerprinting," in Proceedings of the 6th Symposium on Operating Systems Design and Implementation (OSDI'04). USENIX, 2004, San Fransisco, CA.
9. "Netdetector," http://www.niksun.com/product.php?id=4.
10. "Networkminer," http://networkminer.wiki.sourceforge.net/ NetworkMiner.
11. "Netintercept," http://sandstorm.net/products/netintercept.
12. "Wireshark," http://www.wireshark.org.
13. "Snort," http://www.snort.org.
14. R. M. et al., "Implementing a generalized tool for network monitoring," in Proc. Eleventh Systems Administration Conference (LISA 1997), 1997, San Diego, CA.
15. K. Shanmugasundaram, H. Bronnimann, and N. Memon, "Payload attribution via hierarchical Bloom filters," in Proc. ACM Conference on Computer and Communications Security, 2004, Washington DC.
16. C. Cho, S. Lee, C. Tan, and Y. Tan, "Network forensics on packet fingerprints," in Proc. 21st IFIP Information Security Conference (SEC 2006), 2006, Karlstad, Sweden.
17. M. Ponec, G. P., W. J., and B. H., "New payload attribution methods for network forensic investigations," ACM Transactions on Information and System Security, vol. 13, no. 2, pp. 15:2-15:32, February 2006.
18. "The leurre.com project," http://www.leurrecom.org.
19. The Honeynet Project (ed.): Know Your Enemy: Learning about Security Threats, 2nd ed. Addison Wesley Professional, 2004.
20. N. Provos, "A virtual honeypot framework," in Proc. 13th USENIX security symposium, 2004, San Diego, CA.
21. P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling, "The nepenthes platform: An efficient approach to collect malware," in Proc. 9th international symposium on recent advances in intrusion detection (RAID), September 2006, Hamburg, Germany.
22. T. Werner, "Honeytrap," http://honeytrap.mwcollect.org.
23. J. Riordan, D. Zamboni, and Y. Duponchel, "Building and deploying billy goat, a worm-detection system," in Proc. 18th annual FIRST conference, 2006, Baltimore, Maryland.
24. F. Pouget and M. Dacier, "Honeypot-based forensics," in Proc. AusCERT2004, Brisbane, Australia, May 23-27 2004.
25. F. Pouget, M. Dacier, J. Zimmerman, A. Clark, and G. Mohay, "Internet attack knowledge discovery via clusters and cliques of attack traces," Journal of Information Assurance and Security, vol. 1, pp. 21-32, 2006.
26. O. Thonnard and M. Dacier, "A framework for attack patterns' discovery in honeynet data," Digital Investigation, vol. 8, pp. S128-S139, 2008.
27. H. Jin, O. de Vel, K. Zhang, and N. Liu, "Knowledge discovery from honeypot data for monitoring malicious attacks," in Proc. 21st Australian Joint Conference on Artificial Intelligence: Advances in Artificial Intelligence, 2008, Auckland, New Zealand, pp. 470-481.
28. V. Yegneswaran, P. Barford, and V. Paxson, "Using honeypots for internet situational awareness," in Fourth ACM SIGCOMM Workshop on Hot Topics in Networking (Hotnets IV), 2005, College Park, Maryland.
29. C. Estan, S. Savage, and G. Varghese, "Automatically inferring patterns of resource consumption in network traffic," in Proc. SIGCOMM'03, August 25-29, Karlsruhe, Germany 2003.
30. T. Karagiannis, K. Papagiannaki, and M. Faloutsos, "Blinc: Multilevel traffic classification in the dark," in Proc. SIGCOMM'05, August 21-26, Philadelphia, Pennsylvania 2005.
31. J. Kannan, J. Jung, V. Paxson, and C. Koksal, "Semi-automated discovery of application session structure," in Proc. Sixth ACM SIGCOMM Conference on Internet Measurement (IMC'06), 2006, Rio de Janeiro, Brazil, pp. 119-132. (Pubitemid 47165594)
32. A. Leon-Garcia, Probability and Random Processes for Electrical Engineering, 2nd ed. Addison-Wesley, 1994.
33. E. Doron and A. Wool, "Wda: A web farm distributed denial of service attack attenuator," Computer Networks, vol. 10, no. 1016, May 2010.
34. Y. Ohsita and S. Ata, "Detecting distributed denial-of-service attacks by analyzing tcp syn packets statistically," in Proc. IEEE GLOBECOM, Dallas, TX, 2004, p. 20432049.
35. J. A. Gubner, Probability and random processes for electrical and computer engineers. Cambridge University Press, 2006.
36. "Georgia ddos attacks a quick summary of observations," http://asert.arbornetworks.com/2008/08/ georgia-ddos-attacks-a-quick-summary-of- observations/.
37. D. L. Olson and D. Delen, Advanced Data Mining Techniques, 1st ed. Springer, 2008.
38. S. Axelsson, "Intrusion detection systems: A survey and taxonomy," Department of Computer Engineering, Chalmers University of Technology, Tech. Rep., March 2000.
39. "Tripwire," http://www.tripwire.com/.
40. W. Venema, "Tcp wrapper: Network monitoring, access control, and booby traps," in Proc. 3rd USENIX UNIX Security Symposium, September 14-16 1992, pp. 85-92.
41. Northcutt, Cooper, Fearnow, and Frederick, Intrusion Signatures and Analysis. Sams, 2001.
42. "Nmap," nmap.org.