A Secure Network Forensics System for
Cyber Incidents Analysis
A NON-CREDIT COURSE REPORT ON
CYBER FORENSICS AND INFORMATION SECURITY
SUBMITTED TO
SAVITRIBAI PHULE PUNE UNIVERSITY, PUNE
FOR THE PARTIAL FULFILLMENT OF AWARD OF DEGREE
Of
MASTER OF ENGINEERING
In
(Computer Engineering)
By
Swapnil S. Jagtap
Semester-IV Roll No: ******
UNDER THE GUIDANCE OF
Guide Name
(Department of Computer Engineering)
VPKBIET, Baramati.
DEPARTMENT OF COMPUTER
ENGINEERING
Vidya Pratishthan’s Kamalnayan Bajaj Institute of
Engineering & Technology,
Vidyanagari Bhigawan Road
Baramati, Dist. Pune - 413133
2016-2017
CERTIFICATE
This is to certify that Mr. Swapnil S. Jagtap has successfully submitted
his report to Department of Computer Engineering, VPKBIET, Baramati,
on
A Secure Network Forensics System for
Cyber Incidents Analysis
During the academic year 2016-2017 in the partial fulfillment towards
completion of Second Year of
Master of Engineering in Computer Engineering, of
Savitribai Phule Pune University, Pune(Maharashtra)
Swapnil S. Jagtap, Student, Dept. of Comp. Engg.
Guide Name, Guide, Dept. of Comp. Engg.
Date :
Place: VPKBIET, Baramati.
Contents
1 Introduction 3
1.1 What is Network Forensics System . . . . . . . . . . . . . . . 3
1.2 Types of Network Forensics System . . . . . . . . . . . . . . . 3
1.2.1 TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2.2 Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2.3 Wireless Forensics . . . . . . . . . . . . . . . . . . . . . 4
1.2.4 The Internet . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Cyber Incidents Analysis 5
2.1 Comparing different types of cyber security incident . . . . . . 6
2.2 Design of Cyber Black Box . . . . . . . . . . . . . . . . . . . . 6
2.3 Construction of Cyber Black Box . . . . . . . . . . . . . . . . 7
3 Cyber Black Box Interface Block 9
3.1 Traffic & Flow Information Gathering . . . . . . . . . . . . . 9
3.2 Transmitted File Reconstruction . . . . . . . . . . . . . . . . . 10
3.3 Virtual Volume based Storage Management . . . . . . . . . . 10
4 Network forensics tools and services for incident response 11
4.1 Reselling network forensic appliances . . . . . . . . . . . . . . 11
4.2 Cyber forensics in today’s world . . . . . . . . . . . . . . . . . 11
4.3 Cyber Forensics Security Applications . . . . . . . . . . . . . . 12
4.3.1 Online Identity Theft . . . . . . . . . . . . . . . . . . . 12
4.3.2 Industrial Cyber Espionage . . . . . . . . . . . . . . . 13
4.3.3 Critical Infrastructure Protection . . . . . . . . . . . . 13
5 Cyber Forensics & Information Security 15
5.1 CCFP - Certified Cyber Forensics Professional Certification . 16
6 Conclusion 17
7 References 18
Chapter 1
Introduction
1.1 What is Network Forensics System
Network forensics is the capture, recording, and analysis of network events
in order to discover the source of security attacks or other problem incidents.
(The term, attributed to firewall expert Marcus Ranum, is borrowed from the
legal and criminology fields where forensics pertains to the investigation of
crimes.) According to Simson Garfinkel, author of several books on security,
network forensics systems can be one of two kinds [9].
1.2 Types of Network Forensics System
1.2.1 TCP/IP
On the network layer the Internet Protocol (IP) is responsible for directing
the packets generated by TCP through the network (e.g., the Internet) by adding
source and destination information which can be interpreted by routers all
over the network. Cellular digital packet networks, like GPRS, use protocols
similar to IP, so the methods described for IP work with them as well [2].
1.2.2 Ethernet
Applying forensic methods on the Ethernet layer is done by eavesdropping on
bit streams with tools called monitoring tools or sniffers. The most common
tools on this layer are Wireshark (formerly known as Ethereal) and tcpdump,
where tcpdump works mostly on Unix operating systems [4]. These tools collect
all data on this layer and allow the user to filter for different events.
An advantage of collecting this data is that it is directly connected to a host.
If, for example, the IP address or the MAC address of a host at a certain time
is known, all data sent to or from this IP or MAC address can be filtered [8].
With these tools, website pages, email attachments, and other network traffic
can be reconstructed only if they are transmitted or received unencrypted.
1.2.3 Wireless Forensics
Wireless forensics is a sub-discipline of network forensics. The main goal of
wireless forensics is to provide the methodology and tools required to collect
and analyze (wireless) network traffic that can be presented as valid digital
evidence in a court of law. The evidence collected can correspond to plain
data or, with the broad usage of Voice-over-IP (VoIP) technologies, especially
over wireless, can include voice conversations. Analysis of wireless network
traffic is similar to that on wired networks; however, there may be the added
consideration of wireless security measures.
1.2.4 The Internet
The internet can be a rich source of digital evidence including web browsing,
email, newsgroup, synchronous chat and peer-to-peer traffic. For example,
web server logs can be used to show when (or if) a suspect accessed
information related to criminal activity [3].
Chapter 2
Cyber Incidents Analysis
There are many types of information (or IT) security incident that could be
classified as a cyber security incident, ranging from serious cyber security
attacks on critical national infrastructure and major organized cybercrime,
through hacktivism and basic malware attacks, to internal misuse of systems
and software malfunction. However, project research has revealed that there
is no one common definition of a cyber security incident.
There is no authoritative taxonomy to help organizations decide what is
(or isn't) a cyber security incident, breach, or attack. Often cyber security
incidents are associated with malicious attacks or Advanced Persistent Threats
(APTs), but there appears to be no clear agreement. Many different
organizations have different understandings of what the term means, and
consequently adopt inconsistent or inappropriate cyber security incident
response approaches. The original government definition of cyber security
incidents as state-sponsored attacks on critical national infrastructure or
defense capabilities is still valid [1].
However, industry, fuelled by the media, has adopted the term wholesale,
and the term cyber security incident is often used to describe traditional
information (or IT) security incidents. This perception is important, but has
not been fully explored, and the term cyber is both engaging and here to stay.
The two most common (and somewhat polarized) sets of understandings,
as shown in the figure below, are either that cyber security incidents are no
different from traditional information (or IT) security incidents or that they
are solely cyber security attacks.
Figure 2.1: Conceptual goals of Cyber Black Box
2.1 Comparing different types of cyber security incident
The main difference between different types of cyber security incident appears
to lie in the source of the incident (e.g. a minor criminal compared to a major
organized crime syndicate), rather than the type of incident (e.g. hacking,
malware or social engineering) [4]. Therefore, it may be useful to define
cyber security incidents based on the type of attacker, their capability and
intent. At one end of the spectrum come basic cyber security incidents, such
as minor crime, localized disruption and theft. At the other end, we can see
major organized crime, widespread disruption, critical damage to national
infrastructure and even warfare.
2.2 Design of Cyber Black Box
Cyber Black Box is designed to operate as a network forensics system [5, 6]
that collects network traffic for use as evidence, generates useful information
from it and analyzes the collected data [5]. It extracts various kinds of
information from the collected network packets for attack analysis and lets
users search for the specific information they want to find. Additionally,
it generates attack scenarios based on the extracted information. So that the
collected network traffic can serve as evidence, Cyber Black Box guarantees
its integrity and confidentiality. The conceptual goals of Cyber Black Box are
shown in Figure 2.1.
Figure 2.2: Relationships between subsystems of Cyber Black Box system
2.3 Construction of Cyber Black Box
Cyber Black Box consists of two subsystems, the Cyber Black Box Sensor (CBS)
and the Cyber Black Box Manager (CBM). The relationship between CBS and CBM
is shown in Figure 2.2.
The main objective of CBS is to collect network data and extract related
information. All the collected network traffic, flow information, reconstructed
files and related metadata are generated and stored in CBS in real time.
CBM is designed to provide various interfaces to users for information search
and attack scenario generation. CBM can collect data from CBS and analyze it,
can cooperate with external systems to collect more information, and can
manage multiple CBSs simultaneously. When a user wants to analyze some network
traffic and related information, the user connects to a CBM, gathers the
information from the dedicated CBSs and proceeds with the analysis.
The main functionalities of Cyber Black Box, shown in Figure 2.3, can be
listed as follows:
- Network traffic storing and flow information generation.
- Network transmitted file reconstruction and related metadata generation.
- Integrity preservation of collected data and data management.
- Cyber incidents analysis based on the collected network traffic and related information.
- Incident information sharing.
Figure 2.3: Architecture of the cyber black box for network intrusion forensics
Chapter 3
Cyber Black Box Interface
Block
In the related works, since analysis is mainly used as a reaction to a
cyber intrusion event, there are limitations in quick cause analysis and
post-action. They cannot give a complete picture for the forensics analysis
once the attacks have ended. In addition, since the log information necessary
for analyzing the cause of an attack is not available after the cyber incident
occurs, it is difficult to analyze the cause of an attack. In the network
security field, a cyber intrusion event denotes a case of attacking an
information communication network, and a system associated with that network,
by means such as hacking, a computer virus, a logic bomb, a mail bomb, and so on.
3.1 Traffic & Flow Information Gathering
This block gathers the network traffic and flow data (e.g., NetFlow) and sends
them to the forensics server. Network traffic capture may become the
bottleneck of the system when the traffic volume is huge, but dropping some
traffic may mean losing a trace or evidence. How this trade-off is resolved
depends on the real-time traffic load. A network interface card was developed
that handles 10 Gbps of traffic without loss of traffic data. The block may
encode the entire packet data, the flow data, and the PE files held in its
buffer as a file in PCAP format. It may also store the entire packet data, the
flow data, and the PE files, which are encoded by the encoding unit file by
file, as the preservation data.
3.2 Transmitted File Reconstruction
Header analysis technology detects malware based on the information in the PE
header, which holds much of the information needed to execute a file. When a
network packet arrives, it is checked whether the packet carries a PE file or
not. If it does, the packet is collected so that the PE file can be
reconstructed from the packet payload. To reconstruct the file correctly, TCP
reassembly functionality has been implemented as well. Once a PE file has been
reconstructed, it is examined by the header analysis technology.
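The following added example (not code from the report or from the Cyber Black Box system) works through the steps this section and Section 1.2.2 describe: decoding the Ethernet/IPv4/TCP headers a sniffer exposes, reassembling each TCP stream from out-of-order and retransmitted segments, and checking the reassembled bytes for a PE file by parsing the DOS and COFF headers. The frames, MAC/IP addresses and the 104-byte PE stub are constructed; the 4-tuple grouping and the gap/overlap handling are design choices of this example, not a description of the system's implementation.

```python
# Added example, not the report's or Cyber Black Box's code. Frames and the
# PE stub below are constructed inline; no real executable is involved.
import struct
from collections import defaultdict

ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP capture frame (checksums left zero)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + TCP_LEN + len(payload),
                     0, 0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp + payload


def parse_frame(frame):
    """Decode the headers a sniffer exposes; None unless IPv4-over-Ethernet carrying TCP."""
    if len(frame) < ETH_LEN + IP_LEN + TCP_LEN or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 6:                 # IP protocol number 6 = TCP
        return None
    tcp_off = ETH_LEN + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
        "src_ip": ".".join(map(str, frame[ETH_LEN + 12:ETH_LEN + 16])),
        "dst_ip": ".".join(map(str, frame[ETH_LEN + 16:ETH_LEN + 20])),
        "sport": sport, "dport": dport, "seq": seq,
        "payload": frame[tcp_off + data_off:],
    }


def reassemble_streams(frames):
    """Group segments by (src_ip, sport, dst_ip, dport) and join them in seq order."""
    streams = defaultdict(dict)
    for frame in frames:
        seg = parse_frame(frame)
        if seg is None or not seg["payload"]:
            continue
        key = (seg["src_ip"], seg["sport"], seg["dst_ip"], seg["dport"])
        streams[key].setdefault(seg["seq"], seg["payload"])   # retransmission: keep first copy
    result = {}
    for key, segs in streams.items():
        data, expected, complete = bytearray(), None, True
        for seq in sorted(segs):
            chunk = segs[seq]
            if expected is not None and seq > expected:
                complete = False                  # missing segment: gap in the evidence
            if expected is not None and seq < expected:
                chunk = chunk[expected - seq:]    # overlap: drop bytes already seen
            data += chunk
            expected = max(expected or 0, seq + len(segs[seq]))
        result[key] = (bytes(data), complete)
    return result


def parse_pe_header(data):
    """Return Machine, NumberOfSections and TimeDateStamp if data is a PE file, else None."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": hex(machine), "sections": nsections, "timestamp": timestamp}


def scan_capture(frames):
    """Per stream: reassembled length, completeness flag and PE header fields (if any)."""
    return {key: {"bytes": len(data), "complete": complete, "pe": parse_pe_header(data)}
            for key, (data, complete) in reassemble_streams(frames).items()}


def constructed_pe_stub():
    """Constructed 104-byte blob: MZ header, e_lfanew=0x40, COFF header (x64, 3 sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 1600000000, 0, 0, 240, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 16


def demo_frames():
    """Constructed capture: PE stub in three out-of-order segments plus a retransmission,
    and an unrelated HTTP response in the reverse direction."""
    pe = constructed_pe_stub()
    up = ("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.0.0.5", "192.0.2.10", 49152, 80)
    down = ("66:77:88:99:aa:bb", "00:11:22:33:44:55", "192.0.2.10", "10.0.0.5", 80, 49152)
    return [
        build_frame(*up, 1040, pe[40:80]),
        build_frame(*up, 1000, pe[:40]),
        build_frame(*up, 1080, pe[80:]),
        build_frame(*up, 1040, pe[40:80]),        # retransmission, must not duplicate bytes
        build_frame(*down, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
    ]


if __name__ == "__main__":
    for key, info in scan_capture(demo_frames()).items():
        print(key, info)
```

The completeness flag matters for evidence: a stream with a sequence gap must be reported as incomplete rather than passed to header analysis as if it were the whole file.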
3.3 Virtual Volume based Storage Management
Virtual volume management is performed solely for the storage device. The
storage layer for the collected data provides several APIs used by the traffic
information gathering module. The proposed system provides for the integrity
of the data when it is stored in the virtual volume storage, so that the
collected data is preserved as evidence of attacks. Moreover, the storage
management supports a write once read many (WORM) function.
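The integrity guarantee named in Section 2.2 and the write-once storage described here can be combined in one mechanism; the added example below (not code from the report or from Cyber Black Box) keeps an append-only store whose manifest is a keyed hash chain, refuses a second write under an existing name, and on verification pinpoints the record that was altered or the position where an entry was removed. The store is in memory, and the manifest key, record names and contents are constructed.

```python
# Added example, not the report's or Cyber Black Box's code. The store is held
# in memory and the manifest key and record contents are constructed.
import hashlib
import hmac

GENESIS = b"\0" * 32  # chain head before the first record


class EvidenceStore:
    """Write-once (WORM-style) evidence store with a keyed hash chain over its records."""

    def __init__(self, manifest_key):
        self._key = manifest_key   # secret used to tag each chain link
        self._records = {}         # name -> stored bytes, never overwritten
        self._manifest = []        # (name, sha256(record), chain link, HMAC tag)
        self._head = GENESIS

    @staticmethod
    def _link(prev, name, digest):
        """A link binds this record's name and digest to everything stored before it."""
        return hashlib.sha256(prev + name.encode() + digest).digest()

    def _tag(self, link):
        return hmac.new(self._key, link, hashlib.sha256).digest()

    def append(self, name, data):
        """Store a record once; a second write under the same name is refused."""
        if name in self._records:
            raise PermissionError(f"{name!r} already stored; WORM store refuses overwrite")
        digest = hashlib.sha256(data).digest()
        link = self._link(self._head, name, digest)
        self._records[name] = bytes(data)
        self._manifest.append((name, digest, link, self._tag(link)))
        self._head = link
        return link.hex()

    def verify(self):
        """Recompute every digest, link and tag; return the names of entries that fail."""
        failed, prev = [], GENESIS
        for name, digest, link, tag in self._manifest:
            data = self._records.get(name)
            ok = (data is not None
                  and hashlib.sha256(data).digest() == digest
                  and self._link(prev, name, digest) == link
                  and hmac.compare_digest(self._tag(link), tag))
            if not ok:
                failed.append(name)
            prev = link
        return failed


def demo():
    """Store three constructed records, attempt an overwrite, then tamper with one record."""
    store = EvidenceStore(b"constructed-manifest-key")
    store.append("cap-0001.pcap", b"\xd4\xc3\xb2\xa1" + b"segment one")
    store.append("cap-0002.pcap", b"\xd4\xc3\xb2\xa1" + b"segment two")
    store.append("flows-0001.csv", b"10.0.0.5,192.0.2.10,49152,80,3,104\n")
    clean = store.verify()                                  # expected: []
    try:
        store.append("cap-0001.pcap", b"replaced")
        overwrite_blocked = False
    except PermissionError:
        overwrite_blocked = True
    # Simulate tampering on the storage device itself, bypassing append()
    store._records["cap-0002.pcap"] = b"\xd4\xc3\xb2\xa1" + b"segment TWO"
    return clean, overwrite_blocked, store.verify()         # expected: ([], True, ["cap-0002.pcap"])


if __name__ == "__main__":
    print(demo())
```

Removing a manifest entry is caught as well, because the following entry's stored link no longer matches a link recomputed from the previous head; confidentiality of the stored captures is a separate concern (encryption at rest) that this example does not cover.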
Figure 3.1: Components of cyber blackbox and the data flows between them
Chapter 4
Network forensics tools and
services for incident response
Network forensics tools are investigative aids that can be useful immediately
after an incident, as network operations center (NOC) operators try to respond
to IDS alerts and contain damage. They can also be helpful long after
incidents, for example to determine whether a newly patched vulnerability had
already been exploited. Finally, network forensics can be used to deliver
evidence for human resources action or legal prosecution by reconstructing
activity to determine which systems were impacted, what regulated data was
lost or whether acceptable use policies were violated.
4.1 Reselling network forensic appliances
One way for security solution providers to capitalize on this network forensics
technology is by selling, installing, integrating and validating proper opera-
tion of network forensics appliances.
Network forensics requires capturing and storing very large traffic volumes
at line rate. This can be done by deploying dedicated "recorders" at
high-visibility intersection(s) within the network to be monitored, using
span ports or taps.
4.2 Cyber forensics in today’s world
Cyber forensics has been in the popular mainstream for some time, and has
matured into an information-technology capability that is very common among
modern information security programs. The goal of cyber forensics is to
support the elements of troubleshooting, monitoring, recovery, and the
protection of sensitive data. Moreover, in the event of a crime being
committed, cyber forensics is also the approach to collecting, analyzing, and
archiving data as evidence in a court of law.
Although scalable to many information technology domains, especially modern
corporate architectures, cyber forensics can be challenging when applied to
non-traditional environments, which are not comprised of current information
technologies or are designed with technologies that do not provide adequate
data storage or audit capabilities. In addition, further complexity is
introduced if the environments are designed using proprietary solutions and
protocols, thus limiting the ease with which modern forensic methods can be
utilized. The legacy nature and somewhat diverse or disparate component
aspects of control systems environments can often prohibit the smooth
translation of modern forensics analysis into the control systems domain.
Compounded by a wide variety of proprietary technologies and protocols,
as well as critical system technologies with no capability to store significant
amounts of event information, the task of creating a ubiquitous and unified
strategy for technical cyber forensics on a control systems device or comput-
ing resource is far from trivial. To date, no direction regarding cyber forensics
as it relates to control systems has been produced other than what might be
privately available from commercial vendors. Current materials have been
designed to support event recreation (event-based), and although important,
these requirements do not always satisfy the needs associated with incident
response or forensics that are driven by cyber incidents.
4.3 Cyber Forensics Security Applications
While the intent of this article is to provide generalized advice to help
strengthen cyber security, it is useful to consider particular applications
where cyber security is needed. We now describe four of the most pressing
threats to cyber security: online identity theft, industrial cyber espionage,
critical infrastructure protection, and botnets.
4.3.1 Online Identity Theft
One key way in which malicious parties capitalize on Internet insecurity is
by committing online identity theft. Banks have made a strong push for
customers to adopt online services due to the massive cost savings compared
to performing transactions at physical branches. Yet the means of
authentication have not kept up. Banks have primarily relied on passwords to
identify customers, which miscreants can obtain by simple guessing or by
installing keystroke loggers that record the password as it is entered on a
computer. Another way to steal passwords takes advantage of the difficulties
in authenticating a bank to a consumer. Using a phishing attack, miscreants
masquerade as the customer's bank and ask for credentials. Phishing sites
are typically advertised via spam email purporting to come from the bank.
Keystroke loggers can be installed using a more general ruse; for instance,
fraudsters sent targeted emails to the payroll departments of businesses and
school districts with fake invoices attached that triggered installation of
the malicious software. Once the banking credentials have been obtained,
miscreants need a way to convert the stolen credentials to cash.
4.3.2 Industrial Cyber Espionage
The rise of the information economy has meant that the valuable property
of firms is increasingly stored in digital form on corporate networks. This
has made it easier for competitors to remotely gain unauthorized access to
proprietary information. Such industrial espionage can be difficult to detect,
since simply reading the information does not affect its continued use by the
victim. Nonetheless, a few detailed cases of espionage have been uncovered.
In 2005, 21 executives at several large Israeli companies were arrested for hir-
ing private investigators to install spyware that stole corporate secrets from
competitors. In 2009, the hotel operator Starwood sued Hilton, claiming that
a Hilton manager electronically copied 100,000 Starwood documents, includ-
ing market research studies and a design for a new hotel brand. Researchers
at the Universities of Toronto and Cambridge uncovered a sophisticated spy
ring targeting the Tibetan government in exile (Information War Monitor
2009, Nagaraja and Anderson 2009).
4.3.3 Critical Infrastructure Protection
It is widely known that the process control systems that control critical
infrastructures such as chemical refineries and the power grid are insecure.
Why? Protocols for communicating between devices do not include any
authentication, which means that anyone who can communicate on these networks
is treated as legitimate. Consequently, these systems can be disrupted by
receiving a series of crafted messages. The potential for harm was
demonstrated by researchers at Idaho National Laboratory who remotely
destroyed a large diesel power generator by simply issuing SCADA commands. In
order to carry out an attack, the adversary needs quite a bit of specialist
knowledge about the obscure protocols used to send the messages, as well as
which combination of messages to select. She also needs access to the system.
This latter requirement is becoming easier for an attacker to meet due to the
trend over the past decade to indirectly connect these control systems to the
Internet. The main motivation for doing so is to ease remote administration.
Chapter 5
Cyber Forensics & Information
Security
As new technological innovations continue to proliferate in our society, so do
the opportunities for technology exploitation. Once a mere nuisance, hackers
now threaten private citizens, businesses, and government agencies.
Government and law enforcement agencies need skilled professionals who
can join the fight against cyber crime, cyber terrorism, identity theft, and
the exploitation of minors. Companies and other private sector organizations
need skilled professionals with both business acumen and technology skills
for recognizing and mitigating vulnerabilities.
Information is like the lifeblood for organizations of all sizes, types and
industry sectors. It needs to be managed and protected, and when there
is a breach or crime committed involving leaked or stolen information, the
perpetrators must be identified and prosecuted.
Cyber forensics, also called computer forensics or digital forensics, is the
process of extracting information and data from computers to serve as digital
evidence - for civil purposes or, in many cases, to prove and legally prosecute
cyber crime. With technology changing and evolving on a daily basis, cyber
forensic professionals must continually keep pace and educate themselves on
the new techniques to collect this data. They are tasked with being an expert
in forensic techniques and procedures, standards of practice, and legal and
ethical principles that will assure the accuracy, completeness and reliability
of the digital evidence.
5.1 CCFP - Certified Cyber Forensics Professional Certification
CCFP certification is a comprehensive, professional-level credential that
validates experienced practitioners' expertise in the field of cyber
forensics, which encompasses digital and computer forensics. It is the first
certification available within the forensics discipline that reflects
internationally accepted practices while accommodating the specific knowledge
required by forensics professionals at a national level.
Chapter 6
Conclusion
Cyber Black Box is constructed from two subsystems, the CBS (Cyber Black Box
Sensor) and the CBM (Cyber Black Box Manager): the CBS collects traffic and
data, and the CBM analyzes the collected data and information. Since
intrusions cannot be avoided entirely, the deployment of an intrusion
forensics system is needed. As described above, in related research on
cyber-attacks, several months or more are spent just analyzing the cause of an
intrusion event, and because the information necessary for analyzing the
attack cause is not available, the cause of the attack cannot be determined
even after the intrusion event has occurred.
Chapter 7
References
1. Yangseo Choi and Joo-Young Lee, "Introduction to a Network Forensics System for Cyber Incidents Analysis," ICACT 2016, Jan. 2016.
2. M. Tanviruzzaman, S. I. Ahamed, C. S. Hasan, and C. O'Brien, "ePet: When Cellular Phone Learns to Recognize Its Owner," Communications of the ACM, pp. 13-17, Nov. 2009.
3. Y. Ijiri, M. Sakuragi, and S. Lao, "Security Management for Mobile Devices by Face Recognition," Electronics & Communication Engineering Journal, pp. 49-55, May 2006.
4. H. A. Shabeer and P. Suganthi, "Mobile Phones Security Using Biometrics," Electronics & Communication Engineering Journal, pp. 270-272, Dec. 2007.
5. A. K. Jain, A. Ross, and S. Prabhakar, "An Introduction to Biometric Recognition," IEEE Transactions on Circuits and Systems for Video Technology, 14(1):4-20, 2004.
6. G. Parziale, "Touchless Fingerprinting Technology," Advances in Biometrics, pp. 25-48, 2008.
7. Y. Adini, Y. Moses, and S. Ullman, "Face Recognition: The Problem of Compensating for Changes in Illumination Direction," IEEE Transactions on Pattern Analysis and Machine Intelligence, 19(7):721-732, 1997.
8. National Science and Technology Council, "Introduction to Biometrics," 2007. http://www.biometrics.gov/documents/biofoundationdocs.pdf
9. A. K. Jain, A. Ross, and S. Prabhakar, "Biometrics: A Tool for Information Security," IEEE Transactions on Information Forensics and Security, 1(2):125-143, 2006.
10. J. P. Campbell, "Speaker Recognition: A Tutorial," Proceedings of the IEEE, 85(9):1437-1462, 1997.
Collecting and analyzing network-based evidence
CSITiaesprime
 
Topic Since information extracted from router or switch interfaces.docx
Topic Since information extracted from router or switch interfaces.docxTopic Since information extracted from router or switch interfaces.docx
Topic Since information extracted from router or switch interfaces.docx
juliennehar
 
Layered Approach for Preprocessing of Data in Intrusion Prevention Systems
Layered Approach for Preprocessing of Data in Intrusion Prevention SystemsLayered Approach for Preprocessing of Data in Intrusion Prevention Systems
Layered Approach for Preprocessing of Data in Intrusion Prevention Systems
Editor IJCATR
 
Evaluating Network Forensics Applying Advanced Tools
Evaluating Network Forensics Applying Advanced ToolsEvaluating Network Forensics Applying Advanced Tools
Evaluating Network Forensics Applying Advanced Tools
IJAEMSJORNAL
 
Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...
Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...
Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...
IJCNCJournal
 
Trust Metric-Based Anomaly Detection via Deep Deterministic Policy Gradient R...
Trust Metric-Based Anomaly Detection via Deep Deterministic Policy Gradient R...Trust Metric-Based Anomaly Detection via Deep Deterministic Policy Gradient R...
Trust Metric-Based Anomaly Detection via Deep Deterministic Policy Gradient R...
IJCNCJournal
 
Boni Yeamin Thesis final_report.pdf
Boni Yeamin Thesis final_report.pdfBoni Yeamin Thesis final_report.pdf
Boni Yeamin Thesis final_report.pdf
Boni Yeamin
 
MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.
MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.
MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.
IRJET Journal
 
Review on Computer Forensic
Review on Computer ForensicReview on Computer Forensic
Review on Computer Forensic
Editor IJCTER
 
Detecting network attacks model based on a convolutional neural network
Detecting network attacks model based on a convolutional neural network Detecting network attacks model based on a convolutional neural network
Detecting network attacks model based on a convolutional neural network
IJECEIAES
 
G017424448
G017424448G017424448
G017424448
IOSR Journals
 
Overview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacksOverview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacks
David Sweigert
 
IJISRT22MAR7471.docx
IJISRT22MAR7471.docxIJISRT22MAR7471.docx
IJISRT22MAR7471.docx
ballolliemin
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network security
IAEME Publication
 
Peripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network SecurityPeripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network Security
IJRES Journal
 
Optimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning AlgorithmOptimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning Algorithm
ijtsrd
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilities
Krishna Gehlot
 
Encryption Security in SCADA Networks
Encryption Security in SCADA NetworksEncryption Security in SCADA Networks
Encryption Security in SCADA Networks
IJRES Journal
 

Similar to A secure network forensics system for cyber incidents analysis (20)

DDOS ATTACK DETECTION ON INTERNET OF THINGS USING UNSUPERVISED ALGORITHMS
DDOS ATTACK DETECTION ON INTERNET OF THINGS USING UNSUPERVISED ALGORITHMSDDOS ATTACK DETECTION ON INTERNET OF THINGS USING UNSUPERVISED ALGORITHMS
DDOS ATTACK DETECTION ON INTERNET OF THINGS USING UNSUPERVISED ALGORITHMS
 
DDoS Attack Detection on Internet o Things using Unsupervised Algorithms
DDoS Attack Detection on Internet o Things using Unsupervised AlgorithmsDDoS Attack Detection on Internet o Things using Unsupervised Algorithms
DDoS Attack Detection on Internet o Things using Unsupervised Algorithms
 
Collecting and analyzing network-based evidence
Collecting and analyzing network-based evidenceCollecting and analyzing network-based evidence
Collecting and analyzing network-based evidence
 
Topic Since information extracted from router or switch interfaces.docx
Topic Since information extracted from router or switch interfaces.docxTopic Since information extracted from router or switch interfaces.docx
Topic Since information extracted from router or switch interfaces.docx
 
Layered Approach for Preprocessing of Data in Intrusion Prevention Systems
Layered Approach for Preprocessing of Data in Intrusion Prevention SystemsLayered Approach for Preprocessing of Data in Intrusion Prevention Systems
Layered Approach for Preprocessing of Data in Intrusion Prevention Systems
 
Evaluating Network Forensics Applying Advanced Tools
Evaluating Network Forensics Applying Advanced ToolsEvaluating Network Forensics Applying Advanced Tools
Evaluating Network Forensics Applying Advanced Tools
 
Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...
Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...
Trust Metric-Based Anomaly Detection Via Deep Deterministic Policy Gradient R...
 
Trust Metric-Based Anomaly Detection via Deep Deterministic Policy Gradient R...
Trust Metric-Based Anomaly Detection via Deep Deterministic Policy Gradient R...Trust Metric-Based Anomaly Detection via Deep Deterministic Policy Gradient R...
Trust Metric-Based Anomaly Detection via Deep Deterministic Policy Gradient R...
 
Boni Yeamin Thesis final_report.pdf
Boni Yeamin Thesis final_report.pdfBoni Yeamin Thesis final_report.pdf
Boni Yeamin Thesis final_report.pdf
 
MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.
MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.
MACHINE LEARNING AND DEEP LEARNING MODEL-BASED DETECTION OF IOT BOTNET ATTACKS.
 
Review on Computer Forensic
Review on Computer ForensicReview on Computer Forensic
Review on Computer Forensic
 
Detecting network attacks model based on a convolutional neural network
Detecting network attacks model based on a convolutional neural network Detecting network attacks model based on a convolutional neural network
Detecting network attacks model based on a convolutional neural network
 
G017424448
G017424448G017424448
G017424448
 
Overview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacksOverview of SMB, NetBIOS and other network attacks
Overview of SMB, NetBIOS and other network attacks
 
IJISRT22MAR7471.docx
IJISRT22MAR7471.docxIJISRT22MAR7471.docx
IJISRT22MAR7471.docx
 
A honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network securityA honeynet framework to promote enterprise network security
A honeynet framework to promote enterprise network security
 
Peripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network SecurityPeripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network Security
 
Optimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning AlgorithmOptimized Intrusion Detection System using Deep Learning Algorithm
Optimized Intrusion Detection System using Deep Learning Algorithm
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilities
 
Encryption Security in SCADA Networks
Encryption Security in SCADA NetworksEncryption Security in SCADA Networks
Encryption Security in SCADA Networks
 

Recently uploaded

Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
21UME003TUSHARDEB
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
KrishnaveniKrishnara1
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
VICTOR MAESTRE RAMIREZ
 
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
ydzowc
 
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
171ticu
 
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
IJECEIAES
 
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by AnantLLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
Anant Corporation
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
IJECEIAES
 
Data Control Language.pptx Data Control Language.pptx
Data Control Language.pptx Data Control Language.pptxData Control Language.pptx Data Control Language.pptx
Data Control Language.pptx Data Control Language.pptx
ramrag33
 
integral complex analysis chapter 06 .pdf
integral complex analysis chapter 06 .pdfintegral complex analysis chapter 06 .pdf
integral complex analysis chapter 06 .pdf
gaafergoudaay7aga
 
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURSCompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
RamonNovais6
 
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
insn4465
 
Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
Mahmoud Morsy
 
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
171ticu
 
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
Gino153088
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
kandramariana6
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
Madan Karki
 
artificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptxartificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptx
GauravCar
 
Null Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAMNull Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAM
Divyanshu
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
abbyasa1014
 

Recently uploaded (20)

Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
 
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
 
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
 
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
 
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by AnantLLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
LLM Fine Tuning with QLoRA Cassandra Lunch 4, presented by Anant
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
 
Data Control Language.pptx Data Control Language.pptx
Data Control Language.pptx Data Control Language.pptxData Control Language.pptx Data Control Language.pptx
Data Control Language.pptx Data Control Language.pptx
 
integral complex analysis chapter 06 .pdf
integral complex analysis chapter 06 .pdfintegral complex analysis chapter 06 .pdf
integral complex analysis chapter 06 .pdf
 
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURSCompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
 
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
哪里办理(csu毕业证书)查尔斯特大学毕业证硕士学历原版一模一样
 
Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
 
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
 
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
 
artificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptxartificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptx
 
Null Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAMNull Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAM
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
 

A secure network forensics system for cyber incidents analysis

Contents

1 Introduction 3
1.1 What is Network Forensics System 3
1.2 Types of Network Forensics System 3
1.2.1 TCP/IP 3
1.2.2 Ethernet 3
1.2.3 Wireless Forensics 4
1.2.4 The Internet 4
2 Cyber Incidents Analysis 5
2.1 Comparing different types of cyber security incident 6
2.2 Design of Cyber Black Box 6
2.3 Construction of Cyber Black Box 7
3 Cyber Black Box Interface Block 9
3.1 Traffic & Flow Information Gathering 9
3.2 Transmitted File Reconstruction 10
3.3 Virtual Volume based Storage Management 10
4 Network forensics tools and services for incident response 11
4.1 Reselling network forensic appliances 11
4.2 Cyber forensics in today's world 11
4.3 Cyber Forensics Security Applications 12
4.3.1 Online Identity Theft 12
4.3.2 Industrial Cyber Espionage 13
4.3.3 Critical Infrastructure Protection 13
5 Cyber Forensics & Information Security 15
5.1 CCFP - Certified Cyber Forensics Professional Certification 16
6 Conclusion 17
7 References 18
Chapter 1 Introduction

1.1 What is Network Forensics System

Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. (The term, attributed to firewall expert Marcus Ranum, is borrowed from the legal and criminology fields, where forensics pertains to the investigation of crimes.) According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds [9].

1.2 Types of Network Forensics System

1.2.1 TCP/IP

At the network layer, the Internet Protocol (IP) is responsible for directing the packets generated by TCP through the network (e.g., the Internet) by adding source and destination addresses that routers all over the network can interpret. Cellular packet data networks such as GPRS use protocols similar to IP, so the methods described for IP work for them as well [2].

1.2.2 Ethernet

Forensic methods are applied on the Ethernet layer by eavesdropping on the bit stream with monitoring tools, also called sniffers. The most common tools on this layer are Wireshark (formerly known as Ethereal) and tcpdump; tcpdump is mostly used on Unix-like operating systems [4]. These tools collect all data on this layer and allow the user to filter for different events.
An advantage of collecting this data is that it is directly connected to a host. If, for example, the IP address or the MAC address a host used at a certain time is known, all data sent to or from that IP or MAC address can be filtered out [8]. Note that a MAC address is only visible on the host's own network segment; beyond the first router, the frames carry the routers' MAC addresses instead, so filtering by MAC requires a capture point on that segment. With these tools, web pages, email attachments, and other network traffic can be reconstructed, but only if they were transmitted or received unencrypted.

1.2.3 Wireless Forensics

Wireless forensics is a sub-discipline of network forensics. The main goal of wireless forensics is to provide the methodology and tools required to collect and analyze (wireless) network traffic that can be presented as valid digital evidence in a court of law. The evidence collected can correspond to plain data or, with the broad usage of Voice-over-IP (VoIP) technologies, especially over wireless, can include voice conversations. Analysis of wireless network traffic is similar to that on wired networks; however, there may be the added consideration of wireless security measures such as link-layer encryption.

1.2.4 The Internet

The Internet can be a rich source of digital evidence, including web browsing, email, newsgroup, synchronous chat and peer-to-peer traffic. For example, web server logs can be used to show when (or if) a suspect accessed information related to criminal activity [3].
Chapter 2 Cyber Incidents Analysis

There are many types of information (or IT) security incident that could be classified as a cyber security incident, ranging from serious cyber security attacks on critical national infrastructure and major organized cybercrime, through hacktivism and basic malware attacks, to internal misuse of systems and software malfunction. However, project research has revealed that there is no one common definition of a cyber security incident. There is no authoritative taxonomy to help organizations decide what is (or isn't) a cyber security incident, breach, or attack. Cyber security incidents are often associated with malicious attacks or Advanced Persistent Threats (APTs), but there appears to be no clear agreement. Different organizations have different understandings of what the term means and consequently adopt inconsistent or inappropriate cyber security incident response approaches. The original government definition of cyber security incidents as state-sponsored attacks on critical national infrastructure or defense capabilities is still valid [1]. However, industry, fuelled by the media, has adopted the term wholesale, and "cyber security incident" is often used to describe traditional information (or IT) security incidents. This perception is important but has not been fully explored, and the term "cyber" is both engaging and here to stay. The two most common (and somewhat polarized) understandings, shown in the figure below, are either that cyber security incidents are no different from traditional information (or IT) security incidents, or that they are solely cyber security attacks.
Figure 2.1: Conceptual goals of Cyber Black Box

2.1 Comparing different types of cyber security incident

The main difference between types of cyber security incident appears to lie in the source of the incident (e.g. a minor criminal compared to a major organized crime syndicate) rather than in the type of incident (e.g. hacking, malware or social engineering) [4]. Therefore it may be useful to define cyber security incidents based on the type of attacker, their capability and their intent. At one end of the spectrum come basic cyber security incidents, such as minor crime, localized disruption and theft. At the other end are major organized crime, widespread disruption, critical damage to national infrastructure and even warfare.

2.2 Design of Cyber Black Box

Cyber Black Box is designed to operate as a network forensics system [5, 6] that collects network traffic for use as evidence, analyzes the collected data and generates useful information from it [5]. It extracts various information from the collected network packets for attack analysis and lets users search for the specific information they want to find. Additionally, it generates attack scenarios based on the extracted information. Because the collected network traffic is to be used as evidence, Cyber Black Box guarantees its integrity and confidentiality. The conceptual goals of Cyber Black Box are shown in Figure 2.1.

Figure 2.2: Relationships between subsystems of Cyber Black Box system

2.3 Construction of Cyber Black Box

Cyber Black Box consists of two subsystems, the Cyber Black Box Sensor (CBS) and the Cyber Black Box Manager (CBM). The relationship between CBS and CBM is shown in Figure 2.2. The main objective of CBS is to collect network data and extract related information: all collected network traffic, flow information, reconstructed files and related metadata are generated and stored in CBS in real time. CBM is designed to provide various interfaces to users for information search and attack scenario generation. CBM collects data from CBS and analyzes it; it can also cooperate with external systems to collect more information, and it can manage multiple CBS instances simultaneously. When a user wants to analyze some network traffic and related information, the user connects to a CBM, gathers the information from the dedicated CBSs and proceeds with the analysis. The main functionalities of Cyber Black Box, shown in Figure 2.3, are:

- network traffic storing and flow information generation;
- reconstruction of files transmitted over the network and generation of related metadata;
- integrity preservation of collected data and data management;
- cyber incident analysis based on the collected network traffic and related information;
- incident information sharing.

Figure 2.3: Architecture of the cyber black box for network intrusion forensics
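Section 2.2 states that the collected traffic must keep its integrity to serve as evidence, and the functionality list above includes integrity preservation of collected data. The following Python code is an added illustration of one way to meet that goal; it is not code from this report or from the Cyber Black Box system. It is an append-only evidence log in which every record stores the SHA-256 of the payload it describes and is linked to the previous record by a hash chain, with an HMAC over each record under a key that is assumed (an assumption of this example) to be held by the collector and not by analysts. The key and the three "PCAP chunks" are constructed fixtures, and the store is kept in memory for brevity where a real deployment would persist it on write-once media.

```python
"""Append-only evidence log with a hash chain and an HMAC seal. Added example
for the integrity goal of sections 2.2 and 2.3; not code from the report or from
the Cyber Black Box system. The key and the records below are constructed."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous HMAC" of the very first record


class EvidenceStore:
    """Write-once store: records are appended, never updated or deleted.

    Each record carries the HMAC of the previous record (a hash chain) and an
    HMAC over its own contents keyed with a secret the collector holds. Changing
    a stored record, or removing one, breaks the chain on verification.
    """

    def __init__(self, key):
        self._key = key
        self._records = []

    def append(self, payload):
        """Add one evidence record describing a payload (e.g. a PCAP chunk)."""
        prev = self._records[-1]["hmac"] if self._records else GENESIS
        body = {"seq": len(self._records), "prev": prev,
                "sha256": hashlib.sha256(payload).hexdigest(), "size": len(payload)}
        encoded = json.dumps(body, sort_keys=True).encode()
        body["hmac"] = hmac.new(self._key, encoded, hashlib.sha256).hexdigest()
        self._records.append(body)
        return body["hmac"]

    def records(self):
        """Copies of the records, so callers cannot mutate the store itself."""
        return [dict(r) for r in self._records]


def verify_chain(records, key):
    """Return (ok, first_bad_seq). Recomputes every HMAC and every prev link."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "hmac"}
        if rec.get("seq") != i or body.get("prev") != prev:
            return False, i                      # record removed, reordered or relinked
        encoded = json.dumps(body, sort_keys=True).encode()
        expect = hmac.new(key, encoded, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, rec.get("hmac", "")):
            return False, i                      # contents altered or wrong key
        prev = rec["hmac"]
    return True, None


def demo():
    """Constructed fixture: a collector key and three fake capture chunks."""
    key = b"collector-secret-key-constructed"    # assumption: known to CBS only
    store = EvidenceStore(key)
    for chunk in (b"pcap chunk 0 (constructed)", b"pcap chunk 1 (constructed)",
                  b"pcap chunk 2 (constructed)"):
        store.append(chunk)
    return store, key


if __name__ == "__main__":
    store, key = demo()
    print(verify_chain(store.records(), key))
    tampered = store.records()
    tampered[1]["sha256"] = "00" * 32
    print(verify_chain(tampered, key))
```

The chain only proves that nothing changed after a record was sealed; it says nothing about whether the sensor captured the right packets in the first place, which is why the capture-loss question in section 3.1 matters separately.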
Chapter 3 Cyber Black Box Interface Block

In the related works, analysis is mainly used as a reaction to a cyber intrusion event, so there are limitations in quick cause analysis and post-action. They cannot give a complete picture for the forensic analysis once the attacks have ended. In addition, when no log information necessary for analyzing the cause is available after the cyber incident occurs, it is difficult to analyze the cause of an attack. In the network security field, a cyber intrusion event denotes an attack on an information communication network, or on a system associated with it, by means such as hacking, a computer virus, a logic bomb, a mail bomb, and so on.

3.1 Traffic & Flow Information Gathering

This block gathers the network traffic and flow data (e.g. NetFlow) and sends them to the forensics server. Network traffic capture may become the bottleneck of the system when the traffic volume is large, but discarding some traffic may mean losing a trace or evidence. How this trade-off is resolved depends on the real-time traffic load; the referenced design developed a network interface card that handles 10 Gbps of traffic without loss of packet data. The block may encode the entire packet data, the flow data, and the PE files held in its buffer as a file in PCAP format, and may store the packet data, flow data and PE files encoded by the encoding unit, file by file, as the preservation data.
3.2 Transmitted File Reconstruction

Header analysis detects malware from the information in the PE (Portable Executable) header, which holds a great deal of information needed to execute a file. When a network packet arrives, the system checks whether the packet contains a PE file. If it does, the packet is collected so that the PE file can be reconstructed from the packet payloads. To reconstruct the file correctly, TCP reassembly has been implemented as well. Once a PE file has been reconstructed, it is examined by the header analysis component.

3.3 Virtual Volume based Storage Management

Virtual volume management is performed solely on the storage device, and the storage layer provides several APIs through which the traffic information gathering module stores the collected data. The proposed system guarantees the integrity of data stored in the virtual volume storage, so that the collected data is preserved as evidence of attacks. Moreover, the storage management supports a write once, read many (WORM) function.

Figure 3.1: Components of cyber blackbox and the data flows between them
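Section 3.2 describes three steps: detecting a PE file in traffic, reassembling the TCP stream it travelled in, and reading its header. The following Python code is an added example of those steps; it is not code from this report or from the Cyber Black Box system. It reorders out-of-order TCP segments and drops retransmitted bytes, locates the MZ/PE signature pair through the e_lfanew field, and decodes the IMAGE_FILE_HEADER fields (machine, section count, timestamp, DLL flag) plus the PE32+ magic. The HTTP response and the minimal PE64 image it carries are constructed fixtures, not a real binary, and the reassembly ignores 32-bit sequence-number wraparound.

```python
"""Reassemble a TCP stream from out-of-order segments, find a PE file in the
payload and read its header fields. Added example for section 3.2; not code from
the report or from the Cyber Black Box system. The PE image and the segments are
constructed here, not taken from a real binary or capture."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}  # IMAGE_FILE_MACHINE_*
IMAGE_FILE_DLL = 0x2000


def reassemble(segments, isn):
    """Order (seq, payload) segments starting at isn, dropping retransmitted bytes.
    Returns (stream, gap_found); a gap means evidence is incomplete (wraparound ignored)."""
    stream = bytearray()
    expect = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > expect:
            return bytes(stream), True               # a segment is missing
        skip = expect - seq                          # overlap with bytes already copied
        if skip < len(payload):
            stream += payload[skip:]
            expect = seq + len(payload)
    return bytes(stream), False


def find_pe(stream):
    """Offset of the first MZ header whose e_lfanew points at a PE signature and a
    complete file header, or -1 (a partial stream therefore yields -1)."""
    start = 0
    while True:
        off = stream.find(MZ, start)
        if off < 0 or off + 0x40 > len(stream):
            return -1
        e_lfanew, = struct.unpack_from("<I", stream, off + 0x3C)
        pe = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and pe + 26 <= len(stream) and stream[pe:pe + 4] == PE_SIG:
            return off
        start = off + 1


def parse_pe_header(stream, off):
    """Decode IMAGE_FILE_HEADER fields and the optional-header magic of the image at off."""
    e_lfanew, = struct.unpack_from("<I", stream, off + 0x3C)
    fh = off + e_lfanew + 4                          # IMAGE_FILE_HEADER follows "PE\0\0"
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", stream, fh)
    magic, = struct.unpack_from("<H", stream, fh + 20)   # IMAGE_OPTIONAL_HEADER.Magic
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "sections": nsections,
            "timestamp": timestamp, "optional_header_size": opt_size,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "pe32plus": magic == 0x20B}


def extract_pe(segments, isn):
    """Full pipeline: reassemble, locate, parse. None if no complete PE header is present."""
    stream, gap = reassemble(segments, isn)
    off = find_pe(stream)
    if off < 0:
        return None
    return {"offset": off, "complete": not gap,
            "header": parse_pe_header(stream, off), "image": stream[off:]}


def _fake_pe():
    """Constructed minimal PE64 DLL: DOS stub, PE signature, file header, optional header."""
    dos = bytearray(0x80)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x80)         # e_lfanew: PE signature at 0x80
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 3, 1500000000, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + bytes(238)     # PE32+ magic, rest zeroed
    return bytes(dos) + PE_SIG + file_hdr + opt + b"\x90" * 64


def sample_segments():
    """Constructed HTTP response carrying the PE, split into out-of-order TCP segments
    with one retransmission. Returns (segments, isn, expected_stream)."""
    isn = 1000
    data = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + _fake_pe()
    cuts = [0, 40, 150, 300, len(data)]
    segs = [(isn + cuts[i], data[cuts[i]:cuts[i + 1]]) for i in range(len(cuts) - 1)]
    segs.append(segs[1])                             # retransmitted segment
    segs.reverse()                                   # arrives out of order
    return segs, isn, data


if __name__ == "__main__":
    segs, isn, _ = sample_segments()
    print(extract_pe(segs, isn)["header"])
```

The gap flag is what distinguishes a reconstructed file that can be hashed and presented as evidence from one that cannot; a missing segment early in the stream means the header itself is unavailable, and the function returns None rather than a partially decoded header.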
  • 12. Chapter 4 Network forensics tools and services for incident response Network forensics tools are investigative aids that can be useful immediately after an incident, as network operations center (NOC) operators try to re- spond to IDS alerts and contain damage. They can also be helpful long after incidents for example, to determine whether a newly patched vulnerabil- ity has already been compromised. Finally, network forensics can be used to deliver evidence for human resources action or legal prosecution by recon- structing activity to determine which systems were impacted, what regulated data was lost or whether acceptable use policies were violated. 4.1 Reselling network forensic appliances One way for security solution providers to capitalize on this network forensics technology is by selling, installing, integrating and validating proper opera- tion of network forensics appliances. Network forensics requires capturing and storing very large traffic volumes at line rate. This can be done by deploying dedicated ”recorders” at high- visibility intersection(s) within the network to be monitored, using span ports or taps. 4.2 Cyber forensics in today’s world Cyber forensics has been in the popular mainstream for some time, and has matured into an information-technology capability that is very common among modern information security programs. The goal of cyber forensics 11
is to support the elements of troubleshooting, monitoring, recovery, and the protection of sensitive data. Moreover, in the event of a crime being committed, cyber forensics is also the approach to collecting, analyzing, and archiving data as evidence in a court of law.

Although scalable to many information technology domains, especially modern corporate architectures, cyber forensics can be challenging when applied to non-traditional environments, which are not comprised of current information technologies or are designed with technologies that do not provide adequate data storage or audit capabilities. In addition, further complexity is introduced if the environments are designed using proprietary solutions and protocols, thus limiting the ease with which modern forensic methods can be utilized. The legacy nature and somewhat diverse or disparate component aspects of control systems environments can often prohibit the smooth translation of modern forensics analysis into the control systems domain.

Compounded by a wide variety of proprietary technologies and protocols, as well as critical system technologies with no capability to store significant amounts of event information, the task of creating a ubiquitous and unified strategy for technical cyber forensics on a control systems device or computing resource is far from trivial. To date, no direction regarding cyber forensics as it relates to control systems has been produced other than what might be privately available from commercial vendors. Current materials have been designed to support event recreation (event-based), and although important, these requirements do not always satisfy the needs associated with incident response or forensics that are driven by cyber incidents.
4.3 Cyber Forensics Security Applications

While the intent of this article is to provide generalized advice to help strengthen cyber security, it is useful to consider particular applications where cyber security is needed. We now describe four of the most pressing threats to cyber security: online identity theft, industrial cyber espionage, critical infrastructure protection, and botnets.

4.3.1 Online Identity Theft

One key way in which malicious parties capitalize on Internet insecurity is by committing online identity theft. Banks have made a strong push for
customers to adopt online services due to the massive cost savings compared to performing transactions at physical branches. Yet the means of authentication have not kept up. Banks have primarily relied on passwords to identify customers, which miscreants can obtain by simple guessing or by installing keystroke loggers that record the password as it is entered on a computer. Another way to steal passwords takes advantage of the difficulties in authenticating a bank to a consumer. Using a phishing attack, miscreants masquerade as the customer's bank and ask for credentials. Phishing sites are typically advertised via spam email purporting to come from the bank. Keystroke loggers can be installed using a more general ruse; for instance, fraudsters sent targeted emails to the payroll departments of businesses and school districts with fake invoices attached that triggered installation of the malicious software. Once the banking credentials have been obtained, miscreants need a way to convert the stolen credentials to cash.

4.3.2 Industrial Cyber Espionage

The rise of the information economy has meant that the valuable property of firms is increasingly stored in digital form on corporate networks. This has made it easier for competitors to remotely gain unauthorized access to proprietary information. Such industrial espionage can be difficult to detect, since simply reading the information does not affect its continued use by the victim. Nonetheless, a few detailed cases of espionage have been uncovered. In 2005, 21 executives at several large Israeli companies were arrested for hiring private investigators to install spyware that stole corporate secrets from competitors. In 2009, the hotel operator Starwood sued Hilton, claiming that a Hilton manager electronically copied 100,000 Starwood documents, including market research studies and a design for a new hotel brand.
Researchers at the Universities of Toronto and Cambridge uncovered a sophisticated spy ring targeting the Tibetan government in exile (Information War Monitor 2009, Nagaraja and Anderson 2009).

4.3.3 Critical Infrastructure Protection

It is widely known that the process control systems that control critical infrastructures such as chemical refineries and the power grid are insecure. Why? Protocols for communicating between devices do not include any authentication, which means that anyone who can communicate on these networks is treated as legitimate. Consequently, these systems can be disrupted by receiving a series of crafted messages. The potential for harm was demonstrated by researchers at Idaho National Laboratory who remotely destroyed
a large diesel power generator by simply issuing SCADA commands. In order to carry out an attack, the adversary needs quite a bit of specialist knowledge about the obscure protocols used to send the messages, as well as which combination of messages to select. She also needs access to the system. This latter requirement is becoming easier for an attacker to meet due to the trend over the past decade to indirectly connect these control systems to the Internet. The main motivation for doing so is to ease remote administration.
Chapter 5 Cyber Forensics & Information Security

As new technological innovations continue to proliferate in our society, so do the opportunities for technology exploitation. Once a mere nuisance, hackers now threaten private citizens, businesses, and government agencies. Government and law enforcement agencies need skilled professionals who can join the fight against cyber crime, cyber terrorism, identity theft, and the exploitation of minors. Companies and other private sector organizations need skilled professionals with both business acumen and technology skills for recognizing and mitigating vulnerabilities.

Information is the lifeblood of organizations of all sizes, types and industry sectors. It needs to be managed and protected, and when there is a breach or crime committed involving leaked or stolen information, the perpetrators must be identified and prosecuted. Cyber forensics, also called computer forensics or digital forensics, is the process of extracting information and data from computers to serve as digital evidence, for civil purposes or, in many cases, to prove and legally prosecute cyber crime. With technology changing and evolving on a daily basis, cyber forensic professionals must continually keep pace and educate themselves on the new techniques to collect this data. They are tasked with being experts in forensic techniques and procedures, standards of practice, and legal and ethical principles that will assure the accuracy, completeness and reliability of the digital evidence.
5.1 CCFP - Certified Cyber Forensics Professional Certification

CCFP certification is a comprehensive, professional-level credential that validates experienced practitioners' expertise in the field of cyber forensics, which encompasses digital and computer forensics. It is the first certification available within the forensics discipline that reflects internationally accepted practices while accommodating the specific knowledge required by forensics professionals at a national level.
Chapter 6 Conclusion

Cyber Black Box is constructed from two subsystems, CBS (Cyber Black Box Sensor) and CBM (Cyber Black Box Manager); the role of CBS is to collect traffic and data, and the role of CBM is to analyze the collected data and information. Since intrusions cannot be avoided entirely, the deployment of an intrusion forensics system is needed. As described above, in related research on cyber-attacks, several months or more are spent just analyzing the cause of an intrusion event, and because the information necessary for analyzing the cause of an attack is not available, the cause cannot be determined even after the intrusion event occurs.