http://dx.doi.org/10.13089/JKIISC.2012.22.4.719

Network Forensic Evidence Generation and Verification Scheme  

Kim, Hyung-Seok (Graduate School of Information Security, Korea University)
Kim, Eun-Jin (Department of International Industrial Information, Kyonggi University)
Kim, Huy-Kang (Graduate School of Information Security, Korea University)
Abstract
One of the most important points in an Internet crime investigation is tracing back to and identifying the criminal host. However, criminals can forge the crime records stored on that host, or use malicious applications so that no record is left at all. In addition, criminals can change the source IP address of the crime host and deny their involvement. In this study, we propose the Network Forensic Evidence Generation and Verification Scheme (NFEGVS) to overcome these limitations of current network forensic technologies. The scheme can prove who committed a crime and when it occurred. It also prevents leakage of the symmetric key that guarantees the authenticity and integrity of the forensic evidence, by means of the proposed Timestamp Secret Key Distribution Scheme, and minimizes the performance degradation of the router when generating forensic evidence, by means of the Flow-Based Selection Scheme. In this paper, we implement the proposed scheme and evaluate the overall performance of the proposed system.
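The abstract names three ingredients: evidence records protected by a symmetric key, a timestamp-based scheme that limits how long any one key is exposed, and flow-based selection so the router does not pay the cost on every packet. The following is an added illustration of how those ideas fit together; it is not the paper's NFEGVS implementation, and the key-derivation rule, the record format, the epoch length, the HMAC-SHA256 choice and all names (epoch_key, FlowSelector, the constructed master key and IP addresses) are assumptions made for this sketch.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Assumed parameters (constructed for this sketch, not from the paper): a
# long-term master key held by a key server, and an epoch length after which
# the evidence key rotates so a router only ever holds a short-lived key.
MASTER_KEY = b"constructed-master-key-for-illustration-only"
EPOCH_SECONDS = 60

# A flow is identified by its 5-tuple: (src_ip, dst_ip, src_port, dst_port, proto)
FlowKey = Tuple[str, str, int, int, int]


def epoch_of(ts: float) -> int:
    """Map a packet timestamp to the key epoch it belongs to."""
    return int(ts // EPOCH_SECONDS)


def epoch_key(master: bytes, epoch: int) -> bytes:
    """Derive the per-epoch evidence key from the master key (assumed rule).
    A key server can distribute only the current epoch's key to a router, so a
    leaked router key exposes at most one epoch of evidence to forgery."""
    return hmac.new(master, b"evidence-epoch:%d" % epoch, hashlib.sha256).digest()


def canonical_bytes(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def evidence_record(flow: FlowKey, ts: float, key: bytes) -> dict:
    """Build one evidence record (who: 5-tuple, when: timestamp + epoch) and
    bind it with an HMAC tag under the epoch key."""
    body = {"src": flow[0], "dst": flow[1], "sport": flow[2], "dport": flow[3],
            "proto": flow[4], "ts": int(ts), "epoch": epoch_of(ts)}
    body["tag"] = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return body


def verify_record(rec: dict, master: bytes) -> bool:
    """Recompute the tag from the record's own epoch field; any change to the
    addresses, ports or timestamp, or an unknown key, makes verification fail."""
    body = {k: v for k, v in rec.items() if k != "tag"}
    key = epoch_key(master, body["epoch"])
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(rec.get("tag", "")))


class FlowSelector:
    """Flow-based selection: only the first packet of each flow seen within an
    epoch produces an evidence record, so the router computes one HMAC per
    flow per epoch rather than one per packet."""

    def __init__(self, master: bytes) -> None:
        self.master = master
        self.seen: Dict[Tuple[int, FlowKey], bool] = {}
        self.records: List[dict] = []

    def observe(self, flow: FlowKey, ts: float) -> bool:
        """Return True if this packet generated a new evidence record."""
        ep = epoch_of(ts)
        if (ep, flow) in self.seen:
            return False
        self.seen[(ep, flow)] = True
        self.records.append(evidence_record(flow, ts, epoch_key(self.master, ep)))
        return True


def demo() -> Tuple[int, int, bool, bool]:
    """Run constructed traffic through the selector and check the records.
    Returns (packets seen, records produced, all genuine records verify,
    a record with its source address altered verifies)."""
    sel = FlowSelector(MASTER_KEY)
    base = 1_700_000_000.0  # constructed timestamp inside one epoch
    f1: FlowKey = ("10.0.0.5", "192.0.2.10", 40000, 80, 6)
    f2: FlowKey = ("10.0.0.7", "192.0.2.10", 40001, 443, 6)
    packets = [(f1, base), (f1, base + 1), (f1, base + 2), (f2, base + 3), (f2, base + 4)]
    for flow, ts in packets:
        sel.observe(flow, ts)
    genuine_ok = all(verify_record(r, MASTER_KEY) for r in sel.records)
    altered = dict(sel.records[0])
    altered["src"] = "10.0.0.99"  # an attempt to pin the flow on another host
    return len(packets), len(sel.records), genuine_ok, verify_record(altered, MASTER_KEY)


if __name__ == "__main__":
    print(demo())
```

Two points the sketch makes concrete: verification needs only the master key and the epoch stored in the record, so an investigator can check evidence long after the router's short-lived key has been discarded; and the selector's bookkeeping is the whole cost of flow-based selection, which is why it is cheaper than tagging every packet.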
Keywords
Network forensic; Internet Crime; IP traceback; Packet Marking; Network Security;