Abstract
We present an approach to network forensics that makes it feasible to trace the content of all traffic that passed through the network by means of packet content fingerprints. We develop a new data structure called the "Rolling Bloom Filter" (RBF), which is based on a generalization of the Rabin-Karp string-matching algorithm. It combines two key advantages: space efficiency and an efficient content-matching mechanism. It also achieves an analytically predictable false positive rate that can be controlled by tuning the RBF parameters. Leveraging these insights, we have designed and implemented a practical network forensic system that makes it possible to reconstruct the sequence of events for post-incident analysis.
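As an added illustration, not the paper's own code and not its exact RBF construction, the following Python sketches how a Rabin-Karp rolling hash over fixed-size payload windows can feed a Bloom filter, so that an excerpt of recorded traffic can later be queried and the standard Bloom false positive estimate reported. The window size, filter parameters and sample payloads are constructed assumptions.

```python
import math
# Constructed, simplified illustration (not the paper's RBF): a Rabin-Karp
# rolling hash over fixed-size payload windows feeds a Bloom filter, so any
# excerpt of a recorded payload can later be tested for presence.
BASE = 257            # radix for the polynomial rolling hash
MOD = (1 << 61) - 1   # large prime keeps window hashes well distributed


def rolling_fingerprints(data: bytes, window: int):
    """Yield the Rabin-Karp hash of every window-byte substring of data;
    after the first, each hash is updated in O(1) from the previous one."""
    if len(data) < window:
        return
    high = pow(BASE, window - 1, MOD)  # weight of the byte leaving the window
    h = 0
    for b in data[:window]:
        h = (h * BASE + b) % MOD
    yield h
    for i in range(window, len(data)):
        h = ((h - data[i - window] * high) * BASE + data[i]) % MOD
        yield h


class RollingBloomFilter:
    def __init__(self, m_bits: int, k_hashes: int, window: int):
        self.m, self.k, self.window = m_bits, k_hashes, window
        self.bits = bytearray((m_bits + 7) // 8)
        self.count = 0  # windows inserted so far, for the FPR estimate

    def _indices(self, fp: int):
        # Double hashing derives the k bit positions from the one rolling hash.
        h1, h2 = fp % self.m, ((fp >> 32) % self.m) | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add_payload(self, payload: bytes) -> None:
        for fp in rolling_fingerprints(payload, self.window):
            for i in self._indices(fp):
                self.bits[i >> 3] |= 1 << (i & 7)
            self.count += 1

    def seen_excerpt(self, excerpt: bytes) -> bool:
        """True if every window of the excerpt is present (no false negatives)."""
        fps = list(rolling_fingerprints(excerpt, self.window))
        return bool(fps) and all(
            all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._indices(fp))
            for fp in fps)

    def false_positive_rate(self) -> float:
        # Standard Bloom estimate (1 - e^(-kn/m))^k for a single window lookup.
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k
```

An excerpt shorter than one window cannot be looked up, so the window size bounds the smallest content fragment the filter can attribute.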
© 2006 International Federation for Information Processing
Cite this paper
Cho, C.Y., Lee, S.Y., Tan, C.P., Tan, Y.T. (2006). Network Forensics on Packet Fingerprints. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds) Security and Privacy in Dynamic Environments. SEC 2006. IFIP International Federation for Information Processing, vol 201. Springer, Boston, MA. https://doi.org/10.1007/0-387-33406-8_34
DOI: https://doi.org/10.1007/0-387-33406-8_34
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-33405-9
Online ISBN: 978-0-387-33406-6