
Improving Payload Attribution Techniques

Sasan Narkes Abadi, Zeynab | 2016

Type of Document: M.Sc. Thesis
Language: Farsi
Document No: 48756 (19)
University: Sharif University of Technology
Department: Computer Engineering
Advisor(s): Kharrazi, Mehdi

Abstract:
One of the most important steps in network forensics is attributing the attacker and tracing the victims of an attack. In some situations, the packet payload is the only information available for tracking the attacker, and network security professionals have introduced payload attribution techniques to attribute this type of attack. In payload attribution, a history of network traffic is stored so that, after an attack, it can be queried to trace the source and destination of a payload excerpt. Because of the high traffic volume in today's networks, payload attribution techniques must store traffic in a compressed form so that querying this data remains practical at the time it is needed. Payload attribution methods should also protect the privacy of network users. Various payload attribution techniques that meet the above requirements have been proposed; the main idea of all of them is the use of hash functions and the Bloom filter data structure. In Bloom filters, the data reduction ratio and privacy are obtained at the cost of false-positive errors. Various studies have been presented to improve the data reduction ratio and the false-positive rate, but according to the results presented in this research, it can be concluded that these techniques are not operationally ready. The large number of incorrect flow IDs in the results and the impracticality of long-term investigations are the major problems of payload attribution techniques. To improve the performance of payload attribution, this research proposes a solution based on a hierarchy of time. This solution substantially reduces the number of incorrect flow IDs and the false-positive rate: the proposed solution improves the average number of incorrect flow IDs by up to 1.42 times compared with the previous methods. Also, since the new method reduces the total number of false-positive errors, attribution can be carried out over a longer duration.

Keywords:
Network Forensics ; Network Security ; Payload Attribution ; Digital Forensics ; Operational Payload Attribution
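The following is an added illustration of Bloom-filter payload attribution with a two-level time hierarchy; it is not code from the thesis, whose exact scheme the abstract does not spell out, and it only shows why requiring agreement between a coarse (per-hour) and a fine (per-minute) filter can cut the number of incorrect flow IDs. The filter sizes, window lengths, flow-ID list and traffic lines are constructed assumptions.

```python
import hashlib
from collections import defaultdict
class BloomFilter:  # minimal: k SHA-256-derived positions in an m-bit array
    def __init__(self, m_bits, k):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits)
    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m
    def add(self, item):
        for p in self._positions(item):
            self.bits[p] = 1
    def __contains__(self, item):
        return all(self.bits[p] for p in self._positions(item))
class TimeHierarchyAttributor:
    """Each (payload n-gram + flow_id) key goes into a per-minute and a per-hour
    filter; a hierarchical query accepts a minute hit only if the hour also matches."""
    def __init__(self, n=8, fine=60, coarse=3600, m_bits=256, k=2):
        self.n, self.fine_len, self.coarse_len = n, fine, coarse
        self.fine = defaultdict(lambda: BloomFilter(m_bits, k))
        self.coarse = defaultdict(lambda: BloomFilter(m_bits * 4, k))
    def _keys(self, data, flow_id):
        return [data[i:i + self.n] + b"|" + flow_id.encode()
                for i in range(len(data) - self.n + 1)]
    def record(self, ts, flow_id, payload):
        for key in self._keys(payload, flow_id):
            self.fine[ts // self.fine_len].add(key)
            self.coarse[ts // self.coarse_len].add(key)
    def query(self, excerpt, known_flows, hierarchical=True):
        """Return (minute_window, flow_id) pairs whose filters hold every excerpt n-gram."""
        hits = []
        for fw, bf in sorted(self.fine.items()):
            cw = (fw * self.fine_len) // self.coarse_len
            for fid in known_flows:  # stands in for the flow-record log a real system consults
                keys = self._keys(excerpt, fid)
                if hierarchical and not all(k in self.coarse[cw] for k in keys):
                    continue  # the hour-level filter rules this window/flow out
                if all(k in bf for k in keys):
                    hits.append((fw, fid))
        return hits
def demo():
    """Constructed traffic; the excerpt truly belongs to flow f2 at t=3690 (minute 61)."""
    att = TimeHierarchyAttributor()
    traffic = [(10, "f1", b"GET /index.html HTTP/1.1"), (70, "f3", b"USER anonymous PASS guest"),
               (3690, "f2", b"POST /upload.php HTTP/1.1"), (3700, "f4", b"HELO mail.example.test"),
               (7300, "f5", b"GET /admin/login.php HTTP/1.1")]
    for ts, fid, payload in traffic:
        att.record(ts, fid, payload)
    flows = ["f1", "f2", "f3", "f4", "f5", "f6"]
    return att.query(b"/upload.", flows, False), att.query(b"/upload.", flows, True)
```

The hierarchical result is always a subset of the flat per-minute result, so any incorrect (window, flow) pair it drops is a false positive that the coarse filter did not also produce; the true pair (61, "f2") survives in both.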
