A Network Forensic Scheme Using Correntropy-Variation for Attack Detection

  • Nour MoustafaEmail author
  • Jill Slay
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 532)


Network forensic techniques help track cyber attacks by monitoring and analyzing network traffic. However, due to the large volumes of data in modern networks and sophisticated attacks that mimic normal behavior and/or erase traces to avoid detection, network attack investigations demand intelligent and efficient network forensic techniques. This chapter proposes a network forensic scheme for monitoring and investigating network-based attacks. The scheme captures and stores network traffic data, selects important network traffic features using the chi-square statistic and detects anomalous events using a novel correntropy-variation technique. An evaluation of the network forensic scheme employing the UNSW-NB15 dataset demonstrates its utility and high performance compared with three state-of-the-art approaches.


Network forensics cyber attacks correntropy-variation technique 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    M. Ambusaidi, X. He, P. Nanda and Z. Tan, Building an intrusion detection system using a filter-based feature selection algorithm, IEEE Transactions on Computers, vol. 65(10), pp. 2986–2998, 2016.Google Scholar
  2. 2.
    R. Bao, H. Rong, P. Angelov, B. Chen and P. Wong, Correntropy-based evolving fuzzy neural system, to appear in IEEE Transactions on Fuzzy Systems.Google Scholar
  3. 3.
    R. Brandom, A new ransomware attack is infecting airlines, banks and utilities across Europe, The Verge, June 27, 2017.Google Scholar
  4. 4.
    L. Chen, D. Divakaran, A. Ang, W. Lim and V. Thing, FACT: A framework for authentication in cloud-based IP traceback, IEEE Transactions on Information Forensics and Security, vol. 12(3), pp. 604–616, 2017.Google Scholar
  5. 5.
    Y. Chen and M. Chen, Using chi-square statistics to measure similarities for text categorization, Expert Systems with Applications, vol. 38(4), pp. 3085–3090, 2011.Google Scholar
  6. 6.
    N. Clarke, F. Li and S. Furnell, A novel privacy preserving user identification approach for network traffic, Computers and Security, vol. 70, pp. 335–350, 2017.Google Scholar
  7. 7.
    A. Diamah, M. Mohammadian and B. Balachandran, Network security evaluation method via attack graphs and fuzzy cognitive maps, Proceedings of the Fourth International Conference on Intelligent Decision Technologies, vol. 2, pp. 433–440, 2012.Google Scholar
  8. 8.
    B. Hazarika and S. Medhi, Survey of real-time security mechanisms in network forensics, International Journal of Computer Applications, vol. 151(2), 2016.Google Scholar
  9. 9.
    J. He, C. Chang, P. He and M. Pathan, Network forensic method based on evidence graph and vulnerability reasoning, Future Internet, vol. 8(4), article no. 9, 2016.Google Scholar
  10. 10.
    M. Ibrahim, M. Abdullah and A. Dehghantanha, VoIP evidence model: A new forensic method for investigating VoIP malicious attacks, Proceedings of the International Conference on Cyber Security, Cyber Warfare and Digital Forensics, pp. 201–206, 2012.Google Scholar
  11. 11.
    S. Khan, A. Ghani, A. Wahab, M. Shiraz and I. Ahmad, Network forensics: Review, taxonomy and open challenges, Journal of Network and Computer Applications, vol. 66, pp. 214–235, 2016.Google Scholar
  12. 12.
    S. Khan, M. Shiraz, A. Wahab, A. Ghani, Q. Han and Z. Rahman, A comprehensive review of the adaptability of network forensic frameworks for mobile cloud computing, The Scientific World Journal, vol. 2014, article id. 547062, 2014.Google Scholar
  13. 13.
    Y. Li, Y. Wang, F. Yang, S. Su and D. Yan, Deterministic packet marking based on the coordination of border gateways, Proceedings of the Second International Conference on Education Technology and Computers, vol. 2, pp. 154–161, 2010.Google Scholar
  14. 14.
    C. Liu, A. Singhal and D. Wijesekera, A probabilistic network forensic model for evidence analysis, in Advances in Digital Forensics XII, G. Peterson and S. Shenoi (Eds.), Springer, Heidelberg, Germany, pp. 189–210, 2016.Google Scholar
  15. 15.
    H. Liu and H. Motoda, Computational Methods of Feature Selection, Chapman and Hall/CRC, Boca Raton, Florida, 2008.Google Scholar
  16. 16.
    J. Liu, G. Tian and S. Zhu, Design and implementation of a network forensic system based on intrusion detection analysis, Proceedings of the International Conference on Control Engineering and Communications Technology, pp. 689–692, 2012.Google Scholar
  17. 17.
    W. Liu, P. Pokharel and J. Principe, Correntropy: Properties and applications in non-Gaussian signal processing, IEEE Transactions on Signal Processing, vol. 55(11), pp. 5286–5298, 2007.Google Scholar
  18. 18.
    N. Moustafa and J. Slay, UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 Network Data Set), Proceedings of the Military Communications and Information Systems Conference, 2015.Google Scholar
  19. 19.
    N. Moustafa, J. Slay and G. Creech, Novel geometric area analysis technique for anomaly detection using trapezoidal area estimation in large-scale networks, to appear in IEEE Transactions on Big Data.Google Scholar
  20. 20.
    P. Saurabh and B. Verma, An efficient proactive artificial immune system based anomaly detection and prevention system, Expert Systems with Applications, vol. 60, pp. 311–320, 2016.Google Scholar
  21. 21.
    A. Shalaginov and K. Franke, Big data analytics by automated generation of fuzzy rules for network forensic readiness, Applied Soft Computing, vol. 52, pp. 359–375, 2017.Google Scholar
  22. 22.
    M. Srinivas and A. Sung, Identifying significant features for network forensic analysis using artificial intelligence techniques, International Journal of Digital Evidence, vol. 1(4), 2003.Google Scholar
  23. 23.
    T. Tafazzoli, E. Salahi and H. Gharaee, A proposed architecture for network forensic systems in large-scale networks, International Journal of Computer Networks and Communications, vol. 7(4), pp. 43–56, 2015.Google Scholar
  24. 24.
    Z. Tan, A. Jamdagni, X. He, P. Nanda and R. Liu, A system for denial-of-service attack detection based on multivariate correlation analysis, IEEE Transactions on Parallel and Distributed Systems, vol. 25(2), pp. 447–456, 2014.Google Scholar
  25. 25.
    S. Thompson, Sampling, John Wiley and Sons, Hoboken, New Jersey, 2012.Google Scholar
  26. 26.
    K. Wang, M. Du, Y. Sun, A. Vinel and Y. Zhang, Attack detection and distributed forensics in machine-to-machine networks, IEEE Network, vol. 30(6), pp. 49–55, 2016.Google Scholar
  27. 27.
    X. Wang and X. Wang, Topology-assisted deterministic packet marking for IP traceback, Journal of China Universities of Posts and Telecommunications, vol. 17(2), pp. 116–121, 2010.Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  1. 1.Australian Centre for Cyber SecurityUniversity of New South WalesCanberraAustralia
  2. 2.La Trobe UniversityMelbourneAustralia

Personalised recommendations