ForNet: A Distributed Forensics Network

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2776)

Abstract

This paper introduces ForNet, a distributed network logging mechanism to aid digital forensics over wide area networks. We describe the need for such a system, review related work, present the architecture of the system, and discuss key research issues.



Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Shanmugasundaram, K., Memon, N., Savant, A., Bronnimann, H. (2003). ForNet: A Distributed Forensics Network. In: Gorodetsky, V., Popyack, L., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2003. Lecture Notes in Computer Science, vol 2776. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45215-7_1

  • DOI: https://doi.org/10.1007/978-3-540-45215-7_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40797-3

  • Online ISBN: 978-3-540-45215-7
