Authors: Ahmad Almulhem, Issa Traore
Addresses: ISOT Research Laboratory, Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC V8W 3P6, Canada. ' ISOT Research Laboratory, Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC V8W 3P6, Canada
Abstract: A key challenge in network forensics arises because of |attackers| ability to move around in the network, which results in creating a chain of connections; commonly known as connection chains. They are widely used by attackers to stay anonymous and/or to confuse the forensic process. Investigating connection chains can be further complicated when several IP addresses are used in the attack. In this paper, we highlight this challenging problem. We then propose a solution through hacker profiling. Our solution includes a novel hacker model that integrates information about a hacker|s linguistic, operating system and time of activity. It also includes an algorithm to operate on the proposed model. We establish the effectiveness of the proposed approach through several simulations and an evaluation with a real attack data.
Keywords: network security; connection chains; stepping stones; alert correlation; network forensics; spatial hacking; fingerprinting; hacker profiling; simulation; network attacks.
International Journal of Communication Networks and Distributed Systems, 2008 Vol.1 No.1, pp.4 - 18
Published online: 18 Feb 2008 *Full-text access for editors Access for subscribers Purchase this article Comment on this article