Title: Evidential structures and metrics for network forensics

Authors: Ahmad R. Amran, Raphael C-W. Phan, David J. Parish, John N. Whitley

Addresses: High Speed Networks Research Group, Department of Electronic and Electrical Engineering, Sir David Davies Building, Loughborough University, Ashby Road, Loughborough LE11 3TU, UK. ' High Speed Networks Research Group, Department of Electronic and Electrical Engineering, Sir David Davies Building, Loughborough University, Ashby Road, Loughborough LE11 3TU, UK. ' High Speed Networks Research Group, Department of Electronic and Electrical Engineering, Sir David Davies Building, Loughborough University, Ashby Road, Loughborough LE11 3TU, UK. ' High Speed Networks Research Group, Department of Electronic and Electrical Engineering, Sir David Davies Building, Loughborough University, Ashby Road, Loughborough LE11 3TU, UK

Abstract: Evaluation of forensics evidence is an essential step in proving the malicious intents of an attacker or adversary and the severity of the damages caused to any network. This paper takes a step forward showing how security metrics can be used to sustain a sense of credibility to network evidence gathered as an elaboration and extension to an embedded feature of network forensic readiness (NFR) – redress that is defined as holding intruders responsible. We propose a procedure of evidence acquisition in network forensics where we then analyse sample of packet data in order to extract useful information as evidence through a formalised intuitive model, based on capturing adversarial behaviour and layer analysis. We also discuss the evidential structure and corresponding database design. We then apply the common vulnerability scoring system (CVSS) metrics to show that a forensics metrics system could assess the severity of network attacks committed, thus giving a degree of credibility to the evidence gathered. This way, hard evidence could be objectively collected to lend support to the resource-intensive process of investigation and litigation, leading to successful conviction, while reducing effort expended on the process.

Keywords: evidential structure; evidential database; common vulnerability scoring system; CVSS; network forensic readiness; NFR; network forensics; security metrics; network evidence; network attacks.

DOI: 10.1504/IJITST.2010.037404

International Journal of Internet Technology and Secured Transactions, 2010 Vol.2 No.3/4, pp.250 - 270

Available online: 06 Dec 2010

Full-text access for editors Access for subscribers Purchase this article Comment on this article