HAL will be down for maintenance from Friday, June 10 at 4pm through Monday, June 13 at 9am. More information
Skip to Main content Skip to Navigation
Conference papers

Collecting Network Evidence Using Constrained Approximate Search Algorithms

Abstract : Intrusion detection systems are defensive tools that identify malicious activities in networks and hosts. In network forensics, investigators often study logs that store alerts generated by intrusion detection systems. This research focuses on Snort, a widely-used, open-source, misuse-based intrusion detection system that detects network intrusions based on a pre-defined set of attack signatures. When a security breach occurs, a forensic investigator typically starts by examining network log files. However, Snort cannot detect unknown attacks (i.e., zero-day attacks) even when they are similar to known attacks; as a result, an investigator may lose evidence in a criminal case.This chapter demonstrates the ease with which it is possible to defeat the detection of malicious activity by Snort and the possibility of using constrained approximate search algorithms instead of the default Snort search algorithm to collect evidence. Experimental results of the performance of constrained approximate search algorithms demonstrate that they are capable of detecting previously unknown attack attempts that are similar to known attacks. While the algorithms generate additional false positives, the number of false positives can be reduced by the careful choice of constraint values in the algorithms.
Document type :
Conference papers
Complete list of metadata

Cited literature [13 references]  Display  Hide  Download

Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Tuesday, January 22, 2019 - 9:44:24 AM
Last modification on : Tuesday, February 23, 2021 - 7:22:03 PM
Long-term archiving on: : Tuesday, April 23, 2019 - 1:37:30 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Ambika Chitrakar, Slobodan Petrovic. Collecting Network Evidence Using Constrained Approximate Search Algorithms. 14th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2018, New Delhi, India. pp.141-160, ⟨10.1007/978-3-319-99277-8_9⟩. ⟨hal-01988834⟩



Record views


Files downloads