
Collecting Network Evidence Using Constrained Approximate Search Algorithms

Abstract: Intrusion detection systems are defensive tools that identify malicious activities in networks and hosts. In network forensics, investigators often study logs that store alerts generated by intrusion detection systems. This research focuses on Snort, a widely-used, open-source, misuse-based intrusion detection system that detects network intrusions based on a pre-defined set of attack signatures. When a security breach occurs, a forensic investigator typically starts by examining network log files. However, Snort cannot detect unknown attacks (i.e., zero-day attacks) even when they are similar to known attacks; as a result, an investigator may lose evidence in a criminal case. This chapter demonstrates the ease with which it is possible to defeat the detection of malicious activity by Snort and the possibility of using constrained approximate search algorithms instead of the default Snort search algorithm to collect evidence. Experimental results of the performance of constrained approximate search algorithms demonstrate that they are capable of detecting previously unknown attack attempts that are similar to known attacks. While the algorithms generate additional false positives, the number of false positives can be reduced by the careful choice of constraint values in the algorithms.
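The abstract contrasts exact signature matching with constrained approximate search, where a payload still triggers an alert when it differs from a known signature by a bounded number of edits, and notes that the constraint values trade detection of variants against false positives. The following Python is an added illustration of that idea, not the paper's algorithm and not Snort code: it implements a dynamic-programming matcher with separate upper bounds on substitutions, insertions (extra payload bytes) and deletions (signature bytes absent from the payload), and runs it over a constructed signature and three constructed payloads to show how the bounds change which payloads are flagged.

```python
"""Constrained approximate signature search (added illustration, not the paper's
algorithm).  Assumptions, not taken from the page: a signature is a byte string;
the payload is matched approximately with separate upper bounds on
substitutions, insertions (extra payload bytes) and deletions (signature bytes
absent from the payload)."""
from typing import List, Optional, Sequence, Set, Tuple

Edits = Tuple[int, int, int]   # (substitutions, insertions, deletions)
Limits = Tuple[int, int, int]  # (max_sub, max_ins, max_del)


def exact_search(signature: bytes, payload: bytes) -> bool:
    """Plain substring matching: a signature engine with no tolerance for variants."""
    return signature in payload


def constrained_search(signature: bytes, payload: bytes,
                       limits: Limits) -> List[Tuple[int, Edits]]:
    """Return (end_offset, edits) for every payload offset at which the whole
    signature aligns within the per-operation limits.

    Column-by-column dynamic programming over the payload; each cell keeps the
    set of edit-count triples that are still within the limits, so the sets are
    bounded by (max_sub+1)*(max_ins+1)*(max_del+1) entries."""
    max_sub, max_ins, max_del = limits
    m = len(signature)

    def within(e: Edits) -> bool:
        return e[0] <= max_sub and e[1] <= max_ins and e[2] <= max_del

    # Column before any payload byte is consumed: only leading signature bytes deleted.
    col: List[Set[Edits]] = [set() for _ in range(m + 1)]
    col[0].add((0, 0, 0))
    for i in range(1, m + 1):
        if within((0, 0, i)):
            col[i].add((0, 0, i))

    hits: List[Tuple[int, Edits]] = []
    for j in range(1, len(payload) + 1):
        new: List[Set[Edits]] = [set() for _ in range(m + 1)]
        new[0].add((0, 0, 0))  # the signature may start at any payload offset
        for i in range(1, m + 1):
            cands: Set[Edits] = set()
            same = signature[i - 1] == payload[j - 1]
            for s, ins, d in col[i - 1]:      # consume one byte of each side
                cands.add((s, ins, d) if same else (s + 1, ins, d))
            for s, ins, d in col[i]:          # extra payload byte (insertion)
                cands.add((s, ins + 1, d))
            for s, ins, d in new[i - 1]:      # missing signature byte (deletion)
                cands.add((s, ins, d + 1))
            new[i] = {e for e in cands if within(e)}
        col = new
        if col[m]:
            hits.append((j, min(col[m], key=sum)))
    return hits


def best_match(signature: bytes, payload: bytes, limits: Limits) -> Optional[Edits]:
    """Cheapest edit triple over all alignments, or None if nothing is within limits."""
    hits = constrained_search(signature, payload, limits)
    return min((e for _, e in hits), key=sum) if hits else None


def count_alerts(signature: bytes, payloads: Sequence[bytes], limits: Limits) -> int:
    """Number of payloads that would raise an alert under the given limits."""
    return sum(1 for p in payloads if best_match(signature, p, limits) is not None)


# Constructed sample data (not from the paper): one signature, three payloads.
SIGNATURE = b"admin_login_bypass"
PAYLOADS = [
    b"GET /app?mode=admin_login_bypass HTTP/1.1",  # exact: any engine alerts
    b"GET /app?mode=admin_login-bypass HTTP/1.1",  # one-byte variant of the signature
    b"GET /app?mode=admin_login_page HTTP/1.1",    # benign request that is merely similar
]

if __name__ == "__main__":
    for limits in [(0, 0, 0), (1, 1, 1), (2, 2, 2)]:
        print("limits", limits, "alerts", count_alerts(SIGNATURE, PAYLOADS, limits))
```

With limits of (0, 0, 0) the matcher behaves like exact search and only the first payload alerts; with (1, 1, 1) the variant in the second payload is also caught with a single substitution; with (2, 2, 2) the benign third payload alerts as well (two substitutions plus two deletions), which is the false-positive cost of loosening the constraints that the abstract refers to. Swapping a per-operation bound also changes the reported alignment: forbidding substitutions but allowing one insertion and one deletion still matches the second payload, now as a delete-and-insert pair.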
Document type :
Conference papers


https://hal.inria.fr/hal-01988834
Contributor: Hal Ifip
Submitted on: Tuesday, January 22, 2019 - 9:44:24 AM
Last modification on: Tuesday, February 23, 2021 - 7:22:03 PM
Long-term archiving on: Tuesday, April 23, 2019 - 1:37:30 PM

File

472401_1_En_9_Chapter.pdf
Files produced by the author(s)

Licence


Distributed under a Creative Commons Attribution 4.0 International License

Citation

Ambika Chitrakar, Slobodan Petrovic. Collecting Network Evidence Using Constrained Approximate Search Algorithms. 14th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2018, New Delhi, India. pp.141-160, ⟨10.1007/978-3-319-99277-8_9⟩. ⟨hal-01988834⟩
