Project

Correlating Evidence from Honeypot and NIDS for Improved Network Forensics

Goal: We identify certain attributes that are common in the two datasets and then use them to link several other attributes. We use the notion of surjective mapping to construct our proposed algorithm, which reduces duplication in the aggregated data. Our method leads to a semi-automated network forensic data correlation which is feasible without losing the key information. Our experiment also indicates that forensics correlation is more effective when traces of intrusion are gathered from multiple sensors and analysed. Further, using the data mining technique on the correlated dataset we are able to create Snort rules which help in avoiding specific threats in the future.
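A worked illustration of the attribute-mapping idea in the goal, added here and not taken from the ASERNET paper or its code: each honeypot record and each NIDS alert is mapped onto a key built from the attributes the two datasets share (assumed here to be source IP, destination port, protocol and a five-minute time bucket), so that many raw records collapse onto one correlated entry while the attributes only one sensor can supply stay attached to it. The field names, sample records, Snort SID and the rule-writing helper are all constructed assumptions; in particular the rule is written directly from the correlated attributes rather than by the decision-tree mining the page mentions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real captures); field names are assumptions.
HONEYPOT = [
    {"ts": "2024-01-05 10:00:01", "src_ip": "203.0.113.7", "dst_port": 22,
     "proto": "tcp", "username": "root", "password": "123456"},
    {"ts": "2024-01-05 10:00:03", "src_ip": "203.0.113.7", "dst_port": 22,
     "proto": "tcp", "username": "root", "password": "admin"},
    {"ts": "2024-01-05 10:30:00", "src_ip": "198.51.100.9", "dst_port": 445,
     "proto": "tcp", "username": None, "password": None},
]
NIDS = [
    {"ts": "2024-01-05 10:00:02", "src_ip": "203.0.113.7", "dst_port": 22,
     "proto": "tcp", "msg": "CONSTRUCTED SSH login attempts"},
    {"ts": "2024-01-05 10:00:04", "src_ip": "203.0.113.7", "dst_port": 22,
     "proto": "tcp", "msg": "CONSTRUCTED SSH login attempts"},
    {"ts": "2024-01-05 11:00:00", "src_ip": "192.0.2.44", "dst_port": 80,
     "proto": "tcp", "msg": "CONSTRUCTED suspicious HTTP user agent"},
]

COMMON = ("src_ip", "dst_port", "proto")   # attributes present in both datasets
WINDOW = timedelta(minutes=5)              # assumed tolerance between sensor clocks
EPOCH = datetime(1970, 1, 1)


def correlation_key(rec, window=WINDOW):
    """Map one raw record onto its correlation key.

    The map is many-to-one: every key has at least one record behind it and
    several records usually share one, which is what removes duplication
    when the two datasets are aggregated.
    """
    t = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    bucket = (t - EPOCH) // window         # integer index of the time window
    return tuple(rec[a] for a in COMMON) + (bucket,)


def correlate(honeypot, nids, window=WINDOW):
    """Aggregate both datasets under their shared keys, keeping the attributes
    only one sensor can supply (credentials from the honeypot, alert messages
    from the NIDS) attached to the correlated entry."""
    merged = defaultdict(lambda: {"honeypot_hits": 0, "nids_hits": 0,
                                  "credentials": set(), "signatures": set()})
    for rec in honeypot:
        entry = merged[correlation_key(rec, window)]
        entry["honeypot_hits"] += 1
        if rec["username"] is not None:
            entry["credentials"].add((rec["username"], rec["password"]))
    for rec in nids:
        entry = merged[correlation_key(rec, window)]
        entry["nids_hits"] += 1
        entry["signatures"].add(rec["msg"])
    return dict(merged)


def corroborated(correlated):
    """Keys observed by both sensors: the multi-sensor evidence the goal
    describes as more effective than either trace alone."""
    return sorted(k for k, e in correlated.items()
                  if e["honeypot_hits"] and e["nids_hits"])


def snort_rule(key, sid):
    """Write a minimal Snort rule from a correlated key (sid is a placeholder)."""
    src_ip, dst_port, proto, _bucket = key
    return (f"alert {proto} {src_ip} any -> $HOME_NET {dst_port} "
            f'(msg:"Correlated honeypot/NIDS activity"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    table = correlate(HONEYPOT, NIDS)
    print(f"{len(HONEYPOT) + len(NIDS)} raw records -> {len(table)} correlated entries")
    for key in corroborated(table):
        print(key, table[key])
        print(snort_rule(key, 9000001))
```

With the constructed input, six raw records collapse to three correlated entries, and only the SSH activity from 203.0.113.7 is corroborated by both sensors; the two honeypot credential pairs survive on that single entry instead of being repeated per alert. The window size is the main tuning knob: too small and clock skew between sensors splits one event into two keys, too large and unrelated activity from the same source is merged.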


Project log

Samuel Omaji
added a research item
To learn more about attack patterns and attacker behaviour, electronic baits such as network resources, computers, routers and switches deployed to be probed, attacked and compromised are used in the area of information technology (IT) security under the name honeypot. These electronic baits lure in attackers and help in the assessment of vulnerability. Gathering intrusion evidence from data scattered throughout the network, then analysing and investigating it, is a time-consuming and error-prone process and remains a fundamental issue for network forensics investigators. In the world of network forensics, correlation measures how two sets of intrusion evidence data move in relation to each other, and also when two sets of data are strongly linked together. In this research, we propose a methodology for correlAting intruSion Evidence fRom hoNEypot and neTwork (ASERNET). With this real-time evidence correlation, electronic feeds will be provided to organizations for protecting their resources. Further, this information will also be useful for investigating a particular intrusion. The experiment is carried out in six important phases, and the correlated evidence is validated automatically against numerous antivirus engines in order to avoid false positives. The research results also show that the extraction of Intrusion Detection System (IDS) rules is feasible using data mining techniques, in particular decision trees, and we present this as additional work.
Samuel Omaji
added 3 research items
Location-aware devices are used extensively in many networking systems such as car navigation and IP traceback; the collected spatio-temporal data capture the detected movement information of the tagged objects, offering tremendous opportunities for data mining of useful knowledge.
This paper provides an automated way of correlAting intruSion Evidence fRom hoNEypot and neTwork (ASERNET). With this evidence, electronic feeds can be provided to organizations for protecting their resources.
Network forensics has emerged as an important procedure for collecting, analyzing, reporting, and documenting critical situations that require real-time investigation of network attacks and evidence acquisition for decision-making processes. Investigating network attacks is a contemporary challenging issue. A vital number of network attacks have been identified against numerous security tools and techniques in recent times. Finding the best option among feasible alternatives of network attacks, rating and prioritizing them for further investigation remains a fundamental issue for network forensics investigators. The nature of prioritizing network attacks and risk selection can be treated as a multiple criteria decision making (MCDM) problem. This paper proposes the technique for order preference by similarity to ideal solution (TOPSIS) method under a fuzzy environment for network forensics to address the MCDM problem. A set of predefined parameterized fuzzy triangular linguistic terms is used to evaluate the weights of the various criteria and the ratings of each alternative network attack. With this, the presented alternative network attacks can be prioritized according to the Decision Makers' (DMs) preference. Experimental examples are presented to determine the computational efficiency and feasibility of the proposed fuzzy TOPSIS method. To achieve the trustworthiness of the prioritized network attacks, we combine attack alternatives through the degree of belief derived from independent elements of attack using Dempster-Shafer theory.
Samuel Omaji
added a project goal