Traffic analysis consists of capturing network traffic in order to identify and respond to anomalies that could indicate security threats or other areas of concern. Communication, network, and technological infrastructures are expanding at a rapid pace and are increasingly complex. Moreover, the global community treats interconnectedness as routine, resulting in an extraordinary production of data. In the event of a cyber attack, the capacity to capture network traffic for analysis is critical to the success of a forensic investigation. Zhou, Yan, Fu, and Yao (2018) determined that the attributes displayed on the slide depict the relevance of capturing network traffic for subsequent analysis. As an analyst, it is important to have the correct tools for the task at hand; however, if the nucleus is the data, and the rate, type, source, destination, and other traffic factors cannot be determined, then you are still ill-equipped. Capturing network data for investigative purposes is necessary not only to initiate investigations but also to document lessons learned that improve present infrastructure operations. For it to be value-added, however, packets must be captured.
The information in a network is volatile and dynamic, so precious evidence might be missed. Real-world situations need a quick classification decision before the flow finishes, especially for security and network forensic purposes. Therefore, monitoring network traffic requires real-time and continuous analysis in order to collect valuable evidence, such as transient evidence that might be missed by post-mortem analysis (dead forensics). Network traffic classification is considered the first line of defence, where malicious activity can be filtered, identified, and detected. In addition, it is the core component of evidence collection and analysis that uses filtered evidence and helps to reduce redundancy. However, most existing approaches to collecting evidence from networks are based on post-mortem analysis. Therefore, this research investigates different classification techniques using Machine Learning (ML) algorithms, seeking to identify ways to improve classification methods from a forensic investigator's standpoint.
IEEE Transactions on Information Forensics and Security
The manual forensics investigation of security incidents is an opaque process that involves the collection and correlation of diverse evidence. In this work we conduct a complex experiment to expand our understanding of forensics analysis processes. During a period of four weeks we systematically investigated 200 detected security incidents about compromised hosts within a large operational network. We used data from four commonly-used security sources, namely Snort alerts, reconnaissance and vulnerability scanners, blacklists, and a search engine, to manually investigate these incidents. Based on our experiment, we first evaluate the (complementary) utility of the four security data sources and surprisingly find that the search engine provided useful evidence for diagnosing many more incidents than more traditional security sources, i.e., blacklists, reconnaissance and vulnerability reports. Based on our validation, we then identify and make available a list of 138 good Snort signatures, i.e., signatures that were effective in identifying validated malware without producing false positives. In addition, we compare the characteristics of good and regular signatures and highlight a number of differences. For example, we observe that good signatures check on average 2.14 times more bytes and 2.3 times more fields than regular signatures. Our analysis of Snort signatures is essential not only for configuring Snort, but also for establishing best practices and for teaching how to write new IDS signatures.
With the wide reach of the internet, cybercrime attacks against networked systems have increased and raised the importance of network security. More and more cyber threats confront organizations. Malicious threats within an enterprise make use of the network for industrial spying. It is important to examine the data in the context of the packets being transmitted across the network in order to recognize a suspect's behaviour. Network administrators must be able to analyze and examine network traffic to understand how events occur and to execute immediate reactions in case of an unexpected attack. Network forensics is like a camera for monitoring, correlating, checking, and investigating network traffic for different objectives, such as the gathering of information, forensic evidence, or intrusion detection (IDS). This paper proposes a network forensics analysis framework to identify malicious threats in network traffic using Wireshark and to generate alerts using Snort. An algorithm is proposed to find the attack intentions. Wireshark is used to diagnose the protocols in the network and to identify network-based attacks such as port scanning, TCP-based attacks, and HTTP-based attacks. Snort is used to detect network-based attacks using a set of rules, and all activities in the network traffic recorded by Snort are stored in a log file.
From work on the EPSRC-funded Cyberprofiling project, the authors have proposed an algorithmic approach to profiling of illicit activity online. The model is informed by profiling methodologies from criminal and geographic profiling of offenders. A useful basic dataset has been considered, along with how that data may be collected. The collection of data from existing and new sources is outlined. The need for large-scale network monitoring to create a data corpus that provides useful results is highlighted. The initial work on the project examined the available technology for network data monitoring and evaluated various forms of network "honeypot" which permitted the non-invasive generation of network abuse traffic data. The technical issues of implementing a set of such network monitoring instruments are also discussed. It is well known and understood, in the network communications industries, that routine monitoring of network usage can provide information necessary to ...
Journal of King Saud University - Computer and Information Sciences
Applied Sciences
The increased interest in secure and reliable communications has turned the analysis of network traffic data into a predominant topic. A high number of research papers propose methods to classify traffic, detect anomalies, or identify attacks. Although the goals and methodologies are commonly similar, we lack initiatives to categorize the data, methods, and findings systematically. In this paper, we present Network Traffic Analysis Research Curation (NTARC), a data model to store key information about network traffic analysis research. We additionally use NTARC to perform a critical review of the research conducted in the field over the last two decades. The collection of descriptive research summaries enables the easy retrieval of relevant information and a better reuse of past studies through the application of quantitative analysis. Among other benefits, it enables the critical review of methodologies, the detection of common flaws, the obtaining of baselines, and the consolidation of best...
The 16th International Conference on Availability, Reliability and Security
The paper discusses means to identify potential impacts of data flows on customers' security and privacy during online payments. The main objectives of our research are to look into the evolution of new cybercrime trends in online payments and their detection, more precisely the usage of mobile phones, and to describe methodologies for digital trace identification in data flows for potential online payment fraud. The paper aims to identify potential actions for identity theft while conducting the Reconnaissance step of the kill chain, and to document a forensic methodology for guidance and further data collection for law enforcement bodies. Moreover, a secondary objective of the paper is to identify, from a user's perspective, transparency issues of data sharing among the parties involved in online payments. We thus declare the transparency analysis as the incident triggering a forensic examination. Hence, we devise a semi-automated traffic analysis approach, based on previous work, to examine data flows and data exchanged among parties in online payments. For this, the main steps are segmenting the traffic generated by the payment process and other sources, and subsequently identifying the data streams in the process. We conduct three tests which include three different payment gateways: PayPal, Klarna-sofort, and Amazon Pay. The experiment setup requires circumventing TLS encryption for the correct identification of forensic data types in TCP/IP traffic and potential data leaks. However, it requires no extensive expertise in mobile security for its installation. In the results, we identified some important security vulnerabilities in some payment APIs that pose financial and privacy risks to the marketplace's customers. CCS CONCEPTS • Applied computing → Evidence collection, storage and analysis; Network forensics; • Security and privacy → Economics of security and privacy. This work is licensed under a Creative Commons Attribution International 4.0 License.
2007
"The foundation of the history that is being built is always the history that was destroyed" (Andrea Carandini, Historias en la tierra, 1997, 257). The colloquium Villa 2. Ciudades y campo en la Tarraconense y en al-Andalus (ss. VI-XI): la transición, coordinated by Philippe Sénac, was conceived around the historical problem of the transition in the north-eastern region of the Iberian Peninsula (the lands of the Tarraconensis that became the Upper March) and the bordering territories of southern Gaul in the Early Middle Ages. This setting is necessarily diverse and far removed from the one in which I have been developing my work, the south-east of Carthaginensis, which in our case became the Cora of Tudmīr, although my experience in another region peripheral to the Cordoban state might serve as a counterpoint in the discussion.