Network forensics supports capabilities such as attacker identification and attack reconstruction, which complement traditional intrusion detection and perimeter defense techniques in building a robust security mechanism. Attacker identification pinpoints attack origin to deter future attackers, while attack reconstruction reveals attack causality and network vulnerabilities. In this work, we discuss the problem and feasibility of back tracking the origin of a self-propagating stealthy attack when given a network traffic trace for a sufficiently long period of time. We propose a network forensics mechanism that is scalable in computation time and space while maintaining high accuracy in attack origin identification. We further develop a data reduction method to filter out attack irrelevant data and only retain evidence relevant to potential attacks for post-mortem investigation. Using real-world trace driven experiments, we evaluate the performance of the proposed mechanism and show that we can trim down up to 97% attack-irrelevant network traffic and successfully identify attack origin.
Schematic representation of scalable network forensics mechanism.