NETWORK FORENSIC FRAMEWORK FOR MANAGING SECURITY INCIDENTS
Abstract
Network forensics is the science of determining and retrieving evidential information about a crime in a computer networked environment in such a way as to make it admissible. The established computer forensics field lays a strong foundation for network forensics, as standard security frameworks, tools and techniques are already in place for the detection, collection, preservation and presentation phases of evidence handling. However, little has been done to address the challenges in the examination, analysis and investigation phases. The challenges identified in these phases were identification and correlation, multi-data fusion, and trace back and attribution to the source of an incident. The study objectives were to investigate, develop and evaluate a network forensic framework that addresses the challenges in the examination, analysis and investigation phases. The research methodologies were an interrogative literature review, a quantitative approach, and evaluation of a prototype implementation against datasets. The techniques proposed for the examination phase were identification and correlation. Identification exposed the attempts made to compromise a system and assisted in reconstructing the intruded information; correlation validated the particular intrusion and guided the decision on whether to proceed with the investigation. These techniques confirmed the DDoS, port scan and XSS attacks present in the datasets. The techniques proposed for the analysis phase were a combination of multi-data fusion of security sensors and an integration algorithm. The sensors relayed alerts on attacked network events as evidence, which was subjected to confusion matrix and FAR metrics to validate its accuracy. The algorithm reduced the evidence file size from 100% to 92.96%, saving 7.04% of system storage capacity. The techniques proposed for the investigation phase were trace back and attribution based on ASDPM, DIRM and a marking algorithm. These resulted in marking and logging of attack packets, or a hybrid of both, towards the particular source of the attack, and recorded accurate attached evidence based on evaluation metrics set by the ISP.
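The analysis-phase claim above, that fused sensor alerts are validated with a confusion matrix and a FAR metric, is illustrated by the following added example. It is not the thesis's own prototype code and does not implement its integration algorithm, ASDPM or DIRM; it is a generic multi-sensor alert fusion step followed by a confusion-matrix evaluation, with FAR read here as false alarm rate (FP / (FP + TN)). The sensor names, alert records and ground-truth table are constructed, and the time window and the corroboration threshold are assumptions chosen for the example.

```python
"""Added example: fuse alerts from several sensors on (src, dst, signature),
then score the fused evidence against labelled ground truth with a
confusion matrix, detection rate and false alarm rate (FAR).
Not code from the thesis; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str   # hypothetical sensor that raised the alert
    ts: int       # constructed timestamp, seconds
    src: str      # attacker address as reported
    dst: str      # victim address
    sig: str      # attack class the sensor assigns


# Constructed alerts from three hypothetical sensors (nids, netflow, waf).
ALERTS = [
    Alert("nids",    100, "10.0.0.5", "10.0.1.2", "portscan"),
    Alert("netflow", 103, "10.0.0.5", "10.0.1.2", "portscan"),
    Alert("nids",    200, "10.0.0.9", "10.0.1.2", "xss"),
    Alert("waf",     201, "10.0.0.9", "10.0.1.2", "xss"),
    Alert("netflow", 300, "10.0.0.7", "10.0.1.2", "ddos"),      # one sensor only
    Alert("nids",    400, "10.0.0.3", "10.0.1.2", "portscan"),  # benign admin scan
    Alert("nids",    500, "10.0.0.8", "10.0.1.2", "ddos"),
    Alert("netflow", 502, "10.0.0.8", "10.0.1.2", "ddos"),
    Alert("waf",     900, "10.0.0.8", "10.0.1.2", "ddos"),      # too late to corroborate
]

# Constructed ground truth, one row per labelled (src, dst, sig) event:
# True = real attack, False = benign activity.
GROUND_TRUTH = {
    ("10.0.0.5", "10.0.1.2", "portscan"): True,
    ("10.0.0.9", "10.0.1.2", "xss"): True,
    ("10.0.0.7", "10.0.1.2", "ddos"): True,
    ("10.0.0.3", "10.0.1.2", "portscan"): False,
    ("10.0.0.8", "10.0.1.2", "ddos"): True,
    ("10.0.0.4", "10.0.1.2", "xss"): True,       # missed by every sensor
    ("10.0.0.6", "10.0.1.2", "portscan"): False,  # benign, never alerted on
}


def fuse(alerts, window=30):
    """Group alerts by (src, dst, sig) and return, per key, the set of
    distinct sensors that fired within `window` seconds of the first alert.
    Alerts outside the window are treated as a separate, uncorroborated event."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.src, a.dst, a.sig)].append(a)
    fused = {}
    for key, grp in groups.items():
        grp.sort(key=lambda a: a.ts)
        t0 = grp[0].ts
        fused[key] = {a.sensor for a in grp if a.ts - t0 <= window}
    return fused


def evaluate(fused, truth, min_sensors):
    """Build the confusion matrix over the labelled events. An event is
    predicted positive when at least `min_sensors` distinct sensors
    corroborate it. FAR = FP / (FP + TN); detection rate = TP / (TP + FN)."""
    tp = fp = tn = fn = 0
    for key, is_attack in truth.items():
        predicted = len(fused.get(key, set())) >= min_sensors
        if predicted and is_attack:
            tp += 1
        elif predicted and not is_attack:
            fp += 1
        elif not predicted and is_attack:
            fn += 1
        else:
            tn += 1
    far = fp / (fp + tn) if (fp + tn) else 0.0
    detection_rate = tp / (tp + fn) if (tp + fn) else 0.0
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn,
            "far": far, "detection_rate": detection_rate}


if __name__ == "__main__":
    fused = fuse(ALERTS)
    for k in (1, 2):
        print(f"min_sensors={k}:", evaluate(fused, GROUND_TRUTH, k))
```

Raising the corroboration threshold from one sensor to two drives the FAR on this constructed data from 0.5 to 0.0 but also drops the detection rate from 0.8 to 0.6, because the single-sensor DDoS event is no longer counted; the two metrics have to be reported together when the accuracy of fused evidence is being argued for admissibility.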