Network forensics is the monitoring and analysis of computer network traffic for information gathering, legal evidence or intrusion detection. The network forensic analysis process comprises preparation, collection, preservation, examination, analysis, investigation and presentation phases; the proposed system addresses the major challenges of the collection, examination and analysis phases. The model collects network data, identifies suspicious packets, examines which protocol features have been misused, and validates the attack. It has been built with specific reference to attacks on ICMP: only the traffic marked as suspicious is retained for the forensic expert, which reduces storage cost and speeds the analysis of high-bandwidth traffic. ICMP attacks initiated by worms can be detected with this system. Because worms spread at rates that effectively preclude human-directed reaction, they have become a first-class threat to distributed systems, and worm detection is now a vital part of intrusion detection systems. A reaction mechanism that seeks to automatically patch vulnerable software is also proposed. It employs a collection of sensors that detect and capture potential worm infection vectors, and the forensic architecture efficiently reduces the size of the log files those sensors generate. The mechanism then automatically tests the effects of the captured vectors on appropriately instrumented, sandboxed instances of the targeted application, trying to identify the exploited software weakness. © 2011 Springer-Verlag.
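The abstract describes a pipeline that collects ICMP traffic, marks suspicious packets and keeps only the marked ones for the analyst. The following Python is an added illustration of that pipeline and is not code from the paper: it parses raw IPv4/ICMP packets, verifies the ICMP checksum, applies a few misuse heuristics (corrupted checksum, unassigned type, redirect from an unexpected host, oversized echo payload, one source probing many hosts as a worm scan would) and discards everything that is not marked. The thresholds `MAX_ECHO_DATA` and `SCAN_FANOUT`, the `KNOWN_TYPES` set, the heuristics themselves and the sample capture are all constructed assumptions, not rules or data from the paper.

```python
"""Parse raw IPv4/ICMP packets, verify ICMP checksums, mark packets that
misuse the protocol, and keep only the marked ones for the analyst.
Heuristics, thresholds and sample packets are constructed for this
illustration; none of them are taken from the paper."""
import socket
import struct
from collections import defaultdict

# Illustrative thresholds (assumptions, not values from the paper).
MAX_ECHO_DATA = 64   # bytes of echo data; ping normally sends 32 or 56
SCAN_FANOUT = 5      # distinct hosts probed by one source in the capture
# Commonly seen ICMPv4 types (assumption); anything else is marked for review.
KNOWN_TYPES = {0, 3, 5, 8, 11, 12, 13, 14}
ECHO_REQUEST, REDIRECT = 8, 5


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, icmp_type, code, body, corrupt=False):
    """Construct a minimal IPv4 packet carrying one ICMP message (sample data).
    `body` is everything after the 4-byte type/code/checksum header.
    The IPv4 header checksum is left zero; only the ICMP checksum is verified."""
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    if corrupt:
        csum ^= 0x1234  # deliberately wrong checksum for the sample capture
    icmp = struct.pack("!BBH", icmp_type, code, csum) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


def echo_body(ident, seq, data_len):
    """Echo request/reply body: identifier, sequence number, then zero data."""
    return struct.pack("!HH", ident, seq) + bytes(data_len)


def parse_icmp(pkt: bytes) -> dict:
    """Extract the fields the examination step needs from one raw packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    icmp_type, code, stored = struct.unpack("!BBH", icmp[:4])
    recomputed = icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "type": icmp_type,
        "code": code,
        "checksum_ok": stored == recomputed,
        # echo messages carry a 4-byte id/seq field before the data
        "data_len": len(icmp) - (8 if icmp_type in (0, 8) else 4),
    }


def mark_suspicious(raw_packets):
    """Examine every packet and attach the reasons it looks like misuse.
    Per-packet checks come first; the fan-out check needs the whole capture."""
    records = [parse_icmp(p) for p in raw_packets]
    targets = defaultdict(set)
    for r in records:
        if r["type"] == ECHO_REQUEST:
            targets[r["src"]].add(r["dst"])
    for r in records:
        reasons = []
        if not r["checksum_ok"]:
            reasons.append("bad-checksum")
        if r["type"] not in KNOWN_TYPES:
            reasons.append("unknown-type")
        if r["type"] == REDIRECT:
            reasons.append("redirect")
        if r["type"] == ECHO_REQUEST and r["data_len"] > MAX_ECHO_DATA:
            reasons.append("oversized-echo")
        if r["type"] == ECHO_REQUEST and len(targets[r["src"]]) >= SCAN_FANOUT:
            reasons.append("scan-fanout")
        r["reasons"] = reasons
    return records


def reduce_log(raw_packets):
    """Collection-side filter: keep only marked packets for storage and analysis."""
    return [r for r in mark_suspicious(raw_packets) if r["reasons"]]


# Constructed sample capture (not real traffic): 15 packets, 9 of them suspicious.
SAMPLE_CAPTURE = (
    [build_packet("10.0.0.5", "10.0.0.1", 8, 0, echo_body(1, s, 56)) for s in range(3)]
    + [build_packet("10.0.0.1", "10.0.0.5", 0, 0, echo_body(1, s, 56)) for s in range(3)]
    + [build_packet("10.0.0.7", "10.0.0.9", 8, 0, echo_body(2, 1, 1000))]          # oversized
    + [build_packet("10.0.0.8", "10.0.0.1", 8, 0, echo_body(3, 1, 56), corrupt=True)]
    + [build_packet("10.0.0.66", "10.0.0.5", 5, 1, bytes(4) + bytes(28))]           # redirect
    + [build_packet("10.0.0.23", f"10.0.0.{100 + i}", 8, 0, echo_body(4, i, 32)) for i in range(5)]
    + [build_packet("10.0.0.42", "10.0.0.1", 200, 0, bytes(4))]                     # unassigned type
)

if __name__ == "__main__":
    kept = reduce_log(SAMPLE_CAPTURE)
    print(f"{len(kept)} of {len(SAMPLE_CAPTURE)} packets marked for analysis")
    for r in kept:
        print(r["src"], "->", r["dst"], "type", r["type"], r["reasons"])
```

The fan-out check is the one that cannot be done per packet: a single echo request from `10.0.0.23` looks benign on its own, and only the set of distinct targets across the capture reveals the scan. Running the filter at collection time is what buys the storage reduction the abstract talks about, at the price that anything the heuristics miss is never stored, so thresholds like these need tuning against the monitored network's normal traffic.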
Conference Code: 85619
K. S. Aathira and T. N. Kutty, "Defense strategy against network worms causing ICMP attacks and its forensic analysis", Communications in Computer and Information Science, vol. 196 CCIS, pp. 23-34, 2011.