Network Forensic System for ICMP Attacks

Abstract: Network forensics is capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. This paper addresses the major challenges in collection, examination and analysis processes. We propose a model for collecting network data, identifying suspicious packets, examining protocol features misused and validating the attack. This model has been built with specific reference to security attacks on ICMP protocol. The packet capture file is analyzed for… Show more

“…Such packets are marked as suspicious and are kept separate. This helps in reducing the amount of data that needs to be analysed, as the main focus will be on the marked packets [10]. This action needs to occur in parallel with the protocol decoding and packet extraction actions.…”

“…Based on the marked packets, the evidence can be classified in order of relevancy. Evidence with most suspicious packets will be prioritised in the analysis phase and so reduce the data to be analysed [10]. It should be noted that analysis of the prioritised evidence may eventually lead to a need to analyse evidence that has not been prioritised.…”

“…If the evidence has been transported through physical storage media, it has to be stored according to how it is presented in [10]. If evidence is stored online, the environment needs to be secure with highly restricted remote access.…”

“…There are efforts by other researchers [8][9][10] aimed at standardising network forensic procedures but they leave a lot to be desired. In the next section we present a harmonised digital forensic process on which the procedures proposed in this paper are based.…”

“…This action involves extraction of IP and ICMP attributes from IP packets [10] and their storing in a database. The attributes may be helpful in the analysis phases for easier identification of IP addresses that were involved in a communication.…”

Guidelines for procedures of a harmonised digital forensic process in network forensics

“…Such packets are marked as suspicious and are kept separate. This helps in reducing the amount of data that needs to be analysed, as the main focus will be on the marked packets [10]. This action needs to occur in parallel with the protocol decoding and packet extraction actions.…”

“…Based on the marked packets, the evidence can be classified in order of relevancy. Evidence with most suspicious packets will be prioritised in the analysis phase and so reduce the data to be analysed [10]. It should be noted that analysis of the prioritised evidence may eventually lead to a need to analyse evidence that has not been prioritised.…”

“…If the evidence has been transported through physical storage media, it has to be stored according to how it is presented in [10]. If evidence is stored online, the environment needs to be secure with highly restricted remote access.…”

“…There are efforts by other researchers [8][9][10] aimed at standardising network forensic procedures but they leave a lot to be desired. In the next section we present a harmonised digital forensic process on which the procedures proposed in this paper are based.…”

“…This action involves extraction of IP and ICMP attributes from IP packets [10] and their storing in a database. The attributes may be helpful in the analysis phases for easier identification of IP addresses that were involved in a communication.…”

Guidelines for procedures of a harmonised digital forensic process in network forensics

Defense Strategy against Network Worms Causing ICMP Attacks and Its Forensic Analysis

A study on Automated Cyberattacks Detection and Visualization