Digesting Network Traffic for Forensic Investigation Using Digital Signal Processing Techniques

10/04/2019
by S. Mohammad Hosseini, et al.

One of the most important practices in cybercrime investigation is searching a network traffic history for an excerpt of traffic, such as information leaked from an organization or a worm signature. In post-mortem investigations, criminals and targets are detected by attributing the excerpt to the payloads of traffic flows. Since it is impossible to store the full volume of data that a long-term traffic history represents, payload attribution systems (PAS) that store only a compact digest of the traffic using Bloom filters have been presented in the literature. In these systems, querying the stored digest for an excerpt yields a small set of suspects rather than definite criminals. In this paper, we present a different PAS, based on simple and widespread digital signal processing techniques. Our traffic digesting scheme is inspired by DSP-based compression algorithms. The proposed payload attribution system, named DSPAS, not only achieves a low false positive rate but also outperforms previous schemes on wildcard queries, which are essential for complex excerpts such as the signatures of polymorphic worms. Our theoretical analysis and practical evaluations show that DSPAS yields a significantly lower false positive rate and a lower processing time for wildcard queries than previous work. Moreover, our PAS can prevent a malicious insider from evading it, thanks to its ability to find strings similar to a queried excerpt.
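As an added illustration that is not part of the paper (whose DSPAS construction is not given in the abstract), the following is the Bloom-filter payload attribution baseline the abstract contrasts against: every (flow id, payload n-gram) pair is hashed into one bit array and the raw payload is discarded, and querying an excerpt returns the flows whose digest contains all of the excerpt's n-grams, a suspect list in which any hit may be a false positive. The flow identifiers, payloads and parameter choices (8-byte n-grams, a 64 Kbit filter with 4 hash positions) are constructed assumptions.

```python
import hashlib

class BloomFilter:
    """Minimal Bloom filter: k bit positions per item derived from SHA-256."""
    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)
    def _positions(self, item: bytes):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m
    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

class PayloadDigest:
    """Keeps (flow id, n-gram) pairs in one Bloom filter; raw payloads are discarded."""
    def __init__(self, n: int = 8, m_bits: int = 1 << 16, k: int = 4):
        self.n, self.bf, self.flow_ids = n, BloomFilter(m_bits, k), []
    def _grams(self, data: bytes) -> set:
        return {data[i:i + self.n] for i in range(len(data) - self.n + 1)}
    def digest(self, flow_id: str, payload: bytes) -> None:
        self.flow_ids.append(flow_id)
        for g in self._grams(payload):
            self.bf.add(flow_id.encode() + b"|" + g)
    def attribute(self, excerpt: bytes) -> list:
        """Flows whose digest holds every n-gram of the excerpt: a suspect list,
        not proof, since any single Bloom lookup can be a false positive."""
        if len(excerpt) < self.n:
            raise ValueError("excerpt shorter than the n-gram size")
        grams = self._grams(excerpt)
        return [f for f in self.flow_ids
                if all(f.encode() + b"|" + g in self.bf for g in grams)]

# Constructed sample flows (hypothetical, not real captures); the first one carries the leak.
FLOWS = {
    "10.0.0.5:52311->203.0.113.9:443":
        b"POST /upload HTTP/1.1\r\n\r\nProject Falcon budget: CONFIDENTIAL Q3 figures",
    "10.0.0.7:40012->198.51.100.2:80": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n",
    "10.0.0.9:55555->192.0.2.17:25": b"MAIL FROM:<alice@example.com>\r\nRCPT TO:<bob@example.com>\r\n",
}

def build_and_query(excerpt: bytes) -> list:
    """Digest every flow, then return the suspect flows for one excerpt."""
    pas = PayloadDigest()
    for fid, payload in FLOWS.items():
        pas.digest(fid, payload)
    return pas.attribute(excerpt)
```

With a filter this lightly loaded the false positive rate is negligible, so the suspect list equals the true source; a filter sized for a long traffic history fills up and the list grows, which is the precision problem the abstract addresses. Wildcard excerpts cannot be looked up directly here, since every n-gram covering the wildcard would have to be expanded and queried separately.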
