DocumentCode
494915
Title
Scalable Long-term Network Forensics for Epidemic Attacks
Author
Chen, Li Ming ; Chen, Meng Chang ; Sun, Yeali S. ; Hsiao, Shun-Wen ; Sekar, Vyas ; Zhang, Hui
Author_Institution
Inst. of Inf. Sci., Acad. Sinica, Taipei, Taiwan
fYear
2009
fDate
24-26 June 2009
Firstpage
1
Lastpage
6
Abstract
Network forensics supports capabilities such as attacker identification and attack reconstruction, which complement traditional intrusion detection and perimeter defense techniques in building a robust security mechanism. Attacker identification pinpoints the attack origin to deter future attackers, and attack reconstruction can reveal attack causality and network vulnerabilities. In this paper, we study the problem of investigating the origin of stealthy epidemic attacks, which may have a long lifespan. We propose a network forensics mechanism that is scalable in time and space while maintaining high accuracy in attack origin identification. We propose a data reduction method to filter out irrelevant data and retain only evidence relevant to potential attacks for postmortem investigation. Using real trace-driven experiments, we evaluate the performance of the proposed mechanism and show that it achieves low false positive and false negative rates in data reduction and supports high scalability and accuracy in long-term network forensics.
Keywords
security of data; attacker identification; data reduction method; intrusion detection; network forensics mechanism; perimeter defense techniques; postmortem investigation; robust security mechanism; scalable long-term network forensics; stealthy epidemic attacks; Filters; Forensics; Information management; Information science; Internet; Intrusion detection; Performance analysis; Scalability; Sun; Telecommunication traffic;
fLanguage
English
Publisher
ieee
Conference_Titel
Network and Service Security, 2009. N2S '09. International Conference on
Conference_Location
Paris
Print_ISBN
978-2-9532-4431-1
Type
conf
Filename
5161672