A Network Forensic Framework for Port Scan Attack based on Efficient Packet Capturing

2019 VOLUME-8 ISSUE-10, AUGUST 2019, REGULAR ISSUE  
In the last two decades networks have become larger in scale, more complex in structure and more diversified in traffic, generating huge numbers of network packets (TCP, UDP, HTTP, etc.). Log files are the repository for captured packets and play a vital role in investigation. However, a significant and obvious limitation of current packet logging is that data storage volume grows rapidly depending on factors such as network bandwidth and the number of points in the network that need to be tapped. The forensic investigator needs to back up these recorded data to free up recording media and to preserve the data for future analysis. The objective of the proposed work is to build a network forensics framework that precisely scrutinizes only the relevant packets. In this work, a network forensic framework is developed for port scanning attacks to mitigate the evidence gathering challenges faced by forensic investigators. It captures and processes only the fine-grained evidence present in the network traffic stream. Moreover, in the captured relevant log, attack-specific discovery is carried out to mine the exact packets used to execute the network attack. Hypotheses are developed to validate each machine against attack-specific criteria; only those machines that fulfil the criteria are scrutinized further. To test and validate the effectiveness of the proposed framework two scenarios have been developed. It is observed that the developed system precisely scrutinizes the attack patterns and that the log size decreases by about 93.12% and 95.65% in the two scenarios respectively. It is also observed that only 6.09% and 1.93% of total traffic is scrutinized for NULL, FIN and XMAS attacks in scenarios 1 and 2 respectively. Similarly 19.88% and 13.42% of total packets are scrutinized for the TCP Connect and SYN (half open) scanning variants in scenarios 1 and 2 respectively.
doi:10.35940/ijitee.l3850.1081219 fatcat:uhocjpcedvazppmdfeacjsg5ya
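As an added illustration (not the paper's code, and not a reproduction of its framework), the following Python script models the two stages the abstract describes on a constructed packet stream: a relevance filter that keeps only stealth probes and payload-free TCP control packets, followed by per-host hypothesis checks for the NULL, FIN, XMAS, SYN half-open and TCP connect variants. The relevance rule, the flag signatures, the threshold of five ports, the addresses and the traffic mix are all assumptions made for this example, and the log reduction it reports applies only to the constructed stream, not to the paper's two scenarios.

```python
"""Toy port-scan evidence filter with per-host hypothesis checks.
Added illustration; relevance rule, thresholds and sample traffic are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int          # destination port of this packet
    flags: frozenset    # TCP flag names; an empty set is a NULL packet
    payload: int = 0    # payload bytes carried


# Flag combinations that identify the stealth-scan variants named in the abstract.
STEALTH_SCANS = {
    frozenset(): "NULL",
    frozenset({"FIN"}): "FIN",
    frozenset({"FIN", "PSH", "URG"}): "XMAS",
}


def stealth_scan_type(pkt):
    """Return 'NULL', 'FIN' or 'XMAS' for a stealth probe, otherwise None."""
    return STEALTH_SCANS.get(pkt.flags)


def is_relevant(pkt):
    """Relevance rule (assumed): port-scan evidence is found in stealth probes and in
    payload-free control packets (SYN/RST/FIN/ACK); data-bearing packets are not logged."""
    if stealth_scan_type(pkt) is not None:
        return True
    return pkt.payload == 0 and bool(pkt.flags & {"SYN", "RST", "FIN", "ACK"})


def evaluate_hosts(packets, min_ports=5):
    """Per-source hypotheses (min_ports is an assumed tuning value):
    NULL/FIN/XMAS : any probe carrying that flag combination;
    SYN_HALF_OPEN : SYNs to >= min_ports ports never followed by the host's handshake ACK;
    TCP_CONNECT   : handshake completed (SYN, then ACK) to >= min_ports ports and torn
                    down with RST rather than FIN, i.e. connect-and-abort with no session."""
    syn_ports, ack_ports = defaultdict(set), defaultdict(set)
    rst_ports, fin_ports, stealth = defaultdict(set), defaultdict(set), defaultdict(set)
    for p in packets:
        kind = stealth_scan_type(p)
        if kind is not None:
            stealth[p.src].add(kind)
            continue
        if p.flags == {"SYN"}:
            syn_ports[p.src].add(p.dport)
        elif p.flags == {"ACK"} and p.payload == 0:
            ack_ports[p.src].add(p.dport)
        if "RST" in p.flags:
            rst_ports[p.src].add(p.dport)
        if "FIN" in p.flags:
            fin_ports[p.src].add(p.dport)
    verdicts = {}
    for src in set(syn_ports) | set(stealth):
        hyps = set(stealth.get(src, ()))
        probed, acked = syn_ports.get(src, set()), ack_ports.get(src, set())
        if len(probed - acked) >= min_ports:
            hyps.add("SYN_HALF_OPEN")
        aborted = (probed & acked & rst_ports.get(src, set())) - fin_ports.get(src, set())
        if len(aborted) >= min_ports:
            hyps.add("TCP_CONNECT")
        if hyps:
            verdicts[src] = hyps
    return verdicts


def analyse(packets, min_ports=5):
    """Keep only relevant packets, report the log reduction, then run discovery on that log."""
    relevant = [p for p in packets if is_relevant(p)]
    reduction = 100.0 * (len(packets) - len(relevant)) / len(packets)
    return {"total": len(packets), "relevant": len(relevant),
            "reduction_pct": round(reduction, 2),
            "verdicts": evaluate_hosts(relevant, min_ports)}


def build_sample_traffic():
    """Constructed stream: one normal client and three scanners (addresses/ports made up)."""
    F, server, pkts = frozenset, "10.0.0.1", []
    client = "10.0.0.5"  # normal client: three full sessions, 15 data packets each way
    for eph, port in ((40001, 80), (40002, 443), (40003, 8080)):
        pkts += [Packet(client, server, port, F({"SYN"})),
                 Packet(server, client, eph, F({"SYN", "ACK"})),
                 Packet(client, server, port, F({"ACK"}))]
        pkts += [Packet(client, server, port, F({"PSH", "ACK"}), 300) for _ in range(15)]
        pkts += [Packet(server, client, eph, F({"ACK"}), 1400) for _ in range(15)]
        pkts += [Packet(client, server, port, F({"FIN", "ACK"})),
                 Packet(server, client, eph, F({"FIN", "ACK"})),
                 Packet(client, server, port, F({"ACK"}))]
    for port in (21, 22, 23):  # stealth scanner: NULL, FIN and XMAS probes
        pkts += [Packet("10.0.0.66", server, port, flags) for flags in STEALTH_SCANS]
    open_ports = {22, 80, 443}  # half-open scanner: SYN to 8 ports, RST to the 3 that answer
    for port in (21, 22, 23, 25, 80, 110, 143, 443):
        pkts.append(Packet("10.0.0.77", server, port, F({"SYN"})))
        if port in open_ports:
            pkts += [Packet(server, "10.0.0.77", 41000, F({"SYN", "ACK"})),
                     Packet("10.0.0.77", server, port, F({"RST"}))]
        else:
            pkts.append(Packet(server, "10.0.0.77", 41000, F({"RST", "ACK"})))
    for port in (21, 22, 23, 25, 80, 110):  # connect scanner: full handshake, then RST
        pkts += [Packet("10.0.0.88", server, port, F({"SYN"})),
                 Packet(server, "10.0.0.88", 42000, F({"SYN", "ACK"})),
                 Packet("10.0.0.88", server, port, F({"ACK"})),
                 Packet("10.0.0.88", server, port, F({"RST"}))]
    return pkts


def sample_report():
    return analyse(build_sample_traffic())


if __name__ == "__main__":
    print(sample_report())
```

On the constructed stream the filter discards the 90 data packets of the normal sessions and keeps 70 control packets, and discovery on that reduced log flags only the three scanner hosts; the normal client, which completes handshakes and closes with FIN, satisfies none of the hypotheses.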