A scalable network forensics mechanism for stealthy self-propagating attacks

Network forensics supports capabilities such as attacker identification and attack reconstruction, which complement the traditional intrusion detection and perimeter defense techniques in building a robust security mechanism. Attacker identification pinpoints attack origin to deter future attackers, while attack reconstruction reveals attack causality and network vulnerabilities. In this paper, we discuss the problem and feasibility of back tracking the origin of a self-propagating stealth attack when given a network traffic trace for a sufficiently long period of time. We propose a network forensics mechanism that is scalable in computation time and space while maintaining high accuracy in the identification of the attack origin. We further develop a data reduction method to filter out attack-irrelevant data and only retain evidence relevant to potential attacks for a post-mortem investigation. Using real-world trace driven experiments, we evaluate the performance of the proposed mechanism and show that we can trim down up to 97% of attack-irrelevant network traffic and successfully identify attack origin.