Fingerprinting Encrypted Tunnel Endpoints

Izadinia, Vafa Dario

09 June 2005

Operating System fingerprinting is a reconnaissance method used by Whitehats and Blackhats alike. Current techniques for fingerprinting do not take into account tunneling protocols, such as IPSec, SSL/TLS, and SSH, which effectively `wrap` network traffic in a ciphertext mantle, thus potentially rendering passive monitoring ineffectual. Whether encryption makes VPN tunnel endpoints immune to fingerprinting, or yields the encrypted contents of the VPN tunnel entirely indistinguishable, is a topic that has received modest coverage in academic literature. This study addresses these question by targeting two tunnelling protocols: IPSec and SSL/TLS. A new fingerprinting methodology is presented, several fingerprinting discriminants are identified, and test results are set forth, showing that endpoint identities can be uncovered, and that some of the contents of encrypted VPN tunnels can in fact be discerned. / Dissertation (MSc (Computer Science))--University of Pretoria, 2005. / Computer Science / unrestricted

Fingerprinting

Network forensics

Protocol analysis

Ipsec

Ike

UCTD

On the Feasibility of Profiling, Forecasting and Authenticating Internet Usage Based on Privacy Preserving NetFlow Logs

Sarmadi, Soheil

05 November 2018

Understanding Internet user behavior and Internet usage patterns is fundamental in developing future access networks and services that meet technical as well as Internet user needs. User behavior is routinely studied and measured, but with different methods depending on the research discipline of the investigator, and these disciplines rarely cross. We tackle this challenge by developing frameworks that the Internet usage statistics used as the main features in understanding Internet user behaviors, with the purpose of finding a complete picture of the user behavior and working towards a unified analysis methodology. In this dissertation we collected Internet usage statistics via privacy-preserving NetFlow logs of 66 student subjects in a college campus was recorded for a month long period. Once the data is cleaned and split into different groups based on different time windows, we have used Statistical Analysis and we found that Internet usage of each user exhibits statistically-strong correlation with the same user's Internet usage for the same day over multiple weeks while it is statistically different from that of other Internet users. In another attempt we have used Time Series Forecasting in order to forecast future Internet usage based on the previous statistics. Subsequently, using state-of-the-art Machine Learning algorithms, we demonstrate the feasibility of profiling Internet users by looking at their Internet traffic. Specifically, when profiled over a time window of 227-second, subjects can be classified by 93.21% precision accuracy. We conclude that understanding Internet usage behavior is valuable and can help in developing future access networks and services.

Classification

Machine Learning

Network Forensics

Time Series

User Behavior

Computer Engineering

Computer Sciences

Detection and analysis of connection chains in network forensics

Almulhem, Ahmad

06 April 2010

Network forensics is a young member of the bigger family of digital forensics discipline. In particular, it refers to digital forensics in networked environments. It represents an important extension to the model of network security where emphasis is traditionally put on prevention and to a lesser extent on detection. It focuses on the collection, and analysis of network packets and events caused by an intruder for investigative purposes. A key challenge in network forensics is to ensure that the network itself is forensically-ready, by providing an infrastructure to collect and analyze data in real-time. In this thesis, we propose an agent-based network forensics system, which is intended to add real-time network forensics capabilities into a controlled network. We also evaluate the proposed system by deploying and studying it in a real-life environment. Another challenge in network forensics arises because of attackers ability to move around in the network, which results in creating a chain of connections; commonly known as connection chains. In this thesis, we provide an extensive review and taxonomy of connection chains. Then, we propose a novel framework to detect them. The framework adopts a black-box approach by passively monitoring inbound and outbound packets at a host, and analyzing the observed packets using association rule mining. We assess the proposed framework using public network traces, and demonstrate both its efficiency and detection capabilities. We, finally, propose a profiling-based framework to investigate connection chains that are distributed over several ip addresses. The framework utilizes a simple yet extensible hacker model that integrates information about a hacker's linguistic, operating system and time of activity. We establish the effectiveness of the proposed approach through several simulations and an evaluation with real attack data.

Network forensics

Packets

Events

Hackers

Foundational Forensic Techniques for Cellular and Ad Hoc Multi-hop Networks

Zhao, Xiwei

26 March 2008

The Internet has become an integral part of our nation's critical socio-economic infrastructure. With its heightened use and growing complexity however, organizations are at greater risk of cyber crimes. To aid in the investigation of crimes committed on or via the Internet, a network forensics analysis tool pulls together needed digital evidence. It provides a platform for performing deep network analysis by capturing, recording and analyzing network events to find out the source of a security attack or other information security incidents. Existing network forensics work has been mostly focused on the Internet and fixed networks. But the exponential growth and use of wireless technologies, coupled with their unprecedented characteristics, necessitates the development of new network forensic analysis tools. This dissertation fostered the emergence of a new research field in cellular and ad-hoc network forensics. It was one of the first works to identify this problem and offer fundamental techniques and tools that laid the groundwork for future research. In particular, it introduced novel methods to record network incidents and report logged incidents. For recording incidents, location is considered essential to documenting network incidents. However, in network topology spaces, location cannot be measured due to absence of a 'distance metric'. Therefore, a novel solution was proposed to label locations of nodes within network topology spaces, and then to authenticate the identity of nodes in ad hoc environments. For reporting logged incidents, a novel technique based on Distributed Hash Tables (DHT) was adopted. Although the direct use of DHTs for reporting logged incidents would result in an uncontrollably recursive traffic, a new mechanism was introduced that overcome this recursive process. These logging and reporting techniques aided forensics over cellular and ad-hoc networks, which in turn increased their ability to track and trace attacks to their source. These techniques were a starting point for further research and development that would result in equipping future ad hoc networks with forensic components to complement existing security mechanisms.

network security

network forensics

peer to peer

mobile ad hoc network

Zpracování síťové komunikace v distribuovaném prostředí / Distributed Network Traffic Processing

Letavay, Viliam

January 2018

Expansion of computer networks and availability of internet connection enables our society to grow faster then ever before. However, at the same time it opens up a new opportunuties for a cybercrime activities. That's why there is an increasing need of security administrators and law enforcing agencies for existence of a tools to analyze the captured data flows. This master thesis deals with ways of analysis of captured network traffic in a distributed environment, which would allow scaling of available analysis power and therefore adapt to ever increasing volumes of data transmitted over the computer networks.

Prieskum a taxonómia sieťových forenzných nástrojov / Network Forensics Tools Survey and Taxonomy

Zembjaková, Martina

January 2021

Táto diplomová práca sa zaoberá prieskumom a taxonómiou sieťových forenzných nástrojov. Popisuje základné informácie o sieťovej forenznej analýze, vrátane procesných modelov, techník a zdrojov dát používaných pri forenznej analýze. Ďalej práca obsahuje prieskum existujúcich taxonómií sieťových forenzných nástrojov vrátane ich porovnania, na ktorý naväzuje prieskum sieťových forenzných nástrojov. Diskutované sieťové nástroje obsahujú okrem nástrojov spomenutých v prieskume taxonómií aj niektoré ďalšie sieťové nástroje. Následne sú v práci detailne popísané a porovnané datasety, ktoré sú podkladom pre analýzu jednotlivými sieťovými nástrojmi. Podľa získaných informácií z vykonaných prieskumov sú navrhnuté časté prípady použitia a nástroje sú demonštrované v rámci popisu jednotlivých prípadov použitia. Na demonštrovanie nástrojov sú okrem verejne dostupných datasetov použité aj novo vytvorené datasety, ktoré sú detailne popísane vo vlastnej kapitole. Na základe získaných informácií je navrhnutá nová taxonómia, ktorá je založená na prípadoch použitia nástrojov na rozdiel od ostatných taxonómií založených na NFAT a NSM nástrojoch, uživateľskom rozhraní, zachytávaní dát, analýze, či type forenznej analýzy.

Towards Automation in Digital Investigations : Seeking Efficiency in Digital Forensics in Mobile and Cloud Environments

Homem, Irvin

January 2016

Cybercrime and related malicious activity in our increasingly digital world has become more prevalent and sophisticated, evading traditional security mechanisms. Digital forensics has been proposed to help investigate, understand and eventually mitigate such attacks. The practice of digital forensics, however, is still fraught with various challenges. Some of the most prominent of these challenges include the increasing amounts of data and the diversity of digital evidence sources appearing in digital investigations. Mobile devices and cloud infrastructures are an interesting specimen, as they inherently exhibit these challenging circumstances and are becoming more prevalent in digital investigations today. Additionally they embody further characteristics such as large volumes of data from multiple sources, dynamic sharing of resources, limited individual device capabilities and the presence of sensitive data. These combined set of circumstances make digital investigations in mobile and cloud environments particularly challenging. This is not aided by the fact that digital forensics today still involves manual, time consuming tasks within the processes of identifying evidence, performing evidence acquisition and correlating multiple diverse sources of evidence in the analysis phase. Furthermore, industry standard tools developed are largely evidence-oriented, have limited support for evidence integration and only automate certain precursory tasks, such as indexing and text searching. In this study, efficiency, in the form of reducing the time and human labour effort expended, is sought after in digital investigations in highly networked environments through the automation of certain activities in the digital forensic process. To this end requirements are outlined and an architecture designed for an automated system that performs digital forensics in highly networked mobile and cloud environments. Part of the remote evidence acquisition activity of this architecture is built and tested on several mobile devices in terms of speed and reliability. A method for integrating multiple diverse evidence sources in an automated manner, supporting correlation and automated reasoning is developed and tested. Finally the proposed architecture is reviewed and enhancements proposed in order to further automate the architecture by introducing decentralization particularly within the storage and processing functionality. This decentralization also improves machine to machine communication supporting several digital investigation processes enabled by the architecture through harnessing the properties of various peer-to-peer overlays. Remote evidence acquisition helps to improve the efficiency (time and effort involved) in digital investigations by removing the need for proximity to the evidence. Experiments show that a single TCP connection client-server paradigm does not offer the required scalability and reliability for remote evidence acquisition and that a multi-TCP connection paradigm is required. The automated integration, correlation and reasoning on multiple diverse evidence sources demonstrated in the experiments improves speed and reduces the human effort needed in the analysis phase by removing the need for time-consuming manual correlation. Finally, informed by published scientific literature, the proposed enhancements for further decentralizing the Live Evidence Information Aggregator (LEIA) architecture offer a platform for increased machine-to-machine communication thereby enabling automation and reducing the need for manual human intervention.

Computer forensics

network forensics

mobile devices

mobile forensics

cloud computing

semantic web

hypervisors

virtualization

remote acquisition

automation

evidence analysis

correlation

P2P

bittorrent

Computer Sciences

Datavetenskap (datalogi)

Model-Based Autonomic Security Management of Networked Distributed Systems

Chen, Qian

13 December 2014

This research focuses on the development and validation of an autonomic security management (ASM) framework to proactively protect distributed systems (DSs) from a wide range of cyber assaults with little or no human intervention. Multi-dimensional cyber attack taxonomy was developed to characterize cyber attack methods and tactics against both a Web application (Web-app) and an industrial control system (ICS) by accounting for their impacts on a set of system, network, and security features. Based on this taxonomy, a normal region of system performance is constructed, refined, and used to predict and identify abnormal system behavior with the help of forecasting modules and intrusion detection systems (IDS). Protection mechanisms are evaluated and implemented by a multi-criteria analysis controller (MAC) for their efficiency in eliminating and/or mitigating attacks, maintaining normal services, and minimizing operational costs and impacts. Causes and impacts of unknown attacks are first investigated by an ASM framework learning module. Attack signatures are then captured to update IDS detection algorithms and MAC protection mechanisms in near real-time. The ASM approach was validated within Web-app and ICS testbeds demonstrating the effectiveness of the self-protection capability. Experiments were conducted using realworld cyber attack tools and profiles. Experimental results show that DS security behavior is predicted, detected, and eliminated thus validating our original hypothesis concerning the self-protection core capability. One important benefit from the self-protection feature is the cost-effective elimination of malicious requests before they impede, intrude or compromise victim systems. The ASM framework can also be used as a decision support system. This feature is important especially when unknown attack signatures are ambiguous or when responses selected automatically are not efficient or are too risky to mitigate attacks. In this scenario, man-in-the-loop decisions are necessary to provide manual countermeasures and recovery operations. The ASM framework is resilient because its main modules are installed on a master controller virtual machine (MC-VM). This MC-VM is simple to use and configure for various platforms. The MC-VM is protected; thus, even if the internal network is compromised, the MC-VM can still maintain “normal” self-protection services thereby defending the host system from cyber attack on-thely.

Intrusion Mitigation and Response System

Self-Protection

Autonomic Computing

Intrusion Detection/Protection System

Network Forensics

Cyber Attack Taxonomy

Cyber Security

Intrusion Estimation

Security Model-based Validation

Exploring IoT Security Threats and Forensic Challenges: A LiteratureReview and Survey Study

Al Allaf, Abdulrahman, Totonji, Waseem

January 2023

Internet of Things (IoT) devices have increased rapidly in recent years, revolutionizing many industries, including healthcare, manufacturing, and transportation, and bringing benefits to both individuals and industries. However, this increase in IoT device usage has exposed IoT ecosystems to numerous security threats and digital forensic challenges. This thesis investigates the most common IoT security threats and attacks, students’ awareness of them and their mitigation strategies, and the key challenges associated with IoT forensic investigations. A mixed-method approach is adopted in this thesis combining a literature review and a survey study. The survey assesses students’ knowledge of IoT security threats, mitigation techniques, and perceptions of the most effective ways to enhance IoT security. The survey also emphasizes the importance of user training and awareness in mitigating IoT threats, highlighting the most effective strategies, such as stronger regulations and improved device security by manufacturers. The literature review provides a comprehensive overview of the most common IoT security threats and attacks, such as malware, malicious code injection, replay attacks, Man in the Middle (MITM), botnets, and Distributed Denial of Service Attacks (DDoS). The mitigation techniques to these threats are overviewed as well as real-world incidents and crimes, such as the Mirai botnet, St. Jude Medical implant cardiac devices hack, and the Verkada hack, are examined to understand the consequences of these attacks. Moreover, this work also highlights the definition and the process of digital and IoT forensics, the importance of IoT forensics, and different data sources in IoT ecosystems. The key challenges associated with IoT forensics and how they impact the effectiveness of digital investigations in the IoT ecosystem are examined in detail. Overall, the results of this work contribute to ongoing research to improve IoT device security, highlight the importance of increased awareness and user training, and address the challenges associated with IoT forensic investigations.

Internet of Things

IoT security

IoT threats

IoT attacks

Digital forensics

IoT forensic

IoT forensic challenges

Cloud forensics

Network forensics

Computer and Information Sciences

Data- och informationsvetenskap

Exploring the value of computer forensics in the investigation of procurement fraud

Themeli, Aluwani Rufaroh

01 1900

The research problem for this study was that forensic investigators in the Forensic Services (FS) of the City of Tshwane (CoT) are unable to successfully deal with procurement fraud as a result of the lack of knowledge, skills and resources required to conduct computer forensics during the investigation of procurement fraud. This research was conducted to ascertain the value of computer forensics in the investigation of procurement fraud. Further, the study sought to determine how to improve the CoT forensic investigators’ knowledge and competence regarding the application of computer forensics in the investigation of procurement fraud. The purpose of this study was to explore the procedures that should be followed by CoT forensic investigators when conducting computer forensics during the investigation of procurement fraud. The research also aimed to discover new information, not previously known to the researcher, related to computer forensics during the investigation of procurement fraud by exploring national and international literature. In addition, the study explored existing practices so as to use this information to improve the current CoT procedure, within the confines of the legislative requirements. The overall purpose of this study is to provide practical recommendations for best practices, based on the results of the data analysis, which address the problem and enhance the investigative skills of CoT forensic investigators. The study established that it is imperative and compulsory to apply computer forensics in any procurement fraud investigation in order to efficiently track down cyber criminals and solve complicated and complex computer crimes. It was also established that forensic investigators within the FS in the CoT lack the necessary computer skills to optimally investigate procurement fraud. It is therefore recommended that CoT forensic investigators acquire the necessary skills and essential training in computer forensics in order to improve their knowledge and competence regarding the application and understanding of the value of computer forensics in the investigation of procurement fraud. / School of Criminal Justice / M.Tech. (Forensic Investigation)

Forensic investigation

Computer forensics

Procurement fraud

Computer investigation

Red flags

Computer evidence

Network forensics

Kickbacks

Conflict of interest

Bid rigging

363.2596309682275