This is a summary of a research paper published in the International Journal of Digital Evidence.
Network forensics is the study and analysis of network traffic to determine the source of a security violation. Many models and techniques exist for network forensic analysis. This paper focuses on artificial intelligence techniques for offline intrusion analysis, used to maintain and preserve the integrity and confidentiality of the information infrastructure. Two artificial intelligence techniques are usually used: Artificial Neural Networks (ANNs) and Support Vector Machines (SVMs). The paper shows that SVMs are superior to ANNs in the following aspects: SVMs train and run faster than ANNs, SVMs scale much better, and SVMs give higher classification accuracy.
Most current network forensics systems work on the basis of audit trails. Such systems try to detect known patterns, deviations from normal behavior, or security policy violations. They reduce large amounts of data into chunks of important and relevant data. Logs are collected and converted into a meaningful format, which requires large amounts of disk space, CPU resources and human expertise.
In 1998, the DARPA intrusion detection evaluation program classified attack types as follows: probing, denial of service, unauthorized access to local superuser, and unauthorized access from a remote machine.
Support Vector Machines (SVMs) are learning machines that plot the training vectors in a high-dimensional feature space, labeling each vector by its class. SVMs classify data by determining a set of support vectors from a set of training inputs. They provide a generic mechanism to fit the surface of the hyperplane through kernel functions. The user can supply a kernel function, such as polynomial, linear or sigmoid, to the SVM during the training process. Speed is another reason to use SVMs, because real-time performance is very important in intrusion detection systems. Scalability is a further reason to prefer SVMs over ANNs. SVMs are relatively insensitive to the number of data points, and their classification complexity does not depend on the dimensionality of the feature space, so they can potentially learn a larger set of patterns and scale better than ANNs.
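An added example, not code from the paper or from this summary: a minimal kernel SVM that labels connections as normal or attack with a pluggable kernel from the three families named above, trained with the kernelised Pegasos algorithm as a stand-in for a production SVM library. It narrows the task to two classes instead of five; the feature names, value ranges, kernel parameters and sample records are all constructed for illustration.

```python
import math
import random

# Hypothetical per-connection features (assumed, not from the paper):
# (connections to the same host in the last 2 s, fraction of SYN errors).
RANGES = [(0.0, 500.0), (0.0, 1.0)]
# Constructed training records: label +1 = attack, -1 = normal.
TRAIN = [((5, 0.00), -1), ((12, 0.02), -1), ((30, 0.05), -1), ((8, 0.01), -1),
         ((480, 0.95), 1), ((350, 1.00), 1), ((500, 0.90), 1), ((410, 0.85), 1)]

def scale(raw):
    """Map each feature into [-1, 1] so no feature dominates the kernel."""
    return [2 * (v - lo) / (hi - lo) - 1 for v, (lo, hi) in zip(raw, RANGES)]

def dot(a, b):
    return sum(p * q for p, q in zip(a, b))

# The three kernel families named in the text; parameters are illustrative.
KERNELS = {
    "linear": dot,
    "polynomial": lambda a, b: dot(a, b) ** 3,
    "sigmoid": lambda a, b: math.tanh(0.5 * dot(a, b)),
}

def train(samples, kernel, lam=0.1, steps=400, seed=0):
    """Kernelised Pegasos: alpha[j] counts margin violations by sample j."""
    rng = random.Random(seed)
    xs = [scale(raw) for raw, _ in samples]
    ys = [y for _, y in samples]
    alpha = [0] * len(xs)
    for t in range(1, steps + 1):
        i = rng.randrange(len(xs))
        f = sum(a * y * kernel(x, xs[i]) for a, y, x in zip(alpha, ys, xs))
        if ys[i] * f / (lam * t) < 1:  # inside the margin: sample i gains weight
            alpha[i] += 1
    # Only samples with alpha > 0 (the support vectors) are needed to classify.
    return [(a, y, x) for a, y, x in zip(alpha, ys, xs) if a > 0]

def classify(model, kernel, raw):
    """Sign of the kernel-weighted vote of the support vectors."""
    x = scale(raw)
    score = sum(a * y * kernel(sv, x) for a, y, sv in model)
    return "attack" if score > 0 else "normal"

if __name__ == "__main__":
    for name, k in KERNELS.items():
        m = train(TRAIN, k)
        print(name, len(m), classify(m, k, (450, 0.97)), classify(m, k, (20, 0.03)))
```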
Artificial Neural Networks (ANNs) consist of a collection of highly connected processing elements that transform a set of inputs into a set of desired outputs. The result of the transformation is determined by the characteristics of the elements and the weights associated with them. An ANN conducts an analysis of the information on which it is being trained. It gains experience in recognizing inputs and outputs over time.
Based on the study of both models and on different experiments, we conclude and summarize the following results: SVMs outperform ANNs in the important aspects of scalability (ANNs take more time than SVMs as the training input volume increases), training and running time, and prediction accuracy. SVMs easily achieve higher accuracy, around 99%, given all five pattern classes.