This is a summary of a research paper published by the Iran Telecommunication Research Center.
The frequency of cyber-attacks has increased enormously with the spread of technology, and most attacks take place over the network. Network forensics is the discipline used to answer the questions of who, why, when, where and how. Many models and standard procedures already exist, but their reliability drops as the network grows. There is therefore a need for a generic network forensics system architecture for large networks, so that the forensic process is carried out properly.
Existing architectures can be classified as distributed system frameworks, dynamic network frameworks, soft-computing-based frameworks and graph-based frameworks.
NetWitness is an existing framework whose architecture consists of the following subsystems: a network collection subsystem, a data processing subsystem, a data synchronization subsystem, an indexing subsystem and an analysis subsystem. SiLK is an open-source system for processing flow records gathered in binary format; it supports filtering, displaying, sorting, classifying and processing flows, storing statistical data, and labeling flows by port and IP address. SilentRunner is another tool for collecting and analyzing network data; it correlates network traffic with log and alert files, analyzes content and patterns, and supports analysis of a requested security incident.
The proposed network forensics system architecture consists mainly of five components: a network collection and indexing subsystem, an analysis subsystem, a database management subsystem, a SOC (security operations center) communication component, and the database itself.
In the network collection and indexing subsystem, traffic from a network interface, or data from imported files, is received, stored and indexed, and filters are applied so that the data can be used later. Network traffic can be collected in two ways: through SPAN/mirror ports, which copy the traffic of all switch ports to a single port, or through a tap device, which monitors the traffic between any two points in the network. Network filters and parsers are also used at this stage.

In the analysis subsystem, the data stored in the database is analyzed. It consists mainly of an analysis and investigation system, a reporting, alerting and visualization system, and a malware analysis system, each of which is connected to various databases. The reporting and alerting subsystem creates a graphical view of network traffic and protocols; file contents and the different protocols are extracted, shown in the visualization unit, and turned into reports. The malware analysis system thoroughly investigates and analyzes any program that could be the cause of a crime. It consists of four parts: a file signature control unit, a network anomalous behavior detection unit, an automatic sandbox, and a domain knowledge unit.

The database management subsystem must deliver responses to queries as quickly as possible. For example, if the security operations center (SOC) observes anomalous traffic behavior, it sends a request to database management to check whether the same pattern already exists in the database, and database management must reply to the SOC within a very short interval.

The database stores all information, whether original (raw) data or extracted information and evidence. There are two methods of storing the data; the proposed architecture uses cluster storage because of its advantages, namely integration of the stored traffic, reduced setup and maintenance cost, and increased system security.
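The following Python sketch is an added example, not code from the paper or from this post, and illustrates two of the four parts of the malware analysis system named above: the file signature control unit and the network anomalous behavior detection unit. Everything in it is assumed for illustration: the signature store is a plain dictionary of SHA-256 digests, the "files" and flow records are constructed, and "anomalous" is taken to mean either scan-like fan-out (one source probing many ports on one host) or beaconing (regular-interval connections to one destination). The sandbox and domain knowledge units are not shown.

```python
"""Added example (not the paper's code): a toy file signature control unit and
a toy network anomalous behavior detection unit on constructed inputs."""
import hashlib
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed signature list (assumption): SHA-256 hex digest -> label.
# The "sample" is a made-up byte string, not real malware.
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(b"MZ\x90\x00constructed-bad-sample").hexdigest(): "Test.Sample.A",
}


def file_signature_check(data: bytes) -> Tuple[str, Optional[str]]:
    """Signature control unit: hash the program and look it up.
    Returns (digest, label) where label is None if the hash is unknown."""
    digest = hashlib.sha256(data).hexdigest()
    return digest, KNOWN_BAD_SHA256.get(digest)


# Constructed flow records (assumption): (epoch_seconds, src, dst, dport).
SAMPLE_FLOWS: List[Tuple[int, str, str, int]] = (
    # ordinary browsing: a few HTTPS connections, irregular spacing
    [(1000 + i * 7, "10.0.0.8", "203.0.113.9", 443) for i in range(4)]
    # scan-like fan-out: one source hits many ports on one internal host
    + [(2000 + i, "10.0.0.5", "10.0.0.20", p)
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 443, 3389])]
    # beacon: a fixed 60 s interval to one external host and port
    + [(3000 + i * 60, "10.0.0.5", "192.0.2.77", 4444) for i in range(6)]
)


def port_fanout(flows, min_ports: int = 5) -> Dict[Tuple[str, str], int]:
    """Flag (src, dst) pairs where src touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for _, src, dst, dport in flows:
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def beacons(flows, min_hits: int = 5, max_cv: float = 0.1) -> Dict[Tuple[str, str, int], float]:
    """Flag (src, dst, dport) keys whose inter-arrival gaps are nearly constant.
    Regularity is measured as coefficient of variation (stdev / mean) of the gaps."""
    times = defaultdict(list)
    for ts, src, dst, dport in flows:
        times[(src, dst, dport)].append(ts)
    found = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            found[key] = mean
    return found


if __name__ == "__main__":
    print(file_signature_check(b"MZ\x90\x00constructed-bad-sample"))
    print(file_signature_check(b"benign bytes"))
    print("fan-out:", port_fanout(SAMPLE_FLOWS))
    print("beacons:", beacons(SAMPLE_FLOWS))
```

The thresholds (five ports, five hits, 10% jitter) are arbitrary starting points; in a real deployment they would come from the domain knowledge unit and from a baseline of the monitored network rather than from constants in the code.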
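As a second added example (again not the paper's or the post's own code), the sketch below ties together the network collection and indexing subsystem described earlier and the database management subsystem's SOC pattern lookup described just above. The assumptions are mine: flow records are simple tuples (timestamp, source, destination, destination port, protocol, bytes), SQLite with two indexes stands in for the cluster storage, the collection filter is a plain predicate, and a SOC "pattern" is a (destination, port) pair.

```python
"""Added example (not the paper's code): collect and filter constructed flow
records into an indexed SQLite store, then answer a SOC pattern query."""
import sqlite3
from typing import Callable, Dict, Iterable, Tuple

Flow = Tuple[str, str, str, int, str, int]  # ts, src, dst, dport, proto, bytes

# Constructed sample flow records (assumption): not captured traffic.
SAMPLE_FLOWS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "203.0.113.9", 443, "tcp", 5200),
    ("2024-01-01T10:00:05", "10.0.0.5", "203.0.113.9", 443, "tcp", 4100),
    ("2024-01-01T10:00:07", "10.0.0.8", "198.51.100.2", 53, "udp", 120),
    ("2024-01-01T10:01:00", "10.0.0.9", "203.0.113.9", 443, "tcp", 9000),
    ("2024-01-01T10:02:00", "10.0.0.5", "192.0.2.77", 4444, "tcp", 800),
]


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    """Create the flow table and the indexes the later lookups rely on.
    Indexing on the fields the SOC asks about is what keeps reply time short."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE IF NOT EXISTS flows ("
        "ts TEXT, src TEXT, dst TEXT, dport INTEGER, proto TEXT, bytes INTEGER)"
    )
    con.execute("CREATE INDEX IF NOT EXISTS ix_dst ON flows(dst, dport)")
    con.execute("CREATE INDEX IF NOT EXISTS ix_src ON flows(src)")
    return con


def collect(con: sqlite3.Connection, records: Iterable[Flow],
            keep: Callable[[Flow], bool] = lambda r: True) -> int:
    """Collection step: apply a filter predicate and store what passes.
    Returns the number of records stored."""
    rows = [r for r in records if keep(r)]
    con.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?)", rows)
    con.commit()
    return len(rows)


def soc_pattern_lookup(con: sqlite3.Connection, dst: str, dport: int) -> Dict[str, object]:
    """Database-management reply to a SOC request: has this (dst, port) pattern
    been seen, by how many sources, how much traffic, and over what interval?"""
    row = con.execute(
        "SELECT COUNT(*), COUNT(DISTINCT src), COALESCE(SUM(bytes), 0), MIN(ts), MAX(ts) "
        "FROM flows WHERE dst = ? AND dport = ?",
        (dst, dport),
    ).fetchone()
    n, nsrc, total, first, last = row
    return {"seen": n > 0, "flows": n, "sources": nsrc,
            "bytes": total, "first": first, "last": last}


def lookup_uses_index(con: sqlite3.Connection) -> bool:
    """Check with EXPLAIN QUERY PLAN that the SOC lookup is served by ix_dst
    rather than a full table scan."""
    plan = con.execute(
        "EXPLAIN QUERY PLAN SELECT COUNT(*) FROM flows WHERE dst = ? AND dport = ?",
        ("203.0.113.9", 443),
    ).fetchall()
    return any("ix_dst" in str(step) for step in plan)


if __name__ == "__main__":
    con = open_store()
    # Example filter: keep only TCP flows during collection.
    print("stored:", collect(con, SAMPLE_FLOWS, keep=lambda r: r[4] == "tcp"))
    print("index used:", lookup_uses_index(con))
    print(soc_pattern_lookup(con, "203.0.113.9", 443))
    print(soc_pattern_lookup(con, "198.51.100.2", 53))  # filtered out at collection
```

Two points worth noticing: filtering at collection time means the dropped UDP flow can never be recovered from the store, so filters should be chosen with evidence preservation in mind, and the index check is the kind of test to run before promising the SOC a short reply interval on a large table.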