Network Forensics For Detecting Flooding Attack On Internet of Things IoT Device

This document discusses network forensics for detecting flooding attacks on Internet of Things (IoT) devices. It begins with an introduction to IoT and the challenges of investigating attacks on these distributed systems. The document then provides background on digital forensics and network forensics processes. It discusses the challenges of applying traditional forensics models to the IoT environment due to the large number and variety of connected devices. The study aims to use network forensics to detect flooding attacks on IoT devices.

Uploaded by

Edi Suwandi

International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(4): 382-390

The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
Network Forensics for Detecting Flooding Attack on Internet of Things (IoT) Device

Randi Rizal [1], Imam Riadi [2] and Yudi Prayudi [3]

[1,3] Department of Informatics, Universitas Islam Indonesia, Yogyakarta, Indonesia
[2] Department of Information System, Universitas Ahmad Dahlan, Yogyakarta, Indonesia

ABSTRACT

Today is the era of the Internet of Things (IoT): millions of devices for smart cities, smart homes, smart retail, automotive, automatic car tracking, smartphone detection, smart lighting, temperature monitoring, etc. are being connected to the Internet. Various devices on the Internet of Things are interconnected with other devices while using different techniques and different standards. The emergence of new technology in various fields also brings challenges in the area of forensic investigation, and forensic investigators will face many new ones. The latest tools and the process flow currently carried out will not satisfy the distributed, current IoT infrastructure. The forensic researcher will face many challenges in collecting pieces of evidence from the infected component on the IoT device, and will also face complications in analyzing that evidence.
In this research, we carry out a network forensics investigation for detecting a flooding attack on an Internet of Things (IoT) device.

KEYWORDS

Internet of Things, Network Forensics, IoT Device Forensics, Flooding Attack, Digital Investigations.

1. INTRODUCTION

The Internet of Things (IoT) results from the progress of the internet, and the innovative evolution of smart devices leads to the development of a new computing prototype. IoT is regarded as the coming stage of the internet, which works on Machine to Machine (M2M) communication and Radio Frequency Identification (RFID) [1]. The primary purpose of the IoT is to allow a secure data exchange between real-world devices and applications.

The Internet of Things (IoT) has become quite famous in recent years. Many everyday devices are getting connected with us, covering many capabilities such as sensing, autonomy and contextual awareness [6]. IoT devices include personal computers, laptops, smartphones, tablets, and other home embedded devices [2]. These devices are connected to each other and share the same network for communicating with each other. All these devices are connected to sensors to detect the particular surrounding condition, analyze the situation and work accordingly. Devices are also programmed to take decisions automatically or to inform the user so that the user can make the best decision.

This interconnected network can bring a lot of advancement in the technology of applications and services, which can bring economic benefit to global business development. Many devices are connected to the internet to share local information with cyberspace. The US National Intelligence Council (NIC) suspects that by 2025 Internet nodes will be part of the things around us: food packages, furniture, paper documents, and many more [3]. According to a report by Gartner, in the next five years there will be 26 billion IoT devices [4]. International Data Corporation (IDC) estimates that the IoT market will reach $3.04 trillion and there will be 35 billion connected things in 2020 [5]. These things vary in attributes such as processing and computation power, communication medium, dimension, etc. [6].

According to the analysis report, since many devices will be connected to the IoT, this ultimately draws the attention of hackers to breaking the security mechanisms [2]. IoT forensics is used to investigate such attacks, so we need to implement digital forensics aspects in the IoT domain [1].

In fact, digital forensics on IoT devices is very challenging and varied; the traditional forensics model does not match the current IoT environment. The large number of devices will also bring new challenges for data management. A vast number of IoT devices generating large amounts of data also makes it difficult for the investigator to analyze the data.

2. BASIC THEORY

2.1 Digital Forensics

Digital forensics is a part of science which involves the recovery and investigation of material found in digital
devices, related to computer crime. Within digital forensics, we first focus on network forensics.

Network forensics is defined in [8] as the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. In other words, network forensics involves capturing, recording and analyzing network traffic. It serves to collect information, gather evidence and detect attacks. The investigation takes place in the network, handling its traffic and activity. Unlike other methods, network forensics deals with dynamic information that is easily lost. Network forensics has two functions. The first relates to security: monitoring network traffic with the aim of obtaining evidence, given that a lack of evidence in the network means the investigation cannot proceed. The second relates to law enforcement: analysis of captured network traffic may include files sent, keyword searches, and the breakdown of communications such as email and chat.

2.2 Network Forensics Process Model

In a paper called “A Generic Framework for Network Forensics” the author proposed a model of network forensics investigation. The proposed model consists of many different stages of network forensics investigation. Figure 1 represents the design of network forensics, which has nine stages [9].

Figure 1. Generic Framework for Network Forensics

• Preparation Stage: The main objective is to acquire the fundamental authorization and legal guarantees.
• Detection Stage: Generate a warning or an alert which indicates a security offense.
• Incident Response Stage: Applicable only when the investigation begins in the course of the attack.
• Collection Stage: The most complicated part, because the data streams quickly and there is no possibility of generating the same traces again later.
• Preservation Stage: Original evidence is kept secure together with computed hashes.
• Examination Stage: Examines the output of the previous phase. All data hidden or altered by the attacker is to be uncovered.
• Analysis Stage: Collected evidence is analyzed to locate the source of the intrusion.
• Investigation Stage: Use information gathered in the analysis phase and focus on finding the attacker.
• Presentation Stage: Final stage of the model. Here the documentation is made and the report is generated and shown to the higher authority.

2.3 Forensic in IoT Environment

IoT forensics is a specialized branch of digital forensics in which all the phases discussed deal with the IoT infrastructure to find facts about a crime that happened in the IoT environment. IoT forensics is carried out at three levels: cloud level forensics, network level forensics and device level forensics, as shown in Figure 2 [1].

Figure 2. IoT Forensics
• Device level forensics: At this level, a forensic investigator first needs to collect data from the local memory contained in the IoT device to be analyzed. The IoT device itself is needed when analyzing data at the device forensics level.
• Network level forensics: The various sources of attacks can be identified from network traffic logs. Thus, network traffic logs can be very important in determining the guilt or innocence of the suspect. IoT infrastructure includes various forms of networks, such as Body Area Networks (BAN), Personal Area Networks (PAN), Home / Hospital Area Networks (HAN), Local Area Networks (LAN) and Wide Area Networks (WAN). Important evidence is collected from one of these networks through network forensics.
• Cloud level forensics: Cloud forensics is one of the most important parts of the IoT forensic domain. Why? Because most existing IoT devices have low storage and computing capacity, data generated from IoT devices and IoT networks is stored and processed in the cloud. This is because cloud solutions offer a variety of advantages including convenience, large capacity, scalability, and accessibility on request.

We have seen how the IoT forensics environment works and that three levels of forensics need to be carried out in the IoT scenario to find the actual source of the infected device or the network breach [1]. In this section we compare the different parameters of how the actual system works and how the proposed solution is to be carried out [10].

Table 1. Comparison of Traditional and IoT Forensics

The conventional tools and technologies are not fully designed to carry out forensics in the IoT environment, which faces many challenges [11]. In this part, we identify the challenges faced by forensic investigation in the IoT environment [1].

a. Compromised device identification in IoT.
The criminal. For example, there may be a number of devices in a college; if any of the devices is compromised, breaches the network and extracts some personal files, it will be very hard to find the device that was infected. This challenge is like finding a needle in a haystack.

b. Gathering and analysis of data.
After identification come the gathering and analysis, where finding the pieces of evidence is quite a challenging task. This phase is crucial and depends on the other phases, and an error here carries over to the other phases.

c. Data Organization
IoT devices produce a wide variety of data, which makes the collection and analysis stage challenging. Logs need to be properly organized in order to avoid complicating the data and files.

d. Preservation of Evidence
The last step of the forensic investigation is that the forensic examiner presents the information that has been analyzed and uses it as digital evidence before a court of law. By comparison, presenting traditional forensic evidence is easier than presenting IoT environment forensics, which is a challenging task because jury members do not have as much knowledge as a technical person.

2.4 Attacks in IoT

Over time, the domain of security attacks on IoT devices is growing rapidly. The attacks on IoT systems are summarized in the following figure 2 [12].

Figure 3. Attacks on IoT Device
[Diagram: "Attack on IoT Device" with six branches.
Physical Attacks: micro probing, reverse engineering, etc.
Side Channel Attacks: timing analysis, power analysis, fault analysis, electromagnetic analysis.
Environmental Attacks.
Cryptanalysis Attacks: ciphertext-only attack, known plaintext attack, chosen plaintext attack, man-in-the-middle attack.
Software Attacks: virus, Trojan horse, logic bombs, worms, denial of service.
Network Attacks: monitoring and eavesdropping, traffic analysis, camouflage, denial of service attacks, node subversion, node malfunction, node capture, node outage, message corruption, false node, replication attacks, routing attacks.]

Cyber attacks on IoT devices have been classified into a few categories, as discussed in [13], [14], [15] and [16], as follows:

a. Node Tampering
An adversary can alter the device and place a rogue device into the system. Thus, the device will not function as it is expected to. This kind of attack is generally used to steal information and abuse the software and hardware of IoT devices.

b. Denial of Service (DoS)
A DoS attack can be undertaken by mishandling the device, manipulating its software and applications, or upsetting the communication channel [13]. One DoS attack is the breakdown attack, where the adversary is able to disable the sensor communication channel from carrying alerts by generating collisions. The collisions are caused by interrupting the transmission request.

Figure 4. DDoS Attacks
[Diagram labels: DDoS Attack; Active Attack; Passive Attack; Packet Dropping; Bandwidth Depletion; Resource Depletion; Flooding Attack; Amplification Attack; Protocol Exploit Attack; Malformed Packet Attack; UDP; ICMP; SMURF; FRAGGLE; TCP SYN; PUSH+ACK; IP Address; IP Packet Option.]

c. Distributed DoS
An example is the Mirai attack. The Mirai malware is designed to use an existing vulnerability within IoT devices for DDoS attacks. There are millions of IoT devices on the market that are misconfigured and set to continue requests via the Transmission Control Protocol.

d. Spoofing
The method usually used by the adversary is credential information belonging to others, to gain access to an otherwise inaccessible service. These credentials can be obtained from the device itself, from eavesdropping on the communication line, or from reconnaissance activities.

e. The Violation of Privacy
With this, the adversary can collect private data from diverse sources. Examples are meta information and activity investigation, which are the main target of the attack.

f. Buffer Overflow
A buffer overflow attack lets an adversary control or crash the process in order to modify its internal elements. If the program is sufficiently privileged, the adversary can control the host.

g. SQL Injection
In this security attack, a malicious code injection method is used to attack information-driven applications by exploiting a security weakness in an application's software, allowing the adversary to spoof identity and modify data, which may cause repudiation issues.

The glucose monitoring system for diabetic patients is another case study of attacks. An October 2016 report explained that the Johnson & Johnson subsidiary Animas produces a device that reads the user's blood glucose levels through a meter before the pump uses these readings, "communicating wirelessly" in the 900 MHz band, to deliver insulin. One of the main security faults is the lack of encryption between these components. This opens the door for eavesdroppers to capture information such as dosage data and blood glucose results. Attackers can easily detect the remote or pump key and then pose as the remote or the pump. Another vulnerability is that the communication between the pump and meter has no timestamps or sequence numbers and no defence against replay attacks.

2.5 Arduino UNO

The Arduino UNO is a small and cheap device that lets you easily connect electronic things you have made to your computer and to the internet. It brings all kinds of inventions to the Internet of Things (IoT). Arduino is an open source computer hardware and software company, project and user community that designs and manufactures single-board microcontrollers and microcontroller kits for building digital devices and interactive objects that can sense and control objects in the physical and digital world.
Various microprocessors and controllers are used in Arduino board designs. The boards are equipped with sets of digital and analog input/output (I/O) pins that can be connected to various expansion boards or breadboards (shields) and other circuits. Arduino boards feature serial communication interfaces, including Universal Serial Bus (USB) on several models, which are also used to load programs from personal computers.

The Arduino platform consists of the Arduino board, shields, the Arduino programming language, and the Arduino development environment. An Arduino board usually has as its basic chip an Atmel AVR microcontroller, the ATmega8 or one of its derivatives. The simplified Arduino board diagram is shown in Figure 3. A shield is a board that can be mounted on the Arduino board to extend the capabilities of the Arduino board.

Figure 5. Block Diagram of Arduino Board

2.6 Bluetooth HC05

The Internet of Things (IoT) architecture consists of hardware, communication, software systems and application layers, with Bluetooth being used as a communication layer. The communication layer is a critical bridge between the layers and consists of a multi-layer stack, comprising data link, network or transport, and session protocols. Bluetooth is one part of the data link layer, connecting sensor to sensor or sensor to gateway. The network layer, on the other hand, is responsible for routing or moving packets across the network, using the most appropriate path. The session layer protocol allows messaging among various elements of the IoT communication subsystem.

Bluetooth HC05 is a Bluetooth module that uses UART serial communication for receiving and sending its data. It can communicate directly with the microcontroller through the TX and RX lines on its pinout. Basically, the Bluetooth HC-05 can only be configured as a slave and cannot be used as a master. Here is the physical form of the Bluetooth HC-05:

Figure 6. The physical shape of bluetooth HC 05

3. METHODOLOGY

3.1 Bluetooth Arduino Configuration Scheme

The first step is preparing the Arduino package, which is the main package needed in the system; the package used is the Arduino driver package, which can be installed directly. Configuring the Arduino with the Bluetooth HC-05 is a preliminary configuration for the purpose of detecting and analyzing the traffic log file data contained in the Arduino. Here is the Arduino configuration scheme with Bluetooth HC-05:

Figure 7. Bluetooth Arduino Configuration Scheme with

Some of the configuration on the Arduino is as follows. The USB connector connects the Arduino to a computer and performs serial communication, such as sending and receiving sensor data via the serial terminal in the Arduino IDE. Power Jack: input voltage to power the Arduino. IC ATMEGA328p: Atmel microcontroller IC with the Arduino bootloader. Digital I/O is used for digital inputs and outputs; pins 3, 5, 6, 9, 10 and 11 carry a (~) sign, indicating that in addition to digital I/O the pin also has PWM (Pulse Width Modulation) with an 8-bit output range, equivalent to values between 0 and 255. Next is the Analog Input, used for sensor data input, potentiometers and other analog input devices. Then Power is used to take power: 5V, 3.3V, GND.
Configuration is also done on the Bluetooth HC-05 device. During configuration, the Bluetooth module is placed in a state where it is not connected to the Arduino device that uses wireless, so that it is absolutely certain the Bluetooth module is active without a connection. Next, the settings are configured; the default Bluetooth settings are Baudrate: 9600 bps, Name: linvor, Pairing Code: 1234. Any changes to the configuration above are saved even when the power is turned off. Commands sent to the Bluetooth module do not have to end with newline characters. Therefore we recommend using the 'Serial Monitor' in the Arduino IDE to configure the Bluetooth module.

The procedure for the Bluetooth configuration is then: connect the Bluetooth module to the PC (the LED should blink), open the Arduino IDE software, and choose the correct COM port to which the Bluetooth module is connected.

3.2 Flooding Attack Scenario

The flooding attack scenario phase was established to implement network forensics on the Internet of Things (IoT) device. The purpose of the system simulation is to perform network forensic testing of the IoT Bluetooth Arduino device in detecting flooding attacks. The simulation is done using the LOIC tool used to detect flooding attacks. The exercise starts with the delivery of IP packets to the target and the port to be attacked.

Here is a figure of the system simulation case of a flooding attack against an IoT device:

Figure 8. Simulation Flooding Attack
[Diagram labels: System case simulation; Flooding attack on IoT device; Attacker 1; Attacker 2; Attacker 3; IoT Device; VICTIM; Arduino UNO Bluetooth.]

4. IMPLEMENTATION AND RESULT

The implementation phase of the network forensic research lies in the design of the forensic network architecture shown in Figure 9, which is the network forensic architecture on the IoT device for detecting flooding attacks. The forensic investigator performs an analysis of the IoT device to find the attack packets.

Figure 9. Network Forensic Architecture on IoT Devices
[Diagram labels: System case simulation; Flooding attack on IoT device; Investigator Forensics; IoT Device; Attacker 1; Attacker 2; Attacker 3; VICTIM; Arduino UNO Bluetooth.]

A. Implementation Model Process Forensics

The network forensic process model is implemented in the design of the network forensic architecture to detect attacks on IoT devices with Bluetooth Arduino. Detection of flooding attacks is the case to which the process is applied on the IoT device. The log file will be stored in the data logger file. Researchers will then analyze it to find evidence, using Wireshark to reconstruct the data log file contained in the Bluetooth Arduino UNO.

Figure 10. IoT Device Forensics

B. Model Process Forensic

At the device forensics level, the device is inspected and network forensics is used to analyze and record traffic. IoT devices produce very large amounts of data, which adds to the network data. Because the amount of evidence data will be very large, it will be very difficult to analyze the data and to identify evidence that can be used in digital forensics for finding flood attacks and
monitoring, so that the source of the attack with which the device is infected can be identified. The results of this analysis follow the nine stages of the Forensic Process Model:

• Preparation and Authorization
At this phase, network forensic investigation applies to environments where network security tools such as packet analyzers and traffic stream evaluation software are deployed at various planned points on the network to detect flooding attacks on IoT devices. The personnel handling these tools must be trained to make sure that the maximum amount of quality evidence can be collected in order to facilitate attribution of the crime. The required authorizations to monitor the network traffic are acquired, and a well-defined security policy is in place so that the privacy of individuals and the organization is not breached.

• Detection of Incident
The warnings generated by various security tools, indicating a security offense or policy violation, are observed. Any unwarranted events and unusual activity noticed will be analyzed. The confirmation of an incident results in two actions: incident response and collection of data.

Figure 11. Detection of Findings Log
[Flowchart labels: IoT Device; Monitoring Phase; Abnormal Activity (Yes / No); Start Collecting data traffic log identified; Start Storing the Findings.]

• Incident Response
In this phase, the response to the illegal act or intrusion detected is initiated based on the information collected to validate and evaluate the incident. The response initiated depends on the type of attack identified and is guided by organization policy and legal and business constraints. This phase is relevant only to cases where an investigation begins while the attack is underway and not notitia criminis (after notification of crime).

• Collection of Network Traces
Evidence collection in this study used recordings of the traffic log on the IoT device. The process of capturing the payload as a flooding attack file in this study is shown in figure 4.

Figure 12. Data Collection Stage
[Diagram labels: Investigator Forensics; IoT Device; VICTIM; Arduino UNO Bluetooth.]

• Protection and Preservation
The original data acquired in the form of traces of evidence and logs is kept on a backup device. A hash of all the trace data is taken and the data is protected. Chain of custody is strictly enforced so that there is no unauthorized use or tampering. Another copy of the data is used for analysis, and the originally collected network traffic is protected. This stage uses the FTK Imager application to make a hash of the data.

Figure 13. Hash Evidence of Log Traffic

• Examination
Forensic investigators examine the log file found in the Bluetooth traffic log capture (p.cap) by entering the parameters to be applied. The examination is done by capturing traffic with the Wireshark application.

• Analysis
At the analysis stage, the log files are checked: the recovered log files are examined one by one to determine changes in the network and to see the timestamps. Flooding attacks become visible when requests to the IoT device increase the captured traffic, which is an anomaly. Then flooding attacks

are sent from the attacker so that traffic will increase. In addition to the traffic captured by the investigator using Wireshark, the increase in requests can also be seen in the graph in figure 14.

Figure 14: IO Graph Traffic Log

After the log files are recorded, the log file is taken and analyzed using Wireshark to obtain this forensic evidence. The picture shows that demand exceeds 15 packets in one second, as shown in figure 15.

Figure 15: Traffic Log in Wireshark

• Investigation and Attribution
The information obtained from the evidence traces is used to identify the incident. This will help in source traceback, reconstruction of the attack scenario and attribution to a source.

Figure 16: UDP Follow

From the collection of lines, one line can be taken to analyze any part of the frame; it represents a frame in a flooding attack packet from IP address 192.168.0.221 with a length in the 50-byte range (57 bytes). In the Internet Protocol Version 4 section, the source IP reads as 192.168.0.221 and the destination IP address as 192.168.0.127, with a 20-byte header length and a total length of 43. In the User Datagram Protocol section, the source port reads as 61924 and the destination port as 137. If the filter is set back to ip.src == 168.192.0.221 and another frame is investigated, the source port is immutable, but still in a great range (ports 49775-63293). The log file analysis found 3 IP addresses that acted illegally by flooding the IoT device.

In addition, the analysis continued with the endpoint statistics module in Wireshark, used to collect the attack packets contained in the log files during the attack simulation. Figure 9 below shows that the IP addresses have a different load in packets and a different rate in bytes.

Figure 17: Statistic Endpoint

• Presentation
The presentation stage is the last stage in the forensic process model. This stage presents all the findings of this study. Based on the analysis that has been done, 3 IP addresses were obtained as the findings in this research scenario, as shown in Table 2.

Table 2. File Log Bluetooth Traffic

6. CONCLUSION

In this paper we provide aspects different from those used for IoT, and also use IoT devices. The author has presented a network forensic model for detecting and identifying attacks. It focuses on the flooding attack and found the infected IoT Bluetooth Arduino device. Log file data with the p.cap extension can be analyzed in a network forensic investigation using the Wireshark application.
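The preservation and analysis steps described in this paper (hash the capture, then look for senders exceeding 15 packets in one second), as an added Python example that is not code from the paper. It assumes a classic Ethernet pcap file, applies the threshold per source address, and uses SHA-256 for the hash; the sample capture is constructed, and only 192.168.0.221, 192.168.0.127, port 137 and the 57-byte frame come from the text.

```python
import hashlib
import socket
import struct
from collections import Counter

THRESHOLD_PPS = 15          # the paper's criterion: more than 15 packets in one second
VICTIM = "192.168.0.127"    # destination address reported in the paper


def make_udp_frame(src, dst, sport, dport, payload):
    """Build one Ethernet/IPv4/UDP frame (checksums left at 0: sample data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    return eth + ip + udp


def build_pcap(packets):
    """Serialise (ts_sec, ts_usec, frame) tuples as a classic little-endian pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # 1 = Ethernet
    for sec, usec, frame in packets:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def sample_capture():
    """Constructed capture: three flooding sources and one quiet host."""
    # 192.168.0.221 is from the paper; the other addresses are made up for the sample.
    attackers = ["192.168.0.221", "192.168.0.222", "192.168.0.223"]
    packets = []
    for n, src in enumerate(attackers):
        for i in range(40 + 10 * n):          # 40, 50 and 60 packets in one second
            frame = make_udp_frame(src, VICTIM, 49775 + i, 137, b"A" * 15)
            packets.append((1000, i * 1000, frame))
    for sec in range(1000, 1005):             # quiet host: one packet per second
        frame = make_udp_frame("192.168.0.10", VICTIM, 50000, 137, b"B" * 15)
        packets.append((sec, 0, frame))
    return build_pcap(packets)


def evidence_hash(data):
    """Preservation step: SHA-256 of the capture, taken before any analysis."""
    return hashlib.sha256(data).hexdigest()


def parse_pcap(data):
    """Yield (ts_sec, src, dst, sport, dport, frame_len) for each IPv4/UDP frame."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        order = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, _usec, incl, orig = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < incl:
            break                              # truncated final record
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if ihl < 20 or frame[23] != 17 or len(frame) < 14 + ihl + 8:
            continue                           # not UDP
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        yield (sec, socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               sport, dport, orig)


def find_flooders(data, victim=VICTIM, threshold=THRESHOLD_PPS):
    """Return {source: peak packets/second} for sources exceeding the threshold."""
    per_second = Counter()
    for sec, src, dst, _sport, _dport, _length in parse_pcap(data):
        if dst == victim:
            per_second[(src, sec)] += 1
    peaks = {}
    for (src, _sec), count in per_second.items():
        if count > threshold:
            peaks[src] = max(peaks.get(src, 0), count)
    return peaks


if __name__ == "__main__":
    capture = sample_capture()
    print("SHA-256:", evidence_hash(capture))
    for src, peak in sorted(find_flooders(capture).items()):
        print(f"{src}: peak {peak} packets/second towards {VICTIM}")
```

Hashing before parsing mirrors the order of the process model: the digest is recorded for the original capture, and the analysis runs on a copy.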
Based on the analysis that has been done, it was found that 3 IP addresses committed illegal actions, which led to traffic overload. By applying a forensic process model, flooding attacks on IoT devices can be detected.

REFERENCES

[1] Zawoad, Shams, and Ragib Hasan. "FAIoT: Towards Building a Forensics Aware Eco System for the Internet of Things." Services Computing (SCC), 2015 IEEE International Conference on. IEEE, 2015.
[2] Hossain, Md Mahmud, Maziar Fotouhi, and Ragib Hasan. "Towards an Analysis of Security Issues, Challenges, and Open Problems in the Internet of Things." Services (SERVICES), 2015 IEEE World Congress on. IEEE, 2015.
[3] L. Atzori, A. Iera, and G. Morabito, “The internet of things: A survey,” Computer networks, vol. 54, no. 15, pp. 2787–2805, 2013.
[4] www.gartner.com, “Gartner Says the Internet of Things Will Transform the Data Center,” http://www.gartner.com/newsroom/id/2684616, 2014.
[5] www.idc.com, “Finding Success in the New IoT Ecosystem: Market to Reach $3.04 Trillion and 30 Billion Connected ”Things” in 2020, IDC Says,” http://www.idc.com/getdoc.jsp?containerId=prUS25237214, 2014.
[6] Y. Huang and G. Li, “A semantic analysis for internet of things,” in Intelligent Computation Technology and Automation (ICICTA), 2010 International Conference on, vol. 1. IEEE, 2010, pp. 336–339.
[7] E.S. Pilli, R.C. Joshi, & R. Niyogi. “A Generic Framework for Network Forensics”. International Journal of Computer Applications (IJCA) (0975 – 8887) Volume 1 – No. 11, 2012.
[8] Nguyen, K., Tran, D., Ma., & Shama, D. (2014) An Approach to Detect Network Attacks Applied for Network Forensics, 655-660.
[9] E.S. Pilli, R.C. Joshi, & R. Niyogi. “A Generic Framework for Network Forensics”. International Journal of Computer Applications (IJCA) (0975 – 8887) Volume 1 – No. 11, 2013.
[10] Oriwoh, Edewede, et al. "Internet of Things Forensics: Challenges and approaches." Collaborative Computing: Networking, Applications and Worksharing (Collaboratecom), 2013 9th International Conference Conference on. IEEE, 2013.
[11] Buric, J., and D. Delija. "Challenges in Network forensics." Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2015 38th International Convention on. IEEE, 2015.
[12] Ramjee Prasad, Antonietta Stango, Neeli Prasad & Sachin Babar. ”Proposed Embedded Security Framework for Internet of Things (IoT)”. 2011.
[13] Atamli, A.W. & Martin, A., “Threat-Based Security Analysis for the Internet of Things”. International Workshop on Secure Internet of Things, pp.35–43. 2014
[14] Hachem, S., Teixeira, T. & Issarny, V., 2012. Ontologies for the internet of things. Proceedings of the 8th Middleware Doctoral Symposium on - MDS ’11, pp.1–6.
[15] Huuck, R., 2015. IoT: The Internet of Threats and Static Program Analysis Defense. EmbeddedWorld 2015: Exibition & Conferences, p.493.
[16] Borgohain, T., Kumar, U. & Sanyal, S., 2015. Survey of Security and Privacy Issues of Internet of Things. arXiv preprint arXiv:1501.02211, p.7. Available at: http://arxiv.org/abs/1501.02211.
[17] Mualfah, D. and Riadi, I. “Network Forensics For Detecting Flooding Attack On Web Server” (IJCSIS) International Journal of Computer Science and Information Security, Vol.15, 2017.
[18] Iswardani, A. and Riadi, I. “Denial Of Service Log Analysis Using Density K-Means Method,” vol. 83, no. 2, pp. 299–302, 2016.
[19] Oriwoh, Edewede, and Paul Sant. "The Forensics Edge Management System: A Concept and Design." Ubiquitous Intelligence and Computing, 2013 IEEE 10th International Conference on and 10th International Conference on Autonomic and Trusted Computing (UIC/ATC). IEEE, 2013.
[20] Bandyopadhyay, Debasis, and Jaydip Sen. "Internet of things: Applications and challenges in technology and standardization." Wireless Personal Communications 58.1 (2011): 49-69.
[21] T. A. Cahyanto and Y. Prayudi, “Web Server Logs Forensic Investigation to Find Attack’s Digital Evidence Using Hidden Markov Models Method,” Snati, pp. 15–19, 2014.
[22] P.F. Moh, P. Yudi & R. Imam, “Comparison of Attribute Based Access Control (ABAC) Model and Rule Based Access (RBAC) to Digital Evidence Storage (DES)” International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(3): 275-282, 2018.
[23] U. Rusydi, R. Imam & Z.M. Guntur. “Mobile Forensic Tools Evaluation for Digital Crime Investigation” International Journal on Advanced Science Engineering Information Technology, Vol.8-no.3, 2018.
[24] K. Ade and R. Imam, “Detection and Analysis Cerber Ransomware Based on Network Forensics Behavior”, International Journal of Network Security, Vol.20, No.5, PP.836-843, 2017.
