
Hindawi

Security and Communication Networks


Volume 2021, Article ID 8871230, 13 pages
https://doi.org/10.1155/2021/8871230

Research Article
Analysis of Challenges in Modern Network Forensic Framework

Sirajuddin Qureshi,1 Jianqiang Li,1 Faheem Akhtar,2 Saima Tunio,1 Zahid Hussain Khand,2 and Ahsan Wajahat1

1 Faculty of Information Technology, Beijing University of Technology, Beijing 100124, China
2 Department of Computer Science, Sukkur IBA University, Sukkur 65200, Pakistan

Correspondence should be addressed to Faheem Akhtar; [email protected]

Received 3 September 2020; Revised 15 July 2021; Accepted 13 August 2021; Published 29 August 2021

Academic Editor: Neetesh Saxena

Copyright © 2021 Sirajuddin Qureshi et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Network forensics can be seen as an extension of network security design, which typically emphasizes the prevention and detection of network attacks. It covers the need for dedicated investigative capabilities. Within that design, it allows the investigation of malicious behavior in networks. It helps organizations examine external and internal attacks, and it is also important for law enforcement investigations. Network forensic techniques can be used to identify the source of the intrusion and the intruder's location. Many cybercrime cases can be resolved using the methods of network forensics. These methods can extract the intruder's information, the nature of the intrusion, and how it can be prevented in the future; they can also be used to avoid attacks in the near future. Modern network forensic techniques face several challenges that must be resolved to improve the forensic methods. Some of the key challenges include high-speed data transmission, the requirement of ample storage space, data integrity, data privacy, access to IP addresses, and the location of data extraction. The details concerning these challenges are provided together with potential solutions. In general, network forensic tools and techniques cannot be improved without addressing these challenges. This paper proposes a thematic taxonomy of classifications of network forensic techniques based on an extensive literature review. The classification has been carried out based on the target datasets and implementation techniques used while performing forensic investigations. For this purpose, qualitative methods have been used to develop the thematic taxonomy. The distinct objectives of this study include accessibility to the network infrastructure and artifacts and the collection of evidence against the intruder using network forensic techniques, so as to communicate information related to network attacks with minimum false-negative results. It will help organizations to investigate external and internal causes of network security attacks.

1. Introduction

Modern research on network forensics has identified several investigation techniques through which vulnerabilities and security breaches can be highlighted. Most of these investigation techniques depend on discovering, capturing, and analyzing traffic passing through the infrastructure and network devices [1]. It is necessary to determine the objective of a network forensic investigation when network security suspects are present. The research indicates several ways of conducting an investigation, which may include a response to a specific network incident [2], analysis of archives in the case of an internal corporate investigation [3], and performing a criminal investigation [4]. The intentions and procedures followed in these kinds of network investigations are different; however, one of the common objectives is to analyze the traffic observed during network susceptibilities. These investigations are carried out in response to network attacks and explain such attacks' impact on the networks. The investigation also analyzes the digital events that occur after the suspected event has occurred [5]. It helps in analyzing the pattern of events that occurred during the attack on the network. Network forensics also involves capturing the network traffic to reconstruct the entire attack and then transmitting the traffic to another device to understand the attack [6, 7]. However, this process may lead to

time delays in carrying out forensics because it requires transmitting a large quantity of data from one device to another [8]. Besides, this process also affects the incident response because network forensics performance is abysmal. It means that forensic experts need to identify more efficient ways of performing network forensics and improving network security. The authors in [9–11] proposed a number of different network forensic methods over the years, which can enhance the efficiency of network forensic techniques. One of the key and common objectives of these techniques is to extract legal evidence from network communication channels and network security devices.

Figure 1: Digital forensics (process stages: Collection, Examination, Analysis, Reporting).

Admissible evidence plays a vital role in identifying the origin of the attack. For example, Jeong and Lee [12] proposed capturing the evidence by extracting the traffic from the router. This data can help identify the origin of the attack and the potential intruder. Regardless of the number of studies that scholars performed on network forensic techniques, Pilli et al. [3] are the only ones to survey network forensics. That study outlined the tools used in network forensics, the process models, and the implementation frameworks. The scholars have not yet explored the modern network forensic techniques, specifically a comprehensive cybercrime investigation with network forensic techniques. Similarly, no evidence was found in which the scholars emphasized the implementation frameworks and the target datasets of the network forensic techniques. This particular study has been conducted considering the diverse nature of digital evidence and the difficulties that arise from that diversity while analyzing different kinds of attacks in the networks. The distinct objectives of this study include accessibility to the network infrastructure and artifacts and the collection of evidence against the intruder using network forensic techniques, so as to communicate information related to network attacks with minimum false-negative results. Setting these objectives highlights the digital evidence, which indicates that the intruder has to invest more time and effort in carrying out the attack. This study also aims to highlight the state-of-the-art challenges existing in carrying out network forensic techniques. This study is a key contribution specifically for the security agency committees and the legislators because it can help to develop standard legal frameworks.

This study's significance is that it explores the basic structure of network forensic techniques (i.e., represented in Figure 1) and how they work to assess the nature and impact of network attacks. This paper also proposes a thematic taxonomy of classifications of network forensic techniques based on an extensive literature review. The classification has been carried out based on the target datasets and implementation techniques used while performing forensic investigations. For this purpose, qualitative methods have been used to develop the thematic taxonomy. The similarities and differences between different network forensic techniques have been worked out based on their objective functions, execution definition, investigation time, forensic processing, target instance, target dataset, mechanism, and nature of the framework. Finally, this study has discussed the open research challenges that may occur while selecting the domain for further research within network forensics and identifying the most effective techniques.

1.1. Related Work and Significance of Network Forensics. One of the key motivational factors that emerged within the network forensic domain is the emergence of the information technology (IT) industry and its apprehension about security. Most of the world's modern organizations are concerned about the safety of their data and networks because of the cybersecurity attacks observed in the last decade [13]. In the previous decade, many attempts were made on different social media websites, including Twitter, Facebook, and Google Blogger.

Disgruntled users have attacked different social media websites using DDoS, and the principal objective of these attacks was to crash the functioning of these platforms. Some of these attacks can be categorized as phishing attacks, in which the intruders attack to acquire personal information, that is, bank account passwords, to steal money from the bank accounts. It is a criminal activity, and the conviction of these intruders requires digital shreds of evidence. The purpose of raising security is to stop such attacks from intruders. Perry [14] argued that the network traffic flow passes through the Internet service providers (ISPs), so the ISPs should be held responsible for attacks from outside networks. Furthermore, the ISPs should stop the malicious packets of data, which may result in network attacks. Most of the world's large companies are utilizing online business transactions and face a higher threat of a breach in security. Most of such business operations are very large, and any breach of security may push these businesses to file for financial bankruptcy. The scholars argue that cybersecurity is the backbone of large and small companies and is the primary concern for these companies in the current and future time. The Federal Information Security Management Act (FISMA) has defined comprehensive cybersecurity programs for the federal agencies [15]. Similarly, healthcare data is also susceptible to malicious attacks, and the Health Insurance Portability and Accountability Act (HIPAA) has defined security plans for healthcare organizations (1996). Different companies have developed their market portfolios based on the security of their e-business, e-transactions, and other Internet-based activities, and they are using their portfolios to attract more customers. These companies claim that they

can protect the interest of their customers. These companies continuously analyze the traffic to detect potential malicious attacks as soon as possible and deal with them in time.

The term "malicious" may refer to malicious packets of data or malicious traffic programs. Malicious traffic programs are irregular traffic patterns. Malicious data packets can be identified as those that violate network communication principles. These malicious packets attack the network by exploiting the vulnerabilities of the devices installed for security purposes, including the gateways, and by attempts to gain unauthorized access to the network. In the case of malicious packets, various packet fields contain forged information, that is, port numbers, TCP flags, and IP addresses [16]. For example, IP spoofing is a specific kind of attack in which the attacker uses a spoofed IP address, and it may appear as a trusted node. The attacker can be connected with the victim node by registering as a trusted user on the network [17]. The land attack is another form of spoofing in which the intruder uses the victim's address as both the destination and the source IP address. The victim of this attack enters into a loop of self-connection attempts. The intruder can alter the TCP flags to indicate several events, including pushing off the data, highest priority of data, starting of a connection, and ending it. The SYN TCP flag indicates the start of the connection, and the FIN TCP flag indicates the end of the connection. A combination of these two flags, that is, SYN-FIN, can be used by the intruder to avoid detection by the system's security. Most of the available intrusion detection systems detect the connection's start (SYN TCP flag) or end (FIN TCP flag). Therefore, any attempts to start or stop the connection are considered unauthorized. The intruders can also attack by altering the packet's source and destination port numbers and can communicate the packets abnormally. The networking device discards the packet if the intruder assigns the same port number to both of the ports. The communication also becomes suspicious when the intruder tampers with the packet or performs fragmentation of the packets [18]. Packet fragmentation is performed when the packet's size is too large to be transmitted. The intrusion can be conducted in the form of tiny fragment attacks; two TCP fragments are formed from each packet. Each of these fragments contains little information, and they are transmitted in the form of tiny fragments. The network devices cannot detect the tiny fragments, and bypassing the security protocols is the outcome of such transmission. On the other hand, some intruders use large packets of information to perform an attack. The packets are reassembled at the receiving device; however, when the reassembled packets become too large, the reassembling process becomes disturbed, affecting the entire network. Such an attack is known as the Ping of Death attack. The intruder uses echo request messages, and the size of packets in such a message is larger than the regular packet size [19]. The network operators carry out active monitoring of the events to detect malicious programs and packets. Anomaly detection is one of the techniques of active monitoring. Some other techniques also include honeypots, access control lists, intrusion detection systems, and signature scan detection. In anomaly detection techniques, the system creates patterns of behavior of the user and the network's resources. An irregular pattern of traffic is detected as malicious by the anomaly detection technique [20]. The signature scan is one of the detection techniques in which traffic signatures are stored in the network's database. Recognition of irregular patterns is performed with the help of passive scans [21]. The malicious activity is detected when the signature matches the one stored in the database. This technique is particularly useful when the attackers in the system are known. The intrusion detection systems work based on statistical anomaly and matching patterns [22]. The malicious traffic is detected using statistical anomaly when the usage patterns deviate from the normal usage patterns. The system forms the standard usage patterns, and the purpose of creating them is to identify any deviation from them. An access control list is a technique in which the rules for determining malicious activities are predefined, and the intruders are detected based on matching packet headers [23]. The honeypot technique is the one that acts as a trap for the intruders. It prevents users from entering the secure areas of the network [21]. The trap that a honeypot forms is a disguise whose role is to protect the server by replicating it and persuading the attacker to interact with the network. The honeypot requires open ports to invite the intruder, and the attack is detected when the intruder interacts with one of these ports. Network forensics reconstructs the sequence of attacks and detects the intrusion based on historical network data [9]. It collects and captures the network packets to form emails, FTP traffic, messages, and other communication forms. Network forensics is significant in detecting attacks and in identifying the problems in critical business systems. Some of the other functions performed by network forensics may include monitoring the workflow regularly for corporate defiance, enhancing the network's performance, shielding against viruses, and locating the device that has the potential to generate an attack.
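As an added example (not code from the paper), the following Python checks packet headers for the malicious-packet patterns described in this section: the land attack, the SYN-FIN flag combination, identical source and destination ports, tiny first fragments, and oversized echo requests (Ping of Death). The Packet structure and the sample traffic are constructed for this example.

```python
"""Header-level checks for the malicious-packet patterns described in
Section 1.1. Packets are plain Python objects so the checks run offline;
a real deployment would feed them from a capture file or a tap."""
from dataclasses import dataclass, field

TCP_HEADER_MIN = 20       # smallest legal TCP header, in bytes
MAX_IP_DATAGRAM = 65535   # largest reassembled IPv4 datagram, in bytes


@dataclass
class Packet:
    """Minimal view of an IP fragment (constructed for this example)."""
    src_ip: str
    dst_ip: str
    proto: str                              # "tcp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    flags: set = field(default_factory=set)  # TCP flag names, e.g. {"SYN", "FIN"}
    frag_offset: int = 0                    # in 8-byte units, as in the IP header
    more_fragments: bool = False            # IP "more fragments" bit
    payload_len: int = 0                    # bytes carried by this fragment
    icmp_type: int = 0                      # 8 = echo request
    total_len: int = 0                      # size of the reassembled datagram


def check_packet(p):
    """Return a list of 'code: reason' findings; empty means nothing suspicious."""
    findings = []
    # Land attack: the victim's address is used as both source and destination.
    if p.src_ip == p.dst_ip:
        findings.append("land-attack: source and destination address are identical")
    if p.proto == "tcp":
        # SYN and FIN together claim a connection start and end in one segment.
        if {"SYN", "FIN"} <= p.flags:
            findings.append("syn-fin: connection start and end flagged in one segment")
        # Same port in both fields is abnormal; devices normally discard it.
        if p.src_port == p.dst_port:
            findings.append("same-ports: source and destination port are identical")
        # A first fragment too small to hold a TCP header hides the port and
        # flag fields from any filter that inspects that fragment alone.
        if p.frag_offset == 0 and p.more_fragments and p.payload_len < TCP_HEADER_MIN:
            findings.append("tiny-fragment: first fragment shorter than a TCP header")
    # Ping of Death: an echo request whose reassembled size exceeds the IP limit.
    if p.proto == "icmp" and p.icmp_type == 8 and p.total_len > MAX_IP_DATAGRAM:
        findings.append("ping-of-death: echo request exceeds the maximum IP datagram")
    return findings


def scan(packets):
    """Return {index: findings} for every packet that triggers at least one check."""
    report = {}
    for i, p in enumerate(packets):
        findings = check_packet(p)
        if findings:
            report[i] = findings
    return report


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", "tcp", 51000, 443, {"SYN"}),             # benign
    Packet("10.0.0.9", "10.0.0.9", "tcp", 139, 139, {"SYN"}),               # land attack
    Packet("10.0.0.7", "10.0.0.9", "tcp", 40000, 22, {"SYN", "FIN"}),       # SYN-FIN
    Packet("10.0.0.7", "10.0.0.9", "tcp", 40001, 22, {"SYN"}, 0, True, 8),  # tiny fragment
    Packet("10.0.0.7", "10.0.0.9", "icmp", icmp_type=8, total_len=65600),   # ping of death
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE).items():
        print(idx, findings)
```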
2. Research Methodology

2.1. Classification of Modern Forensic Techniques. This section consists of the proposed taxonomy of network forensic techniques; their evaluation, implementation, and the critical review of these techniques are presented as they appear in the related domain [24–28]. Figure 2 shows the components of modern forensic techniques.

2.2. Traceback-Based Network Forensic Technique. Traceback is a specific term used when the origin of a packet is to be identified in a network. It is also known as IP traceback [12]. IP tracing is a useful tool for analyzing and attributing network attacks (Figure 3). This technique determines the origin of the attack by identifying the device from which the packets are generated. The traceback technique is useful when the packets' origin is to be identified in the case of spoofing attacks and DDoS attacks [29]. DDoS and botnet attacks are mostly observed in distributed

networks, and the traceback technique is useful in such attacks. Distributed networks are more susceptible to attack because they collaborate with the Internet, and the atmosphere is favorable for attacks by bot-masters [30]. The network requires various traceback systems to overcome these attacks efficiently:

Network forensics: the use of scientifically proven processes to gather, fuse, determine, examine, correlate, evaluate, and document evidence from electronic sources that are actively processing and transmitting digital data, for the purpose of uncovering facts related to the planned intent or assessed success of unauthorized activities meant to interrupt, corrupt, and/or compromise system components, as well as providing information to help in the response to or recovery from these activities

Analysis time: forensics covers real time and includes security for live network surveillance and its monitoring system; however, the investigation of postmortem packet captures is operated offline

Source of data: a flow-based process mainly collects statistical records in the form of network traffic flows, whereas a packet-based tool includes thorough packet inspection

Figure 2: Components of modern forensic techniques (Modern Information Hiding: Digital Media Steganography / Covert Data Storage, File/File System/Mass Storage Information Hiding; Network Steganography / Covert Channels, Covert Data Communication, Local and out-of-band Channels).

Figure 3: Network forensics using IP traceback (attack path: A, R6, R3, R2, R1, V; traceback: V, R1, R2, R3, R6, A).

2.3. Converged Network-Based Network Forensic Technique. Converged network-based network forensic techniques are specifically useful in identifying the digital evidence found in converged networks. VoIP communication is a specific example of a converged network. VoIP requires a medium for data communication, due to which it faces several kinds of vulnerabilities, security threats, and attacks. The communication signals in VoIP are divided into frames, and these frames are embedded as voice codes in the data packets. These data packets are communicated as simple voice packets on the IP network. When the

voice packets are transmitted from a sender to a receiver without any modification and interference, they are known as normal voice packets. Typically, the voice packets are transmitted over the IP networks using the H.323 and SIP protocols [31]. The port and IP address information is enclosed in the voice packets, assisting the communication protocols. The communication protocols act as session control protocols. The ports and IP addresses attached in the voice packets are not encrypted because the address translation devices have to translate the voice packets. The lack of encryption of the voice packets makes them susceptible to attacks from intruders. The intruder can exploit the voice packets during transmission, which changes the normal voice packets into malicious voice packets. The malicious voice packets may take several forms, including the exploitation of VoIP devices, degrading call integrity, privacy leakage, eavesdropping, man-in-the-middle, buffer overflow, hijacked calls, and flooding. Figure 4 can be referred to for details.

VoIP network forensic analysis involves distinguishing the malicious packets from the normal packets [10]. The intruders inject malicious or abnormal packets during the transmission process. Lin et al. [10] offered a solution to such attacks by collecting digital shreds of evidence while performing a forensic investigation. The digital proof is in the form of information received from the packet value, TTL, service type, protocol, and the packet's payload. A change found in the packets means that alteration has occurred, and the packet becomes malicious. The scholars have identified different fields of voice packets to differentiate between different types of VoIP-NFDE. However, a common issue is scalability, which is considered during the investigation of large integrated networks. Another problem is that the investigation process may be prolonged because of the reestablishment of a communication link between IP phone users and the SIP registrar on its disconnection. Reestablishing the connection is time-consuming, and some useful data may be lost during the process. Similarly, storage resources are also required to investigate the attack patterns collected from the voice data.

2.4. Attack Graph-Based Network Forensic Technique. The attack graph-based network forensic technique utilizes attack graphs to recognize all the potential attack paths which an intruder used while performing the attack. This process requires analyzing networks, hosts, and other security devices [32]. An attack graph consists of vertices, and each vertex is a potential attack node. The edges in Figure 5 represent the state transitions between different attack nodes. Attack graphs are very useful in network forensics because they visualize the nodes that can be attacked and highlight the worst paths with the most significant threat of attack [5]. Identifying such nodes can help the network administrator design the security before the actual attack occurs. Attack graphs are used for several other purposes, including cost-benefit security hardening [33], evidence collection [33], recognizing multistage network attacks [29], and impact analysis [34].

The interaction and visualization framework is used in the attack graphs, and the purpose of using this framework is to study the intrusion behavior of the attack. There are thousands of edges and vertices, and it is a very time-consuming process to identify those susceptible to attack. Many research studies have depicted attack graphs that can be used for different aspects, including critical systems, data reduction, attack dependency graphs, virtual exploitation information, and others. However, only a few studies have emphasized the visualization process. Attack graphs are very complex in large integrated networks, and the RAVEN architecture was proposed to embed the visualization feature in the attack graphs. The principal purpose of introducing this architecture was to reduce the graphs' complexity in large networks. The RAVEN architecture has a visualized interface, and the investigators can interact with it with less complexity due to this interface. RAVEN has a collaborative environment that is analytical, and it has several gesture controls as well. The RAVEN architecture has a human-computer interaction platform that allows the investigators to manage the attack graph more effectively. Multitouch technology was integrated into the human-computer interaction platform to make it easier for the investigator to view each node and how they interact with the entire network. Some of the other vital features of the RAVEN architecture include non-real-time visual support in the real-time environment. However, RAVEN does not have a composite layout, due to which the investigators cannot observe multiple attack paths in parallel. Another disadvantage of using RAVEN is that it cannot mine the related information from the network efficiently. Attacks tend to be foiled by the deployed products and services, yet novel attacks still circumvent prevention products without being detected. In these circumstances, examining the attacks is a very challenging task. Quite often, serious attackers are skillful at concealing evidence. Consequently, firewall logs and intrusion detection notifications may miss these attacks entirely or may prove insufficient for the examination. This is especially the case when the aim is to apprehend the perpetrator.

2.5. Distributive-Based Network Forensic Technique. Distributive-based network forensic techniques can distribute the data agent systems and forensic network servers to resolve scalability for network forensic techniques. The forensic network servers for analysis collect the data from different data server agents located at various locations in the network. The distributive network forensic technique performs the evidence collection process, recognizes the origin of the attack, and performs the investigation [35]. The distributive network forensic technique keeps the server secured from the attackers by creating an overhead. The forensic servers are distributed throughout the network, and they are susceptible to attack. A distributed framework proposed by [36] works with different network devices and records their network logs. The network logs are stored at various locations in a network environment. The normal process is to

analyze the host and packet logs manually. Manual analysis creates several problems because of delays in the response time, synchronization among records, improper logging mechanisms, and low response time. The For Net framework is a Network Forensic Framework that improves evidence collection and resolves most of the abovementioned issues. The pieces of evidence are collected from the network devices such as the routers and switches by installing an application on each network. This application is known as SynApps. This application not only collects the data but also summarizes the information collected over a long period of time. Evidence regarding the network's vulnerabilities is taken from the packet header, which is more credible than data collected from the payload [37]. For Net uses Bloom filter tracking to investigate session creation among different hosts, maintaining port connection records and IP connections. However, an essential feature of the For Net framework is the storage of raw data regarding networks, specifically in an extensive integrated network. However, the intrusion detection system on For Net is lightweight and cannot detect some attacks. Most of these attacks are DDoS, which sends rogue queries, and the purpose of sending the queries is to consume the resources of the investigating servers. The intruder can perform modification of packets during this process. Furthermore, the intruders can also modify the logs which are transmitted through insecure communication channels.

Figure 4: Relationship among traceback techniques (categories: Probabilistic Packet Marking, Packet Logging, Deterministic Packet Marking, Autonomous Systems based; techniques shown: PPM, AAPM, APM, FIT, AAST, ASEM, AS-SPT, SPIE, DLLT, AMN, HITS, SNITCH, DPM, LDPM, DERM, AS-Overlay, Proposed).

Figure 5: Flow of process of the attack graph-based forensic technique (Preparation; Collection and preservation of evidence; Analysis of anti-investigation attacks; Searching for anti-forensic attacks; Identification of affected evidence; Cancelling the effects of anti-forensic attacks; Analysis of regular attacks; Presentation and reporting).
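As an added example (not code from the paper or from For Net), the following Python builds the kind of Bloom-filter session record that the text attributes to For Net: each observed (source, destination, port) session sets bits in a fixed-size array, and an investigator can later ask whether a session may have occurred without storing every record. The class, its sizing and the sample sessions are assumptions of this example.

```python
"""Bloom-filter session records in the style described for For Net.
A Bloom filter never gives false negatives, so "no" rules a session out;
it can give false positives, so "yes" must be corroborated from raw data."""
import hashlib
import math


class SessionBloomFilter:
    def __init__(self, expected_items, false_positive_rate=0.01):
        # Standard sizing: m bits and k hash functions for the target rate.
        self.m = math.ceil(-expected_items * math.log(false_positive_rate)
                           / (math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    @staticmethod
    def _key(src_ip, dst_ip, dst_port):
        # Direction matters: a session from A to B is not one from B to A.
        return f"{src_ip}>{dst_ip}:{dst_port}".encode()

    def _positions(self, key):
        # Derive k bit positions from one SHA-256 digest by double hashing.
        d = hashlib.sha256(key).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1   # odd stride covers the array
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def record_session(self, src_ip, dst_ip, dst_port):
        for pos in self._positions(self._key(src_ip, dst_ip, dst_port)):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def may_have_session(self, src_ip, dst_ip, dst_port):
        """True = possibly seen (needs corroboration); False = definitely not seen."""
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(self._key(src_ip, dst_ip, dst_port)))

    def estimated_false_positive_rate(self):
        # (1 - e^(-kn/m))^k, the textbook estimate for the current fill level.
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


# Constructed sample of session records (not from a real network).
SAMPLE_SESSIONS = [
    ("10.0.1.20", "10.0.2.5", 445),
    ("10.0.1.20", "10.0.2.5", 3389),
    ("10.0.1.31", "10.0.2.5", 22),
    ("10.0.1.31", "192.0.2.10", 443),
]


def build_filter(sessions, expected_items=10_000):
    """Insert every observed session into a filter sized for expected_items."""
    bf = SessionBloomFilter(expected_items)
    for src, dst, port in sessions:
        bf.record_session(src, dst, port)
    return bf


if __name__ == "__main__":
    bf = build_filter(SAMPLE_SESSIONS)
    print(bf.may_have_session("10.0.1.20", "10.0.2.5", 3389))  # recorded
    print(bf.may_have_session("10.0.1.99", "10.0.2.5", 3389))  # never recorded
    print(f"estimated false-positive rate: {bf.estimated_false_positive_rate():.2e}")
```

The asymmetry is the forensic point: a negative answer is definitive, whereas a positive answer only justifies pulling the corresponding raw captures, which the text notes For Net also stores.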

2.6. NFT Using Intrusion Detection System. The intrusion detection system is a network forensic technique that monitors and prevents malicious attacks, especially when the intruder tries to exploit the network [37]. The IDS detects the intrusion and triggers the alert system in the form of a message. The IDS informs the management system of the network to take appropriate actions. The IDS is especially essential when the intrusion threatens the confidentiality and integrity of the network [37]. IDS uses the logging approach to analyze the network intrusion, the reliability of the evidence, and dynamic forensics, and to describe the forensics. If an incoming packet label is in the NFT, as shown in Figure 6, the packet is routed normally. Several network forensic techniques use the IDS to identify network breaches and assist the forensic process.

Sy [38] proposed the Analytical Intrusion Detection Framework (AIDF) by merging the message alert system from the IDS and the forensic analysis conducted due to intrusion. The outcome of AIDF is a forensic explanation based on unreported signature rules and observed IDS alerts. AIDF uses a probabilistic approach to minimize the number of attacks, which unfolds the hidden information and models the attacks. AIDF recognizes the intrusions hidden in

Incoming pockets with Destination


to Victim Arrive

Matching Records Yes Do normal Routine


with NFT

No

Matching Records Yes


with SFT

No Timer out Yes

Matching Records Yes


with PDT
Sampling per 1ms Calculate NCAS
No
Continue
Add flow ID to SFT,
Timer Start
Begin sampling per 1ms Update pkt
Yes
Countining
Yes No NCAS <= reshold
Filtering Continue ?
Add flow ID to PDT

No Yes

End dropping & Flush Add flow ID to NFT


all tables Drop Packets

Figure 6: NFT network forensic.
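The bloom filter tracking attributed to ForNet and the NFT/SFT/PDT lookup order of Figure 6 can be put together in a few dozen lines. The following is an added example written for this page; it is not ForNet's code or the paper's. The table names come from the figure; what NCAS measures is not defined on the page, so the score of a sampled flow is supplied by the caller when its sampling timer expires. The flow identifiers are constructed.

```python
"""Bloom-filter flow tables that follow the lookup order of Figure 6 (NFT, then SFT, then PDT).
Added example, not ForNet's code. The NCAS score is a caller-supplied placeholder."""
import hashlib
import math


class BloomFilter:
    """Fixed-size bit array with k hash positions per item: no false negatives, no deletion."""

    def __init__(self, m_bits: int = 8192, k: int = 4) -> None:
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)
        self.items = 0  # insert count, used only for the false-positive estimate

    def _positions(self, item: str) -> list[int]:
        # Double hashing: k positions derived from one SHA-256 digest.
        digest = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.items += 1

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def false_positive_rate(self) -> float:
        """Classic estimate (1 - e^(-kn/m))^k for the current fill level."""
        return (1.0 - math.exp(-self.k * self.items / self.m)) ** self.k


def flow_id(src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> str:
    return f"{proto}:{src}:{sport}->{dst}:{dport}"


class FlowClassifier:
    """NFT: flows judged normal (routed). PDT: flows judged malicious (dropped).
    SFT: flows still under observation, kept in an exact dict because entries must be
    updated and removed, which a Bloom filter cannot do."""

    def __init__(self, threshold: float, m_bits: int = 8192) -> None:
        self.threshold = threshold
        self.nft = BloomFilter(m_bits)
        self.pdt = BloomFilter(m_bits)
        self.sft: dict[str, int] = {}

    def on_packet(self, fid: str) -> str:
        if fid in self.nft:          # known-good flow: normal routing
            return "route"
        if fid in self.sft:          # under observation: count the sampled packet
            self.sft[fid] += 1
            return "sample"
        if fid in self.pdt:          # already judged malicious: keep dropping
            return "drop"
        self.sft[fid] = 1            # first sight: start sampling this flow
        return "sample"

    def on_timer(self, fid: str, ncas: float) -> str:
        """The sampling window for fid has expired; commit the verdict to NFT or PDT."""
        self.sft.pop(fid, None)
        if ncas <= self.threshold:
            self.nft.add(fid)
            return "route"
        self.pdt.add(fid)
        return "drop"

    def flush(self) -> None:
        """'End dropping & flush all tables': rebuild the filters, since they cannot delete."""
        self.nft = BloomFilter(self.nft.m)
        self.pdt = BloomFilter(self.pdt.m)
        self.sft.clear()
```

Two properties of the filter matter for forensic use: a false positive in NFT routes a flow that was never judged, so the filter size has to be chosen for the expected flow count (false_positive_rate() gives the estimate), and nothing can be removed, which is why the figure's "flush all tables" step is a rebuild rather than a per-flow delete.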

Sy [38] proposed the Analytical Intrusion Detection Framework (AIDF) by merging the message alert system from the IDS and the forensic analysis conducted due to intrusion. The outcome of AIDF is a forensic explanation based on unreported signature rules and observed IDS alerts. AIDF uses a probabilistic approach to minimize the number of attacks that unfolds the hidden information and model the attacks. The AIDF recognizes the intrusions hidden in the network traffic using the signature rule, which compares the packets with the already encoded packets. The probabilistic inference process is carried out using Snort, which triggers the rule when a specific packet matches the pattern prerecorded in the signature rule. These rules assist the investigators in recognizing the potential attacks on the network, and they also help the investigators to define new rules to prevent future attacks. AIDF also has some disadvantages; for example, the AIDF does not know modules because it cannot store hidden and untreated data. AIDF cannot be used to prevent future attacks because of this disadvantage. The storage of unprocessed information can save a lot of time during the investigation process, and it can help to generate precise results. This mechanism can be used in creating intrusion detection alerts that can be used in real-time situations.

2.7. Review Analysis of Modern Network Forensics. This section of the paper discusses the open challenges faced by modern network forensic techniques (Figure 7). These challenges are significant to be studied while investigating large integrated networks such as cloud computing and software-defined networks. Following are the open challenges extracted from the review analysis, in line with the network forensic techniques.

2.8. High-Speed Data Transmission. High-speed data transmission is one of the biggest challenges for network forensics because it cannot capture and record all the packets on the network because of the high speed. Millions of data packets are transmitted on networks within a short period, and these packets pass through a vast number of interconnected devices. The network devices can play a significant role as evidence as the network data transmit through them. To identify the network data's susceptibilities, it is necessary to record the data packets at high speed; however, it is a very time-consuming process. Most companies enhance and expand their network structures. For this purpose, the companies connect distributive infrastructures to their high-speed networks. However, in most cases, network traffic is not entirely captured by the distributive infrastructures, and incomplete logs of network information are obtained.

The reconstruction of suspicious attacks becomes more difficult because of these incomplete logs, and it becomes tough to recognize the origin of the attack. This problem can be resolved only when capturing, indexing, preserving, and analyzing the data packets on a network are carried out in a real-time situation. A review of the literature suggests three distinct solutions for the aforementioned problems. These solutions include distributive-based solutions, software-based solutions, and hardware-based solutions [19]. The hardware-based solution requires installing a separate high-speed network traffic capturing device. This device can obtain specific data, and it can carry out a real-time analysis. The response time of this device is quick. The software-based solution requires installing software on the network. The nCap library is the software that is specifically designed to capture high-speed traffic on a network. This software is used to program the customized hardware for this purpose. This software is installed in user space rather than in kernel space. The programmers can quickly deploy this software, and it can perform the functions of capturing and carrying out analysis quickly. The distributed solution involves using a distributed packet capturing technique on high-speed networks. This technique provides load balance between different nodes and minimizes the cost of CPU cycles and memory.
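One detail that the distributed solution above has to get right is that both directions of a flow must reach the same capture node, otherwise no node holds a complete session to reconstruct. The following added example (not from [19] or the paper) distributes constructed packets over a configurable number of capture nodes by a symmetric flow hash; the node count and the traffic are assumptions.

```python
"""Flow-aware distribution of packets over capture nodes (added example, not the paper's).
Packets are constructed; n_nodes is a parameter."""
import hashlib


def symmetric_flow_key(src: str, sport: int, dst: str, dport: int, proto: str) -> str:
    """Order the two endpoints canonically so that request and reply packets of one
    flow produce the same key and therefore land on the same capture node."""
    a, b = (src, sport), (dst, dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def capture_node(key: str, n_nodes: int) -> int:
    """Map a flow key to a node index; a cryptographic hash keeps similar keys spread out."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_nodes


def distribute(packets: list[dict], n_nodes: int) -> dict[int, list[dict]]:
    """Assign every packet to a capture node; returns node index -> packets it captures."""
    nodes: dict[int, list[dict]] = {i: [] for i in range(n_nodes)}
    for pkt in packets:
        key = symmetric_flow_key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        nodes[capture_node(key, n_nodes)].append(pkt)
    return nodes


def flows_split_across_nodes(packets: list[dict], n_nodes: int) -> int:
    """Number of flows whose packets ended up on more than one node (must be 0)."""
    seen: dict[str, set[int]] = {}
    for pkt in packets:
        key = symmetric_flow_key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        seen.setdefault(key, set()).add(capture_node(key, n_nodes))
    return sum(1 for nodes in seen.values() if len(nodes) > 1)


def make_sample_packets(n_flows: int = 200) -> list[dict]:
    """Constructed traffic: n_flows client->server flows, each with a request and a reply."""
    pkts = []
    server, sport = "198.51.100.20", 443
    for i in range(n_flows):
        client, cport = f"192.0.2.{i % 250 + 1}", 40000 + i
        pkts.append({"src": client, "sport": cport, "dst": server, "dport": sport, "proto": "tcp"})
        pkts.append({"src": server, "sport": sport, "dst": client, "dport": cport, "proto": "tcp"})
    return pkts


if __name__ == "__main__":
    sample = make_sample_packets()
    for node, captured in distribute(sample, 4).items():
        print(f"node {node}: {len(captured)} packets")
    print("flows split across nodes:", flows_split_across_nodes(sample, 4))
```

Hashing on the symmetric key gives per-flow locality at the cost of coarse balance: a single heavy flow still goes entirely to one node, which is the trade-off a capture cluster has to accept if it wants per-node session reassembly.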

2.9. Data Storage on the Network Devices. The amount of data captured and stored on the network for carrying out the investigation is tremendous. Such a large amount of data creates problems for forensic experts while retrieving relevant information from these networks [39]. The interconnectivity devices' storage capacity is low, and huge storage space is required to store the captured data packets. Apart from this, the problem is resolved by designing a framework for capturing data by a machine based on time [9]. This framework minimizes the need for a massive storage speed and can also enhance the investigation process's pace.

Moreover, the General Processing Unit (GPU) offloads the indexing packets when it carries out a compressed bitmap index in real time. The GPU performs deterministically, which results in parallel operations at the same speed because of the advanced and faster memory interfaces. The storage speed reaches approximately a million records per second. In addition to this infrastructure, the n2disk architecture can also be used for this purpose. It can be used for single- and multiple-thread packet consumers, and it can search the packets from the dump files efficiently. This infrastructure can resolve the issue of storage space in high-speed networks.
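The compressed bitmap index mentioned above is what makes a capture store searchable without scanning every record. The following is an added example written for this page (it is not the paper's code, not n2disk's, and not the GPU indexer of [9]): one bitmap per (field, value) over constructed packet records, conjunctive queries by bitwise AND, and a run-length coder that shows why sparse bitmaps compress well.

```python
"""Bitmap index over captured packet records with run-length compression.
Added example, not the paper's or any indexer's code; the records are constructed."""
from collections import defaultdict


class BitmapIndex:
    """One bitmap per (field, value): bit i is set when record i carries that value.
    Bitmaps are Python ints, so a conjunctive query is a few ANDs over whole bitmaps
    instead of a scan over every record."""

    def __init__(self, fields: tuple[str, ...]) -> None:
        self.fields = fields
        self.n = 0
        self.bitmaps: dict[tuple[str, object], int] = defaultdict(int)

    def add(self, record: dict) -> int:
        rid = self.n
        for f in self.fields:
            self.bitmaps[(f, record[f])] |= 1 << rid
        self.n += 1
        return rid

    def query(self, **equals) -> list[int]:
        """Ids of records matching every field=value condition."""
        result = (1 << self.n) - 1          # start with all records
        for f, v in equals.items():
            result &= self.bitmaps.get((f, v), 0)
        return [i for i in range(self.n) if result >> i & 1]


def rle_encode(bitmap: int, n_bits: int) -> list[tuple[int, int]]:
    """Run-length encode as (bit, run_length) pairs. Bitmaps for high-cardinality
    fields (a source address, a rare port) are mostly zeros and collapse to a few runs."""
    runs: list[tuple[int, int]] = []
    for i in range(n_bits):
        bit = bitmap >> i & 1
        if runs and runs[-1][0] == bit:
            runs[-1] = (bit, runs[-1][1] + 1)
        else:
            runs.append((bit, 1))
    return runs


def rle_decode(runs: list[tuple[int, int]]) -> int:
    value, pos = 0, 0
    for bit, length in runs:
        if bit:
            value |= ((1 << length) - 1) << pos
        pos += length
    return value


SAMPLE_RECORDS = [  # constructed packet headers
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443, "proto": "tcp"},
    {"src": "192.0.2.11", "dst": "198.51.100.5", "dport": 443, "proto": "tcp"},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 53, "proto": "udp"},
    {"src": "192.0.2.12", "dst": "198.51.100.5", "dport": 22, "proto": "tcp"},
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443, "proto": "tcp"},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "dport": 53, "proto": "udp"},
    {"src": "192.0.2.10", "dst": "198.51.100.9", "dport": 80, "proto": "tcp"},
    {"src": "192.0.2.12", "dst": "198.51.100.5", "dport": 443, "proto": "tcp"},
]


def build_sample_index() -> BitmapIndex:
    idx = BitmapIndex(("src", "dst", "dport", "proto"))
    for rec in SAMPLE_RECORDS:
        idx.add(rec)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    print("src=192.0.2.10 and dport=443 ->", idx.query(src="192.0.2.10", dport=443))
    print("runs for dport=22:", rle_encode(idx.bitmaps[("dport", 22)], idx.n))
```

Real indexers (word-aligned hybrid schemes and their successors) compress by machine word rather than by bit and operate on the compressed form directly; the run-length coder here only makes the size argument visible.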
2.10. Data Integrity. Data integrity is one of the major concerns for the investigators while performing the network forensics. Data integrity means that the network must have the most consistent, complete, and accurate data. Analyzing data integrity on the networks is one of the most challenging and critical tasks for the investigators. Maintaining data integrity is difficult, considering several factors, including velocity, size, and scope of data. Network complications become higher when the trust and integrity of the data and data system become low. Several causes of low integrity may include frequent mobility of data, system malfunctioning, malicious attacks, software errors, and hardware errors. The process of network forensics is adversely affected when the data loses its integrity because of deliberate and intentional efforts [5]. Data integrity is an essential factor while prosecuting the intruder in the court of law.

The data integrity should be maintained using the end-to-end approach. It means that the use of software, as well as the hardware, should be seamless. Modern networks are growing at a breakneck pace, and it is necessary to get early updates about the problems and to resolve the issues of the network as soon as possible. Standards and appropriate methodologies are required to efficiently achieve the objective of cost-effectiveness to maintain the integrity of data, specifically in large and distributed networks. Reference [5] proposed a GUI-based monitoring system in which the server carries out the analysis of the network packets and then transmits them to client nodes for storage. It is a reliable system because it improves the data packets' analysis on the network with real-time characteristics and then stores them in the storage spaces owned by the clients, where they are safe from different kinds of vulnerabilities.
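The end-to-end integrity requirement above is usually met by making the evidence store tamper-evident rather than by trusting the storage clients. The following added example (not from [5] or the paper) chains constructed capture records with SHA-256 and seals the chain head with an HMAC; the key and the records are assumptions made for the demonstration.

```python
"""Tamper-evident storage of captured records: a SHA-256 hash chain sealed with an HMAC.
Added example (not from [5] or the paper); key and records are constructed."""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32
SEAL_KEY = b"constructed-demo-key-not-for-real-use"  # in practice: held off the capture host


def canonical(record: dict) -> bytes:
    # Deterministic serialization so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_chain(records: list[dict]) -> list[str]:
    """hash_i = SHA-256(hash_{i-1} || record_i): each link commits to all earlier ones."""
    prev, chain = GENESIS, []
    for rec in records:
        prev = hashlib.sha256(prev + canonical(rec)).digest()
        chain.append(prev.hex())
    return chain


def seal(chain: list[str], key: bytes = SEAL_KEY) -> str:
    """HMAC over the chain head. Someone who rewrites records and recomputes the whole
    chain still cannot produce a matching seal without the key."""
    head = bytes.fromhex(chain[-1]) if chain else GENESIS
    return hmac.new(key, head, hashlib.sha256).hexdigest()


def verify(records: list[dict], chain: list[str], seal_hex: str,
           key: bytes = SEAL_KEY) -> tuple[bool, int]:
    """Returns (ok, index): index is the first record whose link fails, the position of
    a length mismatch, len(records) for a bad seal, and -1 when everything checks out."""
    if len(records) != len(chain):
        return False, min(len(records), len(chain))
    prev = GENESIS
    for i, (rec, expected) in enumerate(zip(records, chain)):
        prev = hashlib.sha256(prev + canonical(rec)).digest()
        if not hmac.compare_digest(prev.hex(), expected):
            return False, i
    if not hmac.compare_digest(seal(chain, key), seal_hex):
        return False, len(records)
    return True, -1


SAMPLE_RECORDS = [  # constructed capture metadata
    {"ts": 1700000000.001, "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443, "len": 74},
    {"ts": 1700000000.004, "src": "198.51.100.5", "dst": "192.0.2.10", "dport": 51000, "len": 74},
    {"ts": 1700000000.009, "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443, "len": 517},
]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("seal:", seal(chain))
    print("verify:", verify(SAMPLE_RECORDS, chain, seal(chain)))
```

The chain alone only detects edits by someone who cannot rewrite the whole store; the seal is what ties the evidence to a key the storage clients do not hold, which is the point of the end-to-end approach.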

2.11. Data Privacy. Data privacy holds one of the critical positions within the realm of network forensics. The problem mentioned above can be resolved using a forensic attribution solution. The forensic investigator can have a look at the particular data but only by verifying the signature. This process is known as forensic attribution in any network. Cryptographic tools can be used for this purpose, which may include BBS short group signatures and group signatures. It means that any one of the group members can create a signature, which is verifiable by the rest of the group; however, the identification of the creator cannot be performed without authentication from the rest of the members of the group. The BBS scheme has shorter signatures than the general group-signature scheme. It is in the form of a clue that is associated with the optimization of the evidence. The cryptographic tools used for this purpose ensure that only known parties have awareness about the physical identity of the hardware that is transmitting the IP packets on a network. In contrast, others cannot identify their physical status. As a result, the issue of data privacy that arises while analyzing the integrated networks is resolved.

2.12. Access to IP Addresses. Identification of the IP address of the attacker is an essential step in carrying out network forensics. The IP address of the source provides information about the origin of the attack [12]. Identifying the IP address can lead the investigators to the intruder and prevent future attacks from the same intruder. The intruders use several techniques to hide their IP addresses from the various devices installed on the network. Spoofing the IP address is one such technique in which the intruder can show a fake IP address to the devices registered on the network. Spoofing is the technique that is mostly used in DDoS attacks. The purpose of conducting DDoS attacks is to bombard the network with enormous traffic from different suspect systems. Identifying the original IP address in case of a spoofed IP address becomes very difficult for forensic investigators, specifically in large integrated networks. A Source Address Validation Improvement (SAVI) solves the problem mentioned above, as it binds the source host MAC address, IP address, and uplink port properties. It prevents intruders from spoofing the IP address by restricting the attached nodes to stay connected with the same uplink. Additionally, the SAVI uses traceback and antispoofing for IPv4/IPv6 transition by extracting common and crucial properties. In short, this system works very effectively to prevent spoofing.
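The binding of MAC address, IP address, and uplink port that SAVI relies on can be shown with a small binding table checked at the access switch. The following is an added example in the spirit of the approach described above; it is not a SAVI implementation from any standard or product, and the bindings, port names, and frames are constructed.

```python
"""Source-address validation against a (MAC, IP, uplink port) binding table.
Added example in the spirit of SAVI; not an implementation of any standard or product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str  # switch port (uplink) the host is attached to


class BindingTable:
    """One binding per IP, created when the address is assigned to a host (for example
    from an observed DHCP lease); every later packet must match that binding."""

    def __init__(self) -> None:
        self.by_ip: dict[str, Binding] = {}

    def learn(self, mac: str, ip: str, port: str) -> Binding:
        new = Binding(mac, ip, port)
        existing = self.by_ip.get(ip)
        if existing is not None and existing != new:
            # The same address claimed by another MAC or port: refuse and keep the first owner.
            raise ValueError(f"binding conflict for {ip}: {existing} vs {new}")
        self.by_ip[ip] = new
        return new

    def check(self, src_mac: str, src_ip: str, ingress_port: str) -> str:
        """Reason string; 'ok' means the source address is consistent with its binding."""
        b = self.by_ip.get(src_ip)
        if b is None:
            return "unbound-source"
        if b.port != ingress_port:
            return "port-mismatch"
        if b.mac != src_mac:
            return "mac-mismatch"
        return "ok"


def filter_packets(table: BindingTable, packets: list[dict]) -> list[tuple[str, str]]:
    """(action, reason) per packet: forward only when the binding check passes."""
    out = []
    for p in packets:
        reason = table.check(p["src_mac"], p["src_ip"], p["port"])
        out.append(("forward" if reason == "ok" else "drop", reason))
    return out


def sample_table() -> BindingTable:
    # Constructed bindings for two hosts on an access switch.
    t = BindingTable()
    t.learn("02:00:00:00:00:0a", "192.0.2.10", "Gi1/0/1")
    t.learn("02:00:00:00:00:0b", "192.0.2.11", "Gi1/0/2")
    return t


SAMPLE_PACKETS = [  # constructed frames as seen at the access switch
    {"src_mac": "02:00:00:00:00:0a", "src_ip": "192.0.2.10", "port": "Gi1/0/1"},  # host A, its own address
    {"src_mac": "02:00:00:00:00:0b", "src_ip": "192.0.2.10", "port": "Gi1/0/2"},  # host B using A's address
    {"src_mac": "02:00:00:00:00:0c", "src_ip": "192.0.2.10", "port": "Gi1/0/1"},  # A's port, unknown MAC
    {"src_mac": "02:00:00:00:00:0b", "src_ip": "203.0.113.7", "port": "Gi1/0/2"},  # address never assigned
]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_packets(sample_table(), SAMPLE_PACKETS)):
        print(pkt["src_ip"], pkt["port"], "->", verdict)
```

For the investigator the useful by-product is the reason string: a port mismatch names the uplink the spoofed traffic actually entered on, which is exactly the origin information Section 2.12 says spoofing is meant to hide.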
2.13. Location of Data Extraction. The process of network forensics becomes challenging due to the virtualized characteristics and distributive nature of networks. It becomes difficult for forensic experts to identify the device and appropriate location for extracting data. It is almost impossible to handle all links and the connected devices on the networks where thousands of devices are connected and millions of packets of data pass through each device every second. Extracting data from any location in such networks becomes a radical challenge for network forensics because they may breach privacy or affect data integrity at any point. Besides, many devices on a network are designed to extract and analyze the data for network forensics, including packet sniffers, protocol analyzers, network forensic analysis tools, firewalls, IDS, and routers. The appropriate placement of these devices to extract and analyze data from the network is a key challenge for network forensics.

2.14. Forensic Networks in Mobile Cloud Computing (MCC). MCC network cloud services are obtained by smart device users associated with long-term evolution networks via Wi-Fi, WLAN, and 3G/4G/5G. These networks must be very quick and protected enough to send user requests to parallel computing clouds and return results to connected devices' users. However, attackers target these networks to connect and get access in the form of a network attack. The current security plan covers the use of firewalls and IDS to detect and identify attack patterns. However, smart attacks use these security approaches to spread malicious network activities. Protection systems should be smart enough to detect smart attacks that threaten the system. The network position shows a network address, which connects two entities in MCC. MCC generally includes these networks: data center, cloud access, and intercloud networks [40], as shown in Table 1. The value of the forensics process lies in every aspect of MCC's network channels of communication. NFF must monitor malicious activity through network packets if a smart device user is connected to mobile clouds or data centers are connected or linked to other cloud data centers. NFIs have limited or no access to examine various network susceptibilities [41]; therefore, the forensic investigation should become a permanent service for MCC users via channels and secure cloud resources (Table 2). The linking network between two or more clouds is called the intercloud network. This network deploys a high-capacity, high-speed, line-rate fiber optic network. The intercloud network is used when one domain migrates or transfers an application for execution or storage to another domain. The intercloud network provides a dedicated network, and protocol optimization increases the transfer speed. Table 3 provides a brief overview of each network position within MCC. All network positions in MCC are considered vulnerable to NFF attacks. Due to these vulnerabilities, no network is safe from attack, which requires further investigation to find the attack's origin.

(i) Scalability
(ii) Overhead computational
(iii) Data storage
(iv) Data accuracy
(v) Complexity
(vi) Privacy/security
(vii) Adaptability

The data is analyzed using SPSS (version 16), and all the graphical illustrations of study variables are interpreted accordingly. Moreover, the description of codes is as follows: scalability: horizontal (HT), vertical (VT), both (BT), and not applicable (N/A); overhead computational: high (H), moderate (M), low (L), and not applicable (N/A); data storage: high (H), moderate (M), low (L), and not applicable (N/A); data accuracy: high (H), moderate (M), low (L), and not applicable (N/A); complexity: implementation (IM), analysis (AL), collection (CL), and investigation (IV); privacy/security: high (H), moderate (M), low (L), and not applicable (N/A); adaptability: difficult (D), high (H), moderate (M), low (L), and not applicable (N/A).

2.15. Data Analysis Results. Frequency analysis is suitable for the categorical data of the current study. The data size is 22, covering each theme of Network Forensic Framework (NFF) for each variable of the study. The variables are analyzed as shown in the outputs as follows. Table 4 shows the experimentation results. It can be perceived that the scalability is the highest for the horizontal category, having 50%, whereas both-sided scalability is very low and is 1%. Besides, overhead shows the maximum percentage for moderate (45.5%), while the minimum percentage exists for low (22.7%). Furthermore, the output for data storage shows that, out of the total themes of NFF, moderate and low data storage are at the same percentage of 40.9%, and the percentage is very low for high and not applicable, showing 9.1%. Data accuracy shows the minimum percentage for the category high and is 9.1%, whereas not applicable is 50%, and 27.3% of the data is accurate for NFF, which is low. Besides, the highest complexity proportion exists for implementation and analysis both together and is 40.9%. In contrast, data complexity for collection and analysis is less. This paper proposed a thematic taxonomy of classifications of network forensic techniques based on extensive.

Table 1: Various positions using mobile cloud computing (MCC).

Positioning | Entities link | Example | Objective | Network accessibility
Cloud access network | User cloud services | Internet, NGN, and 4G | Dynamic routing and accessibility to cloud | Possible
Data center network | Data center | Cluster computing | Load balancing, virtualization, and intensive computing | CSP
Intercloud network | Cloud system | Cloud collaboration | Cloud resource migration | CSP

Table 2: Various problems in current network forensic and mobile cloud computing (MCC).
Issues Current network forensic MCC network forensics
Data acquisition No Yes
Access of artifacts No Yes
Bandwidth utilization No Yes
Chain of custody No Yes
Data integrity No Yes
Privacy No Yes
Real-time analysis No Yes
Volatile data No Yes
Forensics tools No Yes

Table 3: Network position within the MCC.


NFF techniques Scalability Overhead computational Data storage Data accuracy Complexity Privacy Adaptability
N/A H H L IM L N/A
HT H M M AL M D
Traceback VT L L H IV L M
HT M N/A N/A IM N/A D
N/A H H M IM M D
N/A H L L IM, AL L D
Converge network N/A M M N/A IM, CL, AL L D
HT M M N/A IM, AL L N/A
HT M M N/A IM, AL N/A D
HT H L N/A IM, AL N/A D
Intrusion
N/A H L N/A AL L D
N/A L L L IM, AL L D
HT M L N/A AL L L
N/A M L N/A IM, CL, AL M L
N/A H M L IM, AL M D
Attack-based graph
HT M M H AL M M
HT L L M AL M H
HT L N/A N/A AL H M
VT M M N/A CL, AL L M
BT M M N/A AL L L
Distributive
HT M M L CL, AL L L
HT L L L IM, CL, AL L M

The categorization was performed considering the target information units and execution strategies used while doing forensic investigations. Qualitative practices were used to develop the thematic taxonomy for this function. The objectives of this study include availability to the system infrastructure and artifacts and collection of research against the intruder system that utilizes practices to communicate the information regarding community attacks with minimal false-negative issues.

Table 4: Analyzed results of the selected variables using IBM SPSS (version 16).

Variable / category (valid cases) | Frequency | Percent | Valid percent | Cumulative percent
Scalability
  HT (horizontal) | 11 | 50.0 | 50.0 | 50.0
  VT (vertical) | 2 | 9.1 | 9.1 | 59.1
  BT (both) | 1 | 4.5 | 4.5 | 63.6
  N/A (not applicable) | 8 | 36.4 | 36.4 | 100.0
  Total | 22 | 100.0 | 100.0 |
Overhead
  High (H) | 7 | 31.8 | 31.8 | 31.8
  Moderate (M) | 10 | 45.5 | 45.5 | 77.3
  Low (L) | 5 | 22.7 | 22.7 | 100.0
  Total | 22 | 100.0 | 100.0 |
Data storage
  High (H) | 2 | 9.1 | 9.1 | 9.1
  Moderate (M) | 9 | 40.9 | 40.9 | 50.0
  Low (L) | 9 | 40.9 | 40.9 | 90.9
  Not applicable (N/A) | 2 | 9.1 | 9.1 | 100.0
  Total | 22 | 100.0 | 100.0 |
Data accuracy
  High (H) | 2 | 9.1 | 9.1 | 9.1
  Moderate (M) | 3 | 13.6 | 13.6 | 22.7
  Low (L) | 6 | 27.3 | 27.3 | 50.0
  Not applicable (N/A) | 11 | 50.0 | 50.0 | 100.0
  Total | 22 | 100.0 | 100.0 |
Complexity
  Implementation (IM) and analysis (AL) | 9 | 40.9 | 40.9 | 40.9
  Implementation (IM), collection (CL), and analysis (AL) | 4 | 18.2 | 18.2 | 59.1
  Analysis (AL) | 6 | 27.3 | 27.3 | 86.4
  Collection (CL) and analysis (AL) | 3 | 13.6 | 13.6 | 100.0
  Total | 22 | 100.0 | 100.0 |
Privacy/security
  High (H) | 1 | 4.5 | 4.5 | 4.5
  Moderate (M) | 6 | 27.3 | 27.3 | 31.8
  Low (L) | 12 | 54.5 | 54.5 | 86.4
  Not applicable (N/A) | 3 | 13.6 | 13.6 | 100.0
  Total | 22 | 100.0 | 100.0 |
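The frequency analysis of Section 2.15 can be reproduced from the codes printed in Table 3, which is a useful check on any such table. The following added example (not the paper's analysis, which was done in SPSS) transcribes the 22 rows of Table 3 for the five single-code variables and recomputes the frequency, percent, and cumulative percent blocks of Table 4. The complexity column carries several codes per row and Table 4 groups it differently, so it is left out.

```python
"""Frequency table in the format of Table 4, recomputed from the Table 3 codes as printed.
Added example; the paper's own figures were produced with SPSS, not with this script."""
from collections import Counter

# (scalability, overhead, data storage, data accuracy, privacy/security) for the 22 NFF
# technique rows of Table 3, in the order they are printed on the page.
TABLE3_CODES = [
    ("N/A", "H", "H", "L", "L"), ("HT", "H", "M", "M", "M"), ("VT", "L", "L", "H", "L"),
    ("HT", "M", "N/A", "N/A", "N/A"), ("N/A", "H", "H", "M", "M"), ("N/A", "H", "L", "L", "L"),
    ("N/A", "M", "M", "N/A", "L"), ("HT", "M", "M", "N/A", "L"), ("HT", "M", "M", "N/A", "N/A"),
    ("HT", "H", "L", "N/A", "N/A"), ("N/A", "H", "L", "N/A", "L"), ("N/A", "L", "L", "L", "L"),
    ("HT", "M", "L", "N/A", "L"), ("N/A", "M", "L", "N/A", "M"), ("N/A", "H", "M", "L", "M"),
    ("HT", "M", "M", "H", "M"), ("HT", "L", "L", "M", "M"), ("HT", "L", "N/A", "N/A", "H"),
    ("VT", "M", "M", "N/A", "L"), ("BT", "M", "M", "N/A", "L"), ("HT", "M", "M", "L", "L"),
    ("HT", "L", "L", "L", "L"),
]

COLUMNS = {"scalability": 0, "overhead": 1, "storage": 2, "accuracy": 3, "privacy": 4}
CODE_ORDER = {"scalability": ("HT", "VT", "BT", "N/A")}  # every other variable: H, M, L, N/A
DEFAULT_ORDER = ("H", "M", "L", "N/A")


def frequency_table(variable: str, rows=TABLE3_CODES) -> list[tuple[str, int, float, float]]:
    """(code, frequency, percent, cumulative percent) per code, like one block of Table 4.
    Percent equals valid percent here because no row lacks a value. Codes with a count of
    zero are omitted, as Table 4 omits them."""
    col = COLUMNS[variable]
    counts = Counter(r[col] for r in rows)
    n = len(rows)
    out, running = [], 0
    for code in CODE_ORDER.get(variable, DEFAULT_ORDER):
        c = counts.get(code, 0)
        if c == 0:
            continue
        running += c
        out.append((code, c, round(100.0 * c / n, 1), round(100.0 * running / n, 1)))
    return out


def render(variable: str) -> str:
    lines = [f"{variable:<12}{'Frequency':>10}{'Percent':>9}{'Cumulative':>12}"]
    for code, c, pct, cum in frequency_table(variable):
        lines.append(f"  {code:<10}{c:>10}{pct:>9.1f}{cum:>12.1f}")
    lines.append(f"  {'Total':<10}{len(TABLE3_CODES):>10}{100.0:>9.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name in COLUMNS:
        print(render(name), "\n")
```

For the five variables tabulated here the recomputed blocks agree with Table 4 to the printed decimal, which is the kind of consistency check worth running before quoting percentages from a coded review table.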

[Figure 7: bar chart titled "Challenges in Modern Network Forensic Issues". Y axis: percentage (%) from 0.00 to 100.00; X axis categories: Scalability, Data Storage, Overhead, Data Accuracy, Security; series: Frequency, Valid, Cumulative.]

Figure 7: Challenges in modern network forensic issues.

Among all categories showing a portion of the data storage 88.6%, the percentage of security/privacy is highest, which is 88.5%, and is very low in the category of accuracy, which is showing 90%, which means that the data is not secured and NFF has a weak or no privacy system. Lastly, the adaptability to MCC is very difficult in cloud computing. Data also shows the percentage of 100%, which is the highest, is least for high adaptability, and is 90.5%, respectively.

3. Conclusions and Future Research

This research reviewed the subject matter of network forensic techniques used to gather and investigate the legal information regarding the intruders. The investigators have to consider many factors, including the integrity and reliability of the attack, the origin of the attack, the objectives behind the attack, determining the worst path susceptible to attacks, and highlighting the actual attack paths. The network forensic goals can be achieved when forensic experts are well aware of the nature of the attack, of the associated challenges of network forensics, and of the tools they select to perform the network forensics. The network forensic techniques play a significant role in capturing, identifying, recording, and analyzing the legal information, specifically in integrated networks. Forensic experts face several challenges while performing forensics, and details about each of the problems are provided in the paper's previous sections. The network forensic experts need to emphasize developing more intelligent network forensic tools instantly. This is the only way through which they can minimize the abovementioned challenges in network forensics. Besides, they can also reduce the storage requirements and delays in network forensics, can work in high-speed networks, and can also maintain the privacy and integrity of data. The forensics should also explore cloud computing networks, especially mobile cloud computing, because mobile devices will also be the most important and widely used devices sooner. The classification has been carried out based on the target datasets and implementation techniques while performing forensic investigations. For this purpose, the qualitative methods have been used to develop the thematic taxonomy. The objectives of this study include accessibility to the network infrastructure and artifacts and collection of evidence against the intruder using network forensic techniques to communicate the information related to network attacks with minimum false-negative results.

Data Availability

Experimental data are available within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] K. Jiang and R. Xuan, "Book review: guide to computer forensics and investigations," Journal of Digital Forensics, Security and Law, vol. 3, no. 5, p. 467, 2008.
[2] R. Bejtlich, The Practice of Network Security Monitoring: Understanding Incident Detection and Response, p. 469, No Starch Press, San Francisco, California, 2013.
[3] E. S. Pilli, R. C. Joshi, and R. Niyogi, "Network forensic frameworks: survey and research challenges," Digital Investigation, vol. 7, no. 1-2, pp. 14–27, 2010.
[4] M. Rasmi and A. Jantan, "A new algorithm to estimate the similarity between the intentions of the cyber crimes for network forensics," Procedia Technology, in Proceedings of the 4th International Conference on Electrical Engineering and Informatics (ICEEI 2013), vol. 11, pp. 540–547, Malaysia, June 2013.
[5] B. Cusack and M. Alqahtani, "Acquisition of evidence from network intrusion detection systems," in Proceedings of the 11th Australian Digital Forensics Conference, Perth, Western Australia, December 2013.
[6] B.-C. Cheng, G.-T. Liao, H.-C. Huang, and P.-H. Hsu, "Cheetah: a space-efficient HNB-based NFAT approach to supporting network forensics," Annals of Telecommunications - Annales des Télécommunications, vol. 69, no. 7-8, pp. 379–389, 2014.
[7] D. Wang, T. Li, S. Liu, J. Zhang, and C. Liu, "Dynamical network forensics based on immune agent," in Proceedings of the Third International Conference on Natural Computation (ICNC 2007), vol. 3, pp. 651–656, IEEE, Haikou, China, August 2007.
[8] M. Ibrahim, M. T. Abdullah, and A. Dehghantanha, "VoIP evidence model: a new forensic method for investigating VoIP malicious attacks," in Proceedings of the 2012 International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec), pp. 201–206, IEEE, Kuala Lumpur, Malaysia, June 2012.
[9] L. M. Chen, M. C. Chen, W. Liao, and Y. S. Sun, "A scalable network forensics mechanism for stealthy self-propagating attacks," Computer Communications, vol. 36, no. 13, pp. 1471–1484, 2013.
[10] I. L. Lin, Y. S. Yen, B. L. Wu, and H. Y. Wang, "VoIP network forensic analysis with digital evidence procedure," in Proceedings of the 6th International Conference on Networked Computing and Advanced Information Management, pp. 236–241, IEEE, Seoul, January 2010.
[11] W. Ren and H. Jin, "Distributed agent-based real time network intrusion forensics system architecture design," in Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA'05), vol. 1, pp. 177–182, IEEE, Taipei, Taiwan, March 2005.
[12] E. Jeong and B. Lee, "An IP traceback protocol using a compressed hash table, a sinkhole router and data mining based on network forensics against network attacks," Future Generation Computer Systems, vol. 33, pp. 42–52, 2014.
[13] Y. Zhu, "Attack pattern discovery in forensic investigation of network attacks," IEEE Journal on Selected Areas in Communications, vol. 29, no. 7, pp. 1349–1357, 2011.
[14] S. Perry, "Network forensics and the inside job," Network Security, vol. 2006, no. 12, p. 13, 2006.
[15] D. M. White, "The federal information security management act of 2002: a Potemkin village," Fordham Law Review, vol. 497, pp. 79–369, 2010.

[16] C. Wang, T. Feng, J. Kim, G. Wang, and W. Zhang, "Catching packet droppers and modifiers in wireless sensor networks," in Proceedings of the 2009 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks, pp. 1–9, IEEE, Rome, Italy, June 2009.
[17] S. Zander, G. Armitage, and P. Branch, "A survey of covert channels and countermeasures in computer network protocols," IEEE Communications Surveys & Tutorials, vol. 9, no. 3, pp. 44–57, 2007.
[18] H. Kim, "Protection against packet fragmentation attacks at 6LoWPAN adaptation layer," in Proceedings of the 2008 International Conference on Convergence and Hybrid Information Technology, pp. 796–801, IEEE, Wisła, Poland, October 2008.
[19] A. Sperotto, G. Schaffrath, R. Sadre, C. Morariu, A. Pras, and B. Stiller, "An overview of IP flow-based intrusion detection," IEEE Communications Surveys & Tutorials, vol. 12, no. 3, pp. 343–356, 2010.
[20] V. Chandola, A. Banerjee, and V. Kumar, "Anomaly detection," ACM Computing Surveys, vol. 41, no. 3, pp. 1–58, 2009.
[21] P. Li, M. Salour, and X. Su, "A survey of internet worm detection and containment," IEEE Communications Surveys & Tutorials, vol. 10, no. 1, pp. 20–35, 2008.
[22] V. Igure and R. Williams, "Taxonomies of attacks and vulnerabilities in computer systems," IEEE Communications Surveys & Tutorials, vol. 10, no. 1, pp. 6–19, 2008.
[23] B. Yu and R. Wang, "Research of access control list in enterprise network management," Lecture Notes in Electrical Engineering, in Informatics and Management Science VI, pp. 121–129, Springer, Berlin, Germany, 2013.
[24] F. Akhtar, J. Li, M. Azeem et al., "Effective large for gestational age prediction using machine learning techniques with monitoring biochemical indicators," The Journal of Supercomputing, vol. 76, pp. 1–19, 2019.
[25] J. Li, D. Zhou, W. Qiu et al., "Application of weighted gene co-expression network analysis for data from paired design," Scientific Reports, vol. 8, pp. 622–628, 2018.
[26] F. Akhtar, J. Li, Y. Pei et al., "Diagnosis and prediction of large-for-gestational-age fetus using the stacked generalization method," Applied Sciences, vol. 9, no. 20, p. 4317, 2019.
[27] A. Imran, J. Li, Y. Pei, J.-J. Yang, and Q. Wang, "Comparative analysis of vessel segmentation techniques in retinal images," IEEE Access, vol. 7, pp. 114862–114887, 2019.
[28] J. Li, L. Liu, J. Sun et al., "Comparison of different machine learning approaches to predict small for gestational age infants," IEEE Transactions on Big Data, vol. 6, no. 2, 2016.
[29] C. Liu, A. Singhal, and D. Wijesekera, "Using attack graphs in forensic examinations," in Proceedings of the 2012 Seventh International Conference on Availability, Reliability and Security, pp. 596–603, IEEE, Prague, August 2012.
[30] A. Diamah, M. Mohammadian, and B. M. Balachandran, "Network security evaluation method via attack graphs and fuzzy cognitive maps," in Intelligent Decision Technologies, pp. 433–440, Springer, Berlin, Germany, 2012.
[31] A. B. Johnston, SIP: Understanding the Session Initiation Protocol, Artech House, Norwood, Massachusetts, 2015.
[32] D. Saha, "Extending logical attack graphs for efficient vulnerability analysis," in Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 63–74, New York, NY, USA, October 2008.
[33] Y. Fen, Z. Hui, C. Shuang-shuang, and Y. Xin-chun, "A lightweight IP traceback scheme depending on TTL," Procedia Engineering, vol. 29, pp. 1932–1937, 2012.
[34] M. Albanese, S. Jajodia, A. Pugliese, and V. S. Subrahmanian, "Scalable analysis of attack scenarios," in Computer Security - ESORICS 2011, European Symposium on Research in Computer Security, pp. 416–433, Springer, Berlin, Germany, 2011.
[35] S. Anwar, J. M. Zain, M. F. Zolkipli, Z. Inayat, A. N. Jabir, and J. B. Odili, "Response option for attacks detected by intrusion detection system," in Proceedings of the 2015 4th International Conference on Software Engineering and Computer Systems (ICSECS), pp. 195–200, IEEE, Kuantan, Malaysia, August 2015.
[36] K. Shanmugasundaram, N. Memon, A. Savant, and H. Bronnimann, "ForNet: a distributed forensics network," in Computer Network Security, V. Gorodetsky, L. Popyack, and V. Skormin, Eds., Lecture Notes in Computer Science, pp. 1–16, Springer Berlin Heidelberg, Berlin, Heidelberg, 2003.
[37] M. Ponec, P. Giura, J. Wein, and H. Brönnimann, "New payload attribution methods for network forensic investigations," ACM Transactions on Information and System Security, vol. 13, no. 2, pp. 1–32, 2010.
[38] B. K. Sy, "Integrating intrusion alert information to aid forensic explanation: an analytical intrusion detection framework for distributive IDS," Information Fusion, vol. 10, no. 4, pp. 325–341, 2009.
[39] W. Wang and T. E. Daniels, "A graph based approach toward network forensics analysis," ACM Transactions on Information and System Security, vol. 12, no. 1, pp. 1–33, 2008.
[40] H. T. Dinh, C. Lee, D. Niyato, and P. Wang, "A survey of mobile cloud computing: architecture, applications, and approaches," Wireless Communications and Mobile Computing, vol. 13, no. 18, pp. 1587–1611, 2013.
[41] S. Gupta, P. Kumar, and A. Abraham, "A profile based network intrusion detection and prevention system for securing cloud environment," International Journal of Distributed Sensor Networks, vol. 9, no. 3, Article ID 364575, 2013.
