Publication


Featured research published by Kulesh Shanmugasundaram.


mathematical methods models and architectures for network security systems | 2006

Fornet: a distributed forensics network

Nasir D. Memon; Kulesh Shanmugasundaram

Networks are vulnerable to attacks and misuse. Firewalls and Intrusion Detection Systems are in place to protect the networks. Despite these defenses we still witness many security incidents. To guarantee the safety and survivability of networks we must complement the defensive mechanisms with a monitoring mechanism capable of aiding forensics when the security mechanisms fail. State-of-the-art solutions to support network forensics often collect raw network data but lack the ability to retain large volumes of collected data for prolonged periods of time. This reduces the longevity of evidence collected, which in turn inhibits postmortems. Furthermore, these solutions also do not scale well for large intranets and wide area networks. This dissertation describes the design and the development of a distributed network forensics system called ForNet. Unlike the state-of-the-art solutions, ForNet uses a concept called synopses to reduce raw network traffic to succinct form such that sufficient data useful for forensics is captured and archived for prolonged periods of time. The dissertation also describes the architecture of ForNet, in which we introduce the concept of cascading data collection and the integration of monitoring and privacy policies into the system itself. The use of synopses and cascading collection of data together allow ForNet to scale better for large networks as well. We also introduce some useful synopses in this dissertation. The first synopsis, called a Hierarchical Bloom Filter, represents payloads in a succinct form. The synopsis is then extended and used in ForNet to be able to attribute bit strings to their sources and destinations. The second set of synopses keeps track of flow aggregates and flow compositions. This synopsis uses the statistical properties of payloads to identify the content type of flows independent of port bindings or application headers.
We conclude the dissertation with the description of ForNet's deployment in an intranet and with the evaluation of its synopses in tracking real security incidents in the intranet.


annual computer security applications conference | 2003

Automatic reassembly of document fragments via context based statistical models

Kulesh Shanmugasundaram; Nasir D. Memon

Reassembly of fragmented objects from a collection of randomly mixed fragments is a common problem in classical forensics. We address the digital forensic equivalent, i.e., reassembly of document fragments, using statistical modelling tools applied in data compression. We propose a general process model for automatically analyzing a collection of fragments to reconstruct the original document by placing the fragments in proper order. Probabilities are assigned to the likelihood that two given fragments are adjacent in the original using context modelling techniques in data compression. The problem of finding the optimal ordering is shown to be equivalent to finding a maximum weight Hamiltonian path in a complete graph. Heuristics are designed and explored, and implementation results are provided which demonstrate the validity of the proposed technique.


international conference on acoustics, speech, and signal processing | 2003

Automated reassembly of fragmented images

Anandabrata Pal; Kulesh Shanmugasundaram; Nasir D. Memon

In this paper we address the problem of reassembly of images from a collection of their fragments. The image reassembly problem is formulated as a combinatorial optimization problem and image assembly is then done by finding an optimal ordering of fragments. We present implementation results showing that images can be reconstructed with high accuracy even when there are thousands of fragments and multiple images involved.


annual computer security applications conference | 2004

Nabs: a system for detecting resource abuses via characterization of flow content type

Kulesh Shanmugasundaram; Mehdi Kharrazi; Nasir D. Memon

One of the growing problems faced by network administrators is the abuse of computing resources by authorized and unauthorized personnel. The nature of abuse may vary from using unauthorized applications to serving unauthorized content. Proliferation of peer-to-peer networks and wide use of tunnels make it difficult to detect such abuses and easy to circumvent security policies. This paper presents the design and implementation of a system, called Nabs, that characterizes content types of network flows based solely on the payload, which can then be used to identify abuses of computing resources. The proposed method does not depend on packet headers or other simple packet characteristics and hence is more robust to circumvention.


multimedia signal processing | 2002

Data masking: a secure-covert channel paradigm

Regunathan Radhakrishnan; Kulesh Shanmugasundaram; Nasir D. Memon

It is well known that encryption provides secure channels for communicating entities. However, due to lack of covertness on these channels, an eavesdropper can identify encrypted streams through statistical tests and capture them for further cryptanalysis. Hence, the communicating entities can use steganography to achieve covertness. In this paper, we propose a new form of multimedia steganography called data masking. Instead of embedding a secret message into a multimedia object, as in traditional multimedia steganography, we process the entire secret message using an inverse Wiener filter to make it look like a multimedia object itself. Thereby we foil an eavesdropper who is primarily applying statistical tests to detect encrypted communication channels. We show that our approach can potentially give a covert channel capacity which is an order of magnitude higher than traditional steganography.


international conference on digital forensics | 2005

Integrating Digital Forensics in Network Infrastructures

Kulesh Shanmugasundaram; Hervé Brönnimann; Nasir D. Memon

This paper explores the idea of integrating digital forensic capabilities into network infrastructures. Building a forensic system for wide area networks has generally been considered infeasible due to the large volume of data that potentially has to be processed and stored. However, it is opportune to revisit this problem in the light of recent advances in data streaming algorithms, the abundance of cheap storage and compute power and, more importantly, increased threats faced by networked infrastructures. This paper discusses the challenges involved in building reliable forensic systems for wide area networks, including the Internet itself. Also, it describes a prototype network forensic system that is currently under development.


international conference on information systems security | 2006

Network monitoring for security and forensics

Kulesh Shanmugasundaram; Nasir D. Memon

The networked environment has grown hostile over the years. In order to guarantee the security of networks and the resources attached to networks it is necessary to constantly monitor and analyze network traffic. Increasing network bandwidth, however, prohibits the recording and analysis of raw network traffic. In this paper we discuss some challenges facing network monitoring and present monitoring strategies to alleviate the challenges.


Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004. | 2004

Network abuse detection via flow content characterization

Mehdi Kharrazi; Kulesh Shanmugasundaram; Nasir D. Memon

One of the growing problems faced by network administrators is the abuse of computing resources by authorized and unauthorized personnel. The nature of abuse may vary from using unauthorized applications to serving unauthorized content. Proliferation of peer-to-peer networks and the availability of proxies for tunneling make it difficult to detect such abuse and easy to circumvent security policies. This paper presents a novel method to detect abuse of resources on a network based solely on the payload content type. The proposed method does not depend on packet headers and other simple packet characteristics and hence is able to better detect incidents of abuse.


CAAN'04 Proceedings of the First international conference on Combinatorial and Algorithmic Aspects of Networking | 2004

String matching on the internet

Hervé Brönnimann; Nasir D. Memon; Kulesh Shanmugasundaram

We consider a variant of the “string searching in database” problem where the string database comes on a data stream, and processing the data is at a premium but querying is not a runtime bottleneck. Specifically, the strings to be searched into (let's call them the documents) have to be processed online very efficiently, meaning the documents have to be added to some string searching data structure one by one in time proportional to their length. Of course, we desire this data structure to be small, i.e. at most linear space, and hopefully exhibit a tradeoff between storage/processing cost and accuracy. Upon some query string, the data structure must return whether that string is contained in a document (the presence query), and must also be able to return a list of the documents which contain the query (the attribution query). We may require that the query be large enough and that only portions of it may match (pattern matching). In practice, it is acceptable that the data structure return a superset of the answer, as long as no document from the answer is missing and there are only few false positives; either the false positives can be filtered (by actual verification if the document texts are available in a repository), or a small number of false positives are acceptable for the application (e.g. network forensics, see below).


conference on information sciences and systems | 2006

Protocol Masking to Evade Network Surveillance

Stanislav Nurilov; Kulesh Shanmugasundaram; Nasir D. Memon

In this paper we present the notion of protocol masking. Protocol masking is the process of transforming a protocol that is not allowed by a use-policy into a protocol that is allowed by the policy in order to evade policy enforcement mechanisms. We present the design and implementation architecture of a tool for protocol masking. The tool can be used to test the efficacy of policy enforcement mechanisms.

Collaboration


Dive into Kulesh Shanmugasundaram's collaboration.

Top Co-Authors

Alex Delis

National and Kapodistrian University of Athens
