Article Preview
Top1. Introduction
Information security over networks has become more challenging due to the new hacking and anti-forensics techniques. Sensitive information should be treated confidentially in any system as it represents high risk to its owners if exposed to the public. This information is risky for several reasons, such as human and technical errors, accidents and disasters, fraud, commercial espionage, and malicious damage.
According to Yunos, Ahmad, & Sahib (2015), unauthorized access damages computer data or programs, obstructs the functioning of computer systems or networks, and intercepts data. Acts of computer espionage are categorized as network attacks. They are broad in scope and are defined as attacks that involve a computer or network used to commit crimes. It is essential to inspect all network activity, both incoming and outgoing, and detect suspicious patterns which might be evidence of a network or system attack. Network attacks are categorized into unauthorized access, malicious code (malware), and service interruptions. Figure 1 shows common types of network threats.
Figure 1. Common types of network threats
As stated by Lahre, Diwan, Kashyap, & Agrawal (2013), intrusions are classified into attempted break-ins, masquerade attacks, penetration of security control systems, leakage, denial of service, and malicious use. Fortunately, there are techniques to detect intrusions, anomaly detection and misuse detection. Anomaly detection assumes that all intrusive activities are necessarily anomalous and finds patterns in data that do not comply with expected behaviour (Chandola, Banerjee, & Kumar, 2009; Ahmed & Zaman, 2017). Misuse detection embodies attacks in the form of a pattern or a signature so that variations of the same attack are detected.
Network forensics is a part of network security that works with the laws and guiding principles prescribed by the judicial system to deal with cyber criminals. There are two approaches in network forensics, reactive and proactive. Reactive network forensics is a traditional approach that deals with network attacks cases after a period of time. Reactive forensic approach consumes a considerable amount of time during the investigation phase. Proactive network forensics is different from the reactive approach. Proactive forensic is a new approach in network forensics that deals with a live investigation during an attack (Rasmi & Al-Qerem, 2015).
Figure 2 shows frameworks for the generic process model in network forensics that splits phases into two groups. The first group relies on actual time and includes preparation, detection, incident response, collection, and preservation. The second group relies on post-investigation phases.
Figure 2. Framework of generic process model
Rasmi, Jantan, & Al-Mimi (2013) classify the first group as proactive and the second group as reactive. The proactive phase saves time and money during the investigation process as they work throughout the occurrence of an attack. In contrast, reactive phases begin with the examination phase to integrate trace data and identify attack indicators. The indicators are prepared for the analysis phase, which reconstructs the attack indicators using soft computing or statistical or data mining techniques to classify and correlate attack patterns.
Attack intention is the ultimate attack goal that the attacker attempts to achieve by executing various attack methods or techniques. It is difficult for an expert human to predict attack methods. An attacker achieves his goal through a sequence of tactical steps, using sophisticated techniques to hide and cover his activities.