ForNet: A Distributed Network Forensics System

Published 7 September 2016, 16:19
In this talk we postulate that the current methodologies for collecting evidence to support network forensics neither scale well for large networks nor can store evidence long enough to be useful. We then explore the idea of storing evidence in the form of "synopses" in order to reduce storage constraints and to increase the longevity of collected evidence. Synopses reduce raw network traffic to succinct forms such that information useful for postmortems can be stored for prolonged periods of time. Furthermore, we propose an architecture for a system, called ForNet, that collects and disseminates the necessary evidence to support postmortems of security incidents. We discuss the design and implementation of a prototype of the proposed architecture. ForNet is currently deployed at Polytechnic University and monitors network traffic around the clock. Finally, we demonstrate the feasibility of using synopses and ForNet in postmortems of security incidents by analyzing some events at the University.
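To make the synopsis idea concrete, here is an added illustration (not ForNet's own code or data structures): a Bloom-filter synopsis of connection tuples per time window, which keeps a fixed-size bit array per window so a postmortem can still ask "could this host have contacted that service then?" long after the raw packets are gone. The flow records, window size, and 1% false-positive target are constructed assumptions.

```python
import hashlib
import math

# Constructed sample flow records: (unix_ts, src_ip, dst_ip, dst_port).
# Made-up values for this example, not ForNet data.
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "192.0.2.10", 443),
    (1005, "10.0.0.5", "192.0.2.11", 22),
    (1200, "10.0.0.9", "192.0.2.10", 80),
]

class BloomSynopsis:
    """Fixed-size bit array answering 'was this key seen?' with a bounded
    false-positive rate and no false negatives (a lossy synopsis)."""

    def __init__(self, expected_items, fp_rate):
        # Standard Bloom sizing: m bits and k hashes for n items at error rate p.
        self.m = math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2)
        self.k = round(self.m / expected_items * math.log(2))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, key):
        # k bit positions derived from SHA-256 over a salted copy of the key.
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, key):
        for p in self._positions(key):
            self.bits[p // 8] |= 1 << (p % 8)

    def maybe_contains(self, key):
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(key))

    def size_bytes(self):
        return len(self.bits)

def flow_key(src, dst, dport):
    return f"{src}>{dst}:{dport}"

def build_synopses(flows, window_seconds, expected_per_window=100, fp_rate=0.01):
    """One synopsis per time window; the raw flow is discarded after insertion."""
    synopses = {}
    for ts, src, dst, dport in flows:
        window = ts - ts % window_seconds
        if window not in synopses:
            synopses[window] = BloomSynopsis(expected_per_window, fp_rate)
        synopses[window].add(flow_key(src, dst, dport))
    return synopses

def seen(synopses, ts, src, dst, dport, window_seconds):
    """Postmortem query: could src have reached dst:dport in the window holding ts?"""
    syn = synopses.get(ts - ts % window_seconds)
    return syn is not None and syn.maybe_contains(flow_key(src, dst, dport))
```

A "no" answer is definitive while a "yes" carries the configured false-positive rate, which is the trade-off that lets each window shrink to a fixed 120 bytes here regardless of how many packets it summarised.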