BROWSE
Detail
Conference Paper
A Cyber Blackbox for Collecting Network Evidence
Cited - time in 
Share 
Share
- Authors
- Jooyoung Lee, Sunoh Choi, Yangseo Choi, Jonghyun Kim, Ikkyun Kim, Youngseok Lee
- Issue Date
- 2015-11
- Citation
- SRI Security Congress 2015, pp.141-147
- Language
- English
- Type
- Conference Paper
- Abstract
- In recent years, the hottest topics in the security field are related to the advanced and persistent attacks. As an approach to solve this problem, we propose a cyber blackbox which collects and preserves network traffic on a virtual volume based WORM device, called EvidenceLock to ensure data integrity for security and forensic analysis. As a strategy to retain traffic for long enough periods, we introduce a deduplication method. Also this paper includes a study on the network evidence which is collected and preserved for analyzing the cause of cyber incident. Then, a method is proposed to suggest a starting point for incident analysis to a forensic practitioner who has to investigate on the vast amount of network traffic collected using the cyber blackbox. Experimental results show this approach is effectively able to reduce the amount of data to search by dividing doubtful flows from normal traffic. Finally, we discuss the results with the forensically meaningful point of view and present further works.
- KSP Keywords
- Data Integrity, Incident analysis, Normal traffic, Starting point, cyber blackbox, cyber incident, forensic analysis, network traffic