This project proposes to address the lack of effective tools for aiding investigation of malicious activity on the Internet and on private IP-based networks such as corporate and government networks. The broad goal of this project is to study and demonstrate the technical feasibility of building an appropriate network forensics system and to establish the technical foundations for such an infrastructure. Although the vision and motivation behind a network forensics system may be compelling, the algorithms and techniques that will make it possible are challenging endeavors.
A proof of concept prototype network forensics system will be built. The prototype system will consist of forensics modules called SynApps that will create and store intelligent synopses of packet traffic entering and leaving a network. Multiple such forensics modules will be networked via a Forensics Server. The Forensics Servers are then networked across an intranet or the Internet to result in a Forensics Network (ForNet).
The activities of the project will be carried out in co-operation with experts in criminal justice, and a small prototype system networked between the communities will be built and deployed. The Information Systems and Internet Security (ISIS) Laboratory at Polytechnic University will be used as the vehicle for integration of the proposed research activity into class projects and undergraduate research projects done on the security testbed in ISIS.
The ForNet will be able to use synopsized network traffic to answer questions in investigations of many varieties of attacks against networks and systems.