Review Article

A Comprehensive Review on Adaptability of Network Forensics Frameworks for Mobile Cloud Computing

Table 4

Classification of network forensics frameworks.

Framework: Functions

Traceback
NFEA [71]: Proposes an effective tracking range that yields admissible digital evidence while guaranteeing the integrity and authenticity of the traceback data. Packets are marked at the edge router, which increases efficiency and reduces data loss.
LWIP [9]: Uses only the time-to-live (TTL) field of the IP header to trace the attack path of a DDoS attack. Three algorithms cover the three steps of the scheme, making it efficient, robust and simple: (a) embed the TTL value in the IP header, (b) run as soon as a DDoS attack occurs, and (c) execute the attack-tree analysis algorithm.
Scalable NF [16]: Proposes a scalable network forensics scheme that traces stealthy self-propagating attacks back to their origin. The scheme scales in computation time and space while still locating the origin accurately. A data reduction mechanism identifies deviations in each host's behaviour; such a deviation indicates a potential attack and is passed on for forensic investigation.
HB-SST [85]: Presents a generic hopping-based spread spectrum technique for traceback in anonymous communication networks. Network traffic is marked with a randomized pattern in both the time and frequency domains.
ITP [8]: A protocol designed to trace attacks back both in real time and periodically, using a compressed hash table held in the router. Replay attacks are countered by attaching a timestamp to each message, whose integrity is verified with a hash function. The attack detection rate is raised by periodically updating the attack list in the routers.

Converged network
PBNF [87]: Proposes VoIP network forensics patterns for collecting and analyzing voice traffic systematically.
VoIP-NFDE [88]: Proposes a digital evidence procedure for VoIP network forensics, specifically for Internet telephony. Evidence is identified by comparing normal and abnormal packets in the voice communication.
VoIPEM [62]: A model-based forensic method that identifies malicious attacks in VoIP communication by formalizing hypotheses from the gathered information. The attack path is reconstructed with the secure temporal logic of actions (S-TLA+), which yields clear evidence about the attack.

Intrusion detection system
AIDF [91]: An analytical intrusion detection framework based on a probabilistic model discovery approach and an inference mechanism. It provides a forensic explanation not only of intrusion alerts but also of unidentified signature rules, and it integrates intrusion alerts from distributed IDS sensors.
DFITM [92]: Intrusion-tolerance-based dynamic forensics modeling that improves the availability of the forensics server while it is under attack. The model is a finite state machine, and the server's availability is evaluated by numerical analysis.
IIFDH [93]: Applies steganography to detect alterations that an intruder makes to log files after an attack, preserving the reliability and completeness of the evidence for later decisions.
NFIDA [94]: Network forensics based on static and dynamic analysis of intrusion detection data, giving a complete record of data and logs while ensuring their credibility and reliability.

Attack graphs
SA [95]: Proposes a framework for scalable analysis of attack scenarios from a massive volume of alerts in real time. It also addresses individual attacks and their impact on the enterprise.
MLL-AT [96]: Identifies multistage network attacks and analyzes system risk by evaluating the various security threats that arise from attack sequences.
AGFE [97]: Integrates an antiforensics mechanism with the attack graph so that intruders who delete certain traces after an attack can still be fully observed.
FCM [98]: Generates a fuzzy cognitive map from the attack graph with the help of a genetic algorithm to find the worst-case attacks in the network, which simplifies the investigator's task of handling those attacks.
CSBH [17]: A probabilistic approach that combines the attack graph with a hidden Markov model to explore system states and their observations. It identifies the root cause of an attack and provides automation, adaptability and scalability for cost-benefit security hardening in large networks.
AGVI [99]: Proposes the RAVEN framework, which reduces the complexity of large attack graphs by providing interactive visualization interfaces that let the user view attack graphs easily.

Distributive
ForNet [100]: Proposes a distributed framework that collects network logs from the various devices of a dispersed network. IP packet headers are analyzed for IP connections, ports and sessions using Bloom filter tracking.
DRNIFS [101]: Captures network packets as soon as an attack is detected in real time, collecting potential evidence that intruders usually delete after an attack. It uses a centralized network forensics server with distributed detection agents.
DCNFM [102]: Proposes a framework that identifies potential risks, misbehaving packets and the origin of an attack using a distributed cooperative network forensics system. The system has a client-server architecture, with client agents installed on different hosts to capture network traffic logs from various network artifacts.
DNF-IA [18]: Applies artificial intelligence immunity theory to network forensics in real time while keeping the evidence safe. It provides validity, integrity and authenticity of the evidence in a real-time situation.
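The router-side compressed hash table of ITP [8] and the Bloom filter tracking of ForNet [100] rest on the same mechanism: each router keeps a compact probabilistic record of what it forwarded, and an investigator later queries those records to reconstruct the path of a specific packet. The Python below is an added example written for this review, not the code of either framework. The packet digest, the Bloom filter parameters, the per-router HMAC keys, the query message format, the 60 s freshness window and the five-router topology are all assumptions made here to show how the traceback walk and the replay check of ITP fit together.

```python
"""Added example (not ITP [8] or ForNet [100] code): packet-digest traceback.
Assumed design: each router keeps a Bloom filter of digests of forwarded
packets; the forensics server queries routers with a timestamped, HMAC-keyed
message (keys, format and freshness window are invented); routers reject
tampered, stale and replayed queries."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field

MAX_QUERY_AGE = 60  # seconds; assumed freshness window for queries


def make_packet(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def packet_digest(pkt: bytes) -> bytes:
    """Hash header + 8 payload bytes with hop-variant TTL/checksum masked."""
    masked = bytearray(pkt[:28])
    masked[8], masked[10:12] = 0, b"\x00\x00"
    return hashlib.sha256(bytes(masked)).digest()


class BloomFilter:
    """Compact digest store: k SHA-256-derived bit positions in m bits."""

    def __init__(self, m_bits: int = 8192, k: int = 4) -> None:
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)

    def _positions(self, digest: bytes):
        for i in range(self.k):
            yield int.from_bytes(hashlib.sha256(bytes([i]) + digest).digest()[:4], "big") % self.m

    def add(self, digest: bytes) -> None:
        for p in self._positions(digest):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, digest: bytes) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(digest))


def make_query(key: bytes, digest: bytes, ts: int) -> tuple:
    """Server side: (ts, digest, HMAC-SHA256 over ts || digest)."""
    return ts, digest, hmac.new(key, ts.to_bytes(8, "big") + digest, "sha256").digest()


@dataclass
class Router:
    name: str
    neighbors: list
    key: bytes  # shared with the forensics server (assumption)
    seen: BloomFilter = field(default_factory=BloomFilter)
    last_query_ts: int = 0

    def forward(self, pkt: bytes) -> bytes:
        """Record the digest, then decrement TTL as a real hop would."""
        self.seen.add(packet_digest(pkt))
        return pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]

    def answer_query(self, query: tuple, now: int) -> bool:
        """Reject bad MAC, stale or replayed timestamps; else report membership."""
        ts, digest, mac = query
        if not hmac.compare_digest(mac, make_query(self.key, digest, ts)[2]):
            raise ValueError(f"{self.name}: query MAC invalid")
        if now - ts > MAX_QUERY_AGE:
            raise ValueError(f"{self.name}: query too old")
        if ts <= self.last_query_ts:
            raise ValueError(f"{self.name}: replayed query")
        self.last_query_ts = ts
        return digest in self.seen


def traceback(routers: dict, start: str, attack_pkt: bytes, now: int) -> list:
    """Walk from the victim's router toward the origin via routers that saw the digest."""
    digest = packet_digest(attack_pkt)
    path, visited = [start], {start}
    while True:
        hop = next((nb for nb in routers[path[-1]].neighbors if nb not in visited and
                    routers[nb].answer_query(make_query(routers[nb].key, digest, now), now)), None)
        if hop is None:
            return path
        path.append(hop)
        visited.add(hop)


def build_demo() -> tuple:
    """Constructed topology: chain R4-R3-R2-R1 (victim behind R1), side router R5 on R2."""
    topo = {"R1": ["R2"], "R2": ["R5", "R3", "R1"], "R3": ["R4", "R2"], "R4": ["R3"], "R5": ["R2"]}
    routers = {n: Router(n, nb, hashlib.sha256(n.encode()).digest()) for n, nb in topo.items()}
    attack = make_packet("203.0.113.7", "198.51.100.10", 64, b"\x00\x35\x00\x35\xde\xad\xbe\xef")
    benign = make_packet("192.0.2.20", "198.51.100.10", 64, b"\x00\x50\x00\x50\x00\x00\x00\x00")
    for pkt, hops in ((attack, ["R4", "R3", "R2", "R1"]), (benign, ["R5", "R2", "R1"])):
        for hop in hops:
            pkt = routers[hop].forward(pkt)
    return routers, attack, benign


def run_demo(now: int = 1_700_000_000) -> list:
    """Reconstruct the attack path from the victim's router R1."""
    routers, attack, _ = build_demo()
    return traceback(routers, "R1", attack, now)
```

Two properties matter for the forensic value of the result. The digest masks TTL and header checksum, so the same packet produces the same digest at every hop even though both fields change in transit; and the router accepts a query only if its MAC verifies, it is within the freshness window, and its timestamp is strictly greater than the last one it accepted, so a captured query cannot be replayed to probe a router's filter later. A Bloom filter never gives a false negative but can give a false positive, so a real deployment sizes the filter for the traffic volume and rotates it per time window; the walk above stops at the first matching neighbour, whereas a production traceback would follow every matching branch.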