| Category | Framework | Approach | Methods | Evaluation | Limitations | Performance |
|---|---|---|---|---|---|---|
| Traceback | NFEA [71] | LO, PM | Authenticated evidence marking scheme (AEMS) | Test bed & simulation | Computational & storage overhead | Performance degrades by 50% when AEMS is applied to every packet, but gains 40% when it is applied only to selected packets. |
| | LWIP [9] | PM | Lightweight IP traceback based on TTL | Tree analysis algorithm | Router overhead | Significant path reconstruction under DDoS attack. |
| | Scalable-NF [16] | LO | Scalable network forensics | Real-world traffic traces | Capturing real-time traffic | Reduces irrelevant data for analysis by 97%. |
| | HB-SST [85] | Spread spectrum techniques | Hopping-based spread spectrum | Simulation | Scalability | False positives decrease exponentially as signal length increases. |
| | ITP [8] | LO | IP traceback protocol (ITP) | Simulation | Router overhead | ITP shows better results in terms of false positive rate and attack detection compared with existing frameworks. |
| Converged network | PBNF [87] | LO | VoIP network forensics patterns | Suggests using NFATs | Scalability, forensics server bottleneck | Faster and more structured investigation of VoIP traffic. |
| | VoIP-NFDE [88] | LO | VoIP network forensics with digital evidence | Test bed | Time consuming, bandwidth utilization | Collects, analyzes, and performs forensics in the VoIP DEFSOP operational stage. |
| | VoIPEM [62] | LO | VoIP Evidence Model | S-TLC+ | Does not trace anonymous attacks | Identifies significant information related to attacks. |
| Intrusion detection system | AIDF [91] | Probabilistic model | Probabilistic discovery & inference | Test bed | Database for untreated data | Perfect discovery results in 16.67% of cases; combining information from multiple IDSs for forensic explanation reaches 87%. |
| | DFITM [92] | Dynamic forensics intrusion tolerance | Formal methods | Finite state machine | Storage overhead | Improves availability of the forensics server and the quality of collected significant evidence. |
| | IIFDH [93] | LO | Steganography | Prototype | Scalability | Real-time detection with preservation of evidence. |
| | NFIDA [94] | LO | Multi-dimensional analysis | Not applicable | Computational overhead | Records complete network data while providing data integrity, yielding a network forensics solution based on intrusion detection analysis. |
| Attack graph (AG) | SA [95] | Measures current & future attacks | Scalable analysis | Synthetic & real AG | Computational overhead | For large graphs the integer value increases as processing time increases; it remains stable for small graphs. |
| | MLL-AT [96] | Network attack modeling | Multi-level & layer attack tree | Case study | Scalability, storage overhead | Models attacks more accurately and addresses system risk. |
| | AGFE [97] | Forensics examination | Anti-forensics injection in AG | Test bed | Scalability | Identifies alterations performed by intruders in log files. |
| | FCM [98] | Network security evaluation | Fuzzy cognitive map & genetic algorithm | Simulation | Observation dependent, lack of awareness | Best-fit value of 1.64, which shows the probability of the goal being achieved. |
| | CSBH [17] | Probabilistic | Design model | Scenario based | Computational overhead | Finds that the approach is user centric, with complexity O(MN²). |
| | AGVI [99] | Visualization & interaction | RAVEN | Not applicable | Visualization in real-time situations | Addresses the impact of HCI techniques on attack graphs. |
| Distributive | ForNet [100] | Distributive network forensics | Architecture | Not applicable | Limited attack detection due to lightweight filtering | Provides valuable, trustworthy information about network events. |
| | DRNIFS [101] | LO, PM | Architecture | Not applicable | Storage overhead | Real-time detection with quick incident response. |
| | DCNFM [102] | LO | Client-server architecture | Not applicable | Forensics server bottleneck, storage overhead | Identifies the origin of an attack and its potential risk. |
| | DNF-IA [18] | LO | Dynamic network forensics model | Laboratory test | Lack of cryptography, forensics server bottleneck | Integrated, accurate results in real time when attacks occur. |