ForNet: A Distributed Forensics Network

  • Kulesh Shanmugasundaram
  • Nasir Memon
  • Anubhav Savant
  • Herve Bronnimann
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2776)


This paper introduces ForNet, a distributed network logging mechanism to aid digital forensics over wide area networks. We describe the need for such a system, review related work, present the architecture of the system, and discuss key research issues.


Intrusion Detection Network Event Intrusion Detection System Bloom Filter Packet Header 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Axelsson, S.: Research in intrusion-detection systems: A survey. Technical Report No 98–17 (December 1998)Google Scholar
  2. 2.
    Axelsson, S.: The base-rate fallacy and its implications for the difficulty of intrusion detection. In: Proceedings of the ACM Conference on Computer and Communication Security (November 1999)Google Scholar
  3. 3.
    Babcock, B., Babu, S., Datar, M., Motwani, R., Widom, J.: Models and issues in data stream systems. In: Symposium on Principles of Database Systems, Madison, Wisconsin, USA, June 2002. ACM SIGMOD (2002)Google Scholar
  4. 4.
    Babcock, B., Datar, M., Motwani, R.: Sampling from a moving window over streaming data. In: Proceedings of 13th Annual ACM-SIAM Symposium on Discrete Algorithms (2002)Google Scholar
  5. 5.
    Babu, S., Subramanian, L., Widom, J.: A data stream management system for network traffic management. In: Workshop on Network-Related Data Management (2001)Google Scholar
  6. 6.
    Bellovin, S.M., Leech, M., Taylor, T.: ICMP traceback messages. In: Internet Draft draft-ietf-itrace-01.txt (Work in progress). IETF (October 2001)Google Scholar
  7. 7.
    Bhattacharyya, M., Hershkop, S., Eskin, E., Stolfo, S.J.: Met: An experimental system for malicious email tracking. In: Proceedings of the 2002 New Security Paradigms Workshop (NSPW-2002), Virginia Beach, VA (September 2002)Google Scholar
  8. 8.
    Bloom, B.: Space/time tradeoffs in in hash coding with allowable errors. In: CACM, pp. 422–426 (1970)Google Scholar
  9. 9.
    Broder, A., Mitzenmatcher, M.: Network applications of bloom filters: A survey. In: Annual Allerton Conference on Communication, Control, and Computing, Urbana-Champaign, Illinois, USA (October 2002)Google Scholar
  10. 10.
    Burch, H., Cheswick, B.: Tracing anonymous packets to their approximate source. In: Proc. USENIX LISA (December 2000)Google Scholar
  11. 11.
    Datar, M., Gionis, A., Indyk, P., Motwani, R.: Maintaining stream statistics over sliding windows. In: ACM Symposium on Discrete Algorithms, pp. 635–644 (2001)Google Scholar
  12. 12.
    Dean, D., Franklin, M., Stubblefield, A.: An algebraic approach to IP traceback. In: Proceedings of NDSS (February 2001)Google Scholar
  13. 13.
    Debar, H., Dacier, M., Wepsi, A.: A revised taxonomy for intrusion-detection systems. IBM Research Report (1999)Google Scholar
  14. 14.
    Domingos, P., Hulten, G.: Mining high-speed data streams. In: Proc. SIGKDD Int. Conf. Knowledge Discovery and Data Mining (2000)Google Scholar
  15. 15.
    Sanstorm Enterprises. Netintercept (February 2003),
  16. 16.
    Frank, J.: Artificial intelligence and intrusion detection: Current and future directions. In: Proceedings of the 17th National Computer Security Conference (1994)Google Scholar
  17. 17.
    Gibbons, P., Matias, Y.: Synopsis data structures for massive data sets. In: DIMACS: Series in Discrete Mathematics and Theoretical Computer Science: special Issue on External Memory Algorithms and Visualization (1999)Google Scholar
  18. 18.
    Gilbert, K., Kotidis, Y., Muthukrishnan, S., Strauss, M.: Surfing wavelets on streams: one pass summaries for approximate aggregate queries. In: Proc. ACM Conf. Very Large Databases. VLDB (2001)Google Scholar
  19. 19.
    Guha, S., Koudas, N., Shim, K.: Data streams and histograms. In: Proc. ACM Symp. Theory Comput. STOC (2001)Google Scholar
  20. 20.
    Hulten, G., Spencer, L., Domingos, P.: Mining time-changing data streams. In: Proc. SIGKDD Int. Conf. Knowledge Discovery and Data Mining (2001)Google Scholar
  21. 21.
    Ilgun, K., Kemmerer, R.A., Porras, P.A.: State transition analysis: A rulebased intrusion detection approach. IEEE Transactions on Software Engineering (March 1995)Google Scholar
  22. 22.
    Javitz, H.S., Valdes, A.: The sri ides statistical anomaly detector. In: Proceedings of the IEEE Symposium on Research in Security and Privacy (1991)Google Scholar
  23. 23.
    Kumar, S., Spafford, E.H.: An application of pattern matching in intrusion detection. Purdue University Technical Report CSD-TR-94-013 (1994)Google Scholar
  24. 24.
    Mankin, A., Massey, D., Wu, C.L., Wu, S.F., Zhang, L.: On design and evaluation of “intention-driven” ICMP traceback. In: Proc. IEEE International Conference on Computer Communications and Networks (October 2001)Google Scholar
  25. 25.
    Manku, G.S., Rajagopalan, S., Lindsay, B.G.: Approximate medians and other quantiles in one pass and with limited memory. In: Proc. of the ACM Intl Conf. on Management of Data, SIGMOD (June 1998)Google Scholar
  26. 26.
    Manku, G.S., Rajagopalan, S., Lindsay, B.G.: Random sampling techniques for space efficient online computation of order statistics of large datasets. In: Proc. of the ACM Intl Conf. on Management of Data. SIGMOD (June 1999)Google Scholar
  27. 27.
    Mitchell, A., Vigna, G.: Mnemosyne: Designing and implementing network short-term memory. In: International Conference on Engineering of Complex Computer Systems. IEEE, Los Alamitos (December 2002)Google Scholar
  28. 28.
    Motwani, R., Widom, J., Arasu, A., Babcock, B., Babu, S., Datar, M., Manku, G., Olston, C., Rosenstein, J., Varma, R.: Query processing, resource management, and approximation in a data stream management system. In: Proc. of the 2003 Conference on Innovative Data Systems Research , CIDR (January 2003)Google Scholar
  29. 29.
    Paxson, V.: Bro: A system for detecting network intruders in real-time. In: 7th Annual USENIX Security Symposium (January 1998)Google Scholar
  30. 30.
    Porras, P.A., Neumann, P.G.: Emerald: Event monitoring enabling responses to anomalous live disturbances. In: Proceedings of the National Information Systems Security Conference (1997)Google Scholar
  31. 31.
    Ptacek, T.H., Newsham, T.N.: Insertion, evasion, and denial of service: Eluding network intrusion detection. In: Secure Networks, Inc. (January 1998)Google Scholar
  32. 32.
    Roberts, P.: Nai goes forensic with infinistream. In: InfoWorld (February 2003),
  33. 33.
    Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Practical network support for IP traceback. In: Proceedings of the 2000 ACM SIGCOMM Conference, Stockholm, Sweden, pp. 295–306 (August 2000)Google Scholar
  34. 34.
    Shanmugasundaram, K., Memon, N., Savant, A., and Bronnimann, H.: Efficient monitoring and storage of payloads for network forensics (May 2003) (unpublished manuscript) Google Scholar
  35. 35.
    Shanmugasundaram, K., Memon, N., Savant, A., Bronnimann, H.: Fornet: A distributed forensics system (May 2003) (unpublished manuscript)Google Scholar
  36. 36.
    Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Kent, S.T., Strayer, W.T.: Hash-based IP traceback. In: ACM SIGCOMM, San Diego, California, USA (August 2001)Google Scholar
  37. 37.
    Song, D., Perrig, A.: Advanced and authenticated marking schemes for IP traceback. IEEE Infocomm (2001)Google Scholar
  38. 38.
    Thaper, U., Guha, S., Indyk, P., Koudas, N.: Dynamic multidimensional histograms. In: Proc. ACM Int. Symp. on Management of Data. SIGMOD (2002)Google Scholar
  39. 39.
    Winter, R., Auerbach, K.: The big time: 1998 winter vldb survey. Database Programming Design (August 1998)Google Scholar
  40. 40.
    Yasinsac, A., Manzano, Y.: Policies to enhance computer and network forensics. In: Workshop on Information Assurance and Security, United States Military Academy, West Point, NY. IEEE, Los Alamitos (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Kulesh Shanmugasundaram
    • 1
  • Nasir Memon
    • 1
  • Anubhav Savant
    • 1
  • Herve Bronnimann
    • 1
  1. 1.Department of Computer and Information SciencePolytechnic UniversityBrooklynUSA

Personalised recommendations