5 research outputs found

    Including network routers in forensic investigation

    Network forensics concerns the identification and preservation of evidence from an event that has occurred or is likely to occur. The scope of network forensics encompasses the networks, systems and devices associated with the physical and human networks. In this paper we are assessing the forensic potential of a router in investigations. A single router is taken as a case study and analysed to determine its forensic value from both static and live investigation perspectives. In the live investigation, tests using steps from two to seven routers were used to establish benchmark expectations for network variations. We find that the router has many attributes that make it a repository and a site for evidence collection. The implications of this research are for investigators and the inclusion of routers in network forensic investigations.

    Minimizing Range Rules for Packet Filtering Using Double Mask Representation

    Packet filtering is widely used in multiple networking appliances and applications, in particular, to block malicious traffic (protect network infrastructures through firewalls and intrusion detection systems) and to be deployed on routers, switches and load balancers for packet classification. This mechanism relies on the packet's header fields to filter such traffic by using range rules of IP addresses or ports. However, the set of packet filters has to handle a growing number of connected nodes and many of them are compromised and used as sources of attacks. For instance, IP filter sets available in blacklists may reach several millions of entries, and may require large memory space for their storage in filtering appliances. In this paper, we propose a new method based on a double mask IP prefix representation together with a linear transformation algorithm to build a minimized set of range rules. We define formally the double mask representation over range rules and we prove that the number of required masks for any range is at most 2w − 4, where w is the length of a field. This representation makes the network more secure, reliable and easy to maintain and configure. We show empirically that the proposed method achieves an average compression ratio of 11% on real-life blacklists and up to 74% on synthetic range rule sets. Finally, we add support of double mask into a real SDN network.

    Reducing the Size of Routing Tables for Large-scale Network Simulation

    As networks grow in scale and their structure becomes more complex, simulation of large-scale networks is needed. However, because the resources available on a computer are limited, the size of the network a simulator can handle and the scale of the simulation scenario are restricted. In simulation, one factor known to consume computer resources (memory in particular) is the routing table, which indicates, at each node, to which neighbouring node an arriving packet should be forwarded for each destination node. With N the number of nodes in the network, tabular routing tables require O(N^2) space in total. A spanning-tree routing method has also been proposed that reduces routing table space to O(N) by using the spanning tree itself as the routing table data structure, but only in the special case where every route between any two nodes is contained in a single tree that includes all nodes (a spanning tree); it therefore cannot represent arbitrary routing. In this paper, building on the spanning-tree routing method, we propose a way to construct a routing table that combines a spanning-tree routing table containing as many routes as possible with a tabular routing table, so that arbitrary routing can be represented while the routing table space is reduced. Evaluation of the proposed method showed that, in a hierarchical topology, space was reduced by 90% compared with a simple routing table.

    In simulating large-scale networks, due to the limitation of available resources on computers, the size of the networks and the scale of simulation scenarios are often restricted. In particular, routing tables, which indicate the directions in which to forward packets, are considered to consume memory space. A general routing table requires O(N^2) space, where N is the number of nodes. An algorithmic routing recently proposed by Heung et al. requires only O(N) space for representing routing tables; however, it can be applied only in the case that all the routes between two nodes are contained in a fixed spanning tree (i.e. very limited routing is allowed). In this paper, we propose a new method to reduce the capacity of routing tables which is applicable to any routing table. In our method, a (near-optimal) algorithmic routing based table is used to represent a part of the given routing table. Our experimental results have shown that our method could reduce the routing table size by about 90% compared with a general routing table in hierarchical networks.