Scalable Forensics for Future Networks

Lead Research Organisation: Queen's University Belfast
Department Name: Sch of Electronics, Elec Eng & Comp Sci

Abstract

We live in an increasingly networked world. While this interconnection of systems can simplify our daily tasks such as banking, shopping, and working, it also exposes a volume of personal information that can be exploited for nefarious purposes. Data breach incidents are being reported by companies and organisations with greater frequency. Such incidents are predominantly orchestrated remotely relying on a network intrusion. As such, it is vital to analyse network events including network traffic, flow, and device logs to determine how an attack was carried out or how an event occurred on a network.

Network forensics involves the preservation and analysis of traffic and logs from networks for security or law enforcement purposes. From the security perspective, the objective is to determine the source of a security incident.

To facilitate forensics, packet filters, firewalls and intrusion detection systems are deployed in the network. Of course, the ability to correctly pinpoint the source of an attack in the network relies on the appropriate placement and configuration of these devices so that they capture the necessary information. Storage capacity and performance requirements must also be considered in the deployment.

Software-Defined Networking (SDN) and Network Functions Virtualization (NFV) are emerging technologies in the field of networking. In combination, SDNFV introduces a programmable, dynamic, and flexible network topology. With the dynamic nature of SDNFV and with an increasing volume of virtual network appliances that can be introduced or removed from the network on-demand, the traditional placement of security devices at a fixed point in the network no longer applies. In order to secure dynamic software-defined networks with virtualized functions, new detection and protection mechanisms are required.

This research will investigate and derive forensics tools and remediation techniques for SDNs that exploit intelligence harvested from the network for resource management, network security, integrity and control.

The research objectives are:
1. To study state-of-the-art real-time traffic monitoring, analytics and forensics tools and algorithms and their suitability for SDNFV implementation.
2. To investigate various intrusion and anomaly detection algorithms and SDN-specific traffic properties, such as communication patterns and applications, that can be used to detect and isolate abnormal behaviour.
3. To study new methods for analysing SDNFV network usage and event extraction and correlation in a multi-tenant infrastructure with multiple SDN controllers.
4. To design and develop a forensics framework specific to, and exploiting, the SDNFV architecture.

As previously identified, the network forensics solutions for traditional network environments may no longer be effective in the SDNFV environment with virtualization, anonymization, and the dynamic reconfiguration of the network. The results produced during this studentship will contribute to the advancement of network forensics for future network technologies.


Studentship Projects

Project Reference | Relationship | Related To   | Start      | End        | Student Name
EP/N509541/1      |              |              | 01/10/2016 | 30/09/2021 |
2275984           | Studentship  | EP/N509541/1 | 01/10/2019 | 31/03/2023 | Conor Black
EP/R513118/1      |              |              | 01/10/2018 | 30/09/2023 |
2275984           | Studentship  | EP/R513118/1 | 01/10/2019 | 31/03/2023 | Conor Black