
  • /projects/ -- List of projects I've been working on.
    (If you'd like to collaborate on or work on any of these projects, feel free to email me.)
  • /pubs/ -- List of refereed publications.


ForNet

Project ForNet develops scalable, forensically sound frameworks, tools, and techniques to support network forensics in wide area networks.

ForNet is the core of Project ForNet. ForNet is a distributed forensics network: it provides a scalable network logging mechanism to aid forensics over wide area networks. Like traditional packet loggers, ForNet creates logs of network traffic, and like distributed intrusion detection systems, ForNet can span multiple networks. But that is where the similarities end. Unlike existing Network Forensic Analysis Tools (NFAT), ForNet strives to log network traffic without discrimination, so that the scope of a postmortem analysis is not limited by a priori decisions on what information to log and what not to log. To make this possible, ForNet transforms raw network data into succinct forms which can be stored for a prolonged period of time. The long-term goal of Project ForNet is to build tools (hardware and software) and techniques to reliably log and analyze network traffic to support forensics, and to provide a platform for producing forensically sound evidence of cyber-crimes.

/pubs/
/src/
Currently in alpha; a beta will be released to the public soon. If you'd like to be notified, please send me an email.


Payload Attribution (Vortex)

Payload attribution is an important problem often encountered in network forensics. Given an excerpt of a payload, finding its source and destination is useful for many security applications such as identifying sources and victims of a worm or virus. Although IP traceback techniques have been proposed in the literature, these techniques cannot help when we do not have the entire packet or when we only have an excerpt of the payload.

We present a payload attribution system (PAS) that attributes reasonably long excerpts of payloads to their source and/or destination hosts. The system we propose is based on a novel data structure called a Hierarchical Bloom Filter (HBF). An HBF creates compact digests of payloads and provides probabilistic answers to membership queries on the excerpts of payloads. We also present the performance analysis of the method and experimental results from a prototype demonstrating the practicality and efficacy of the system. The system can reliably work with certain packet transformations and is flexible enough to be used if the query string is spread across several packets. The system, however, can be evaded by splitting or by "stuffing" the payload. Future work focuses on making the system robust against such evasions.
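The following is an added illustration of the idea behind an HBF; it is not Vortex's own code and simplifies the published data structure. It assumes a fixed block size (8 bytes here, far smaller than a real deployment would use), Bloom-filter keys that carry the flow label and block offset, a hierarchy in which level L holds aligned runs of 2**L blocks, and two constructed HTTP payloads labelled with made-up "src->dst" flow ids. The last query shows the evasion the text mentions: a single stuffed byte shifts the block boundaries, and the excerpt no longer attributes.

```python
import hashlib


class BloomFilter:
    """Plain Bloom filter: k positions per item derived from SHA-256 (constructed helper)."""

    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: bytes):
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class HBF:
    """Hierarchical Bloom filter over fixed-size payload blocks (simplified).

    Level 0 stores every block keyed by (flow, block offset); level L stores each
    aligned run of 2**L consecutive blocks. A query must hit at every level, so a
    false attribution needs Bloom-filter collisions on the long runs as well as on
    the individual blocks, which is what pushes the false-positive rate down.
    Trailing bytes that do not fill a whole block are dropped in this version.
    """

    def __init__(self, block_size: int = 8, levels: int = 3, m_bits: int = 1 << 16, k: int = 5):
        self.block_size, self.levels = block_size, levels
        self.filter = BloomFilter(m_bits, k)
        self.flows: set[str] = set()  # candidate flow labels ("src->dst", constructed)
        self.max_blocks = 0           # longest payload seen; bounds the offset search

    @staticmethod
    def _key(level: int, flow: str, offset: int, data: bytes) -> bytes:
        return f"{level}|{flow}|{offset}|".encode() + data

    def _blocks(self, data: bytes) -> list[bytes]:
        n = len(data) // self.block_size
        return [data[i * self.block_size:(i + 1) * self.block_size] for i in range(n)]

    def insert(self, flow: str, payload: bytes) -> None:
        """Digest one payload: each block, then each aligned pair, quad, ... of blocks."""
        blocks = self._blocks(payload)
        self.flows.add(flow)
        self.max_blocks = max(self.max_blocks, len(blocks))
        for level in range(self.levels):
            run = 1 << level
            for i in range(0, len(blocks) - run + 1, run):
                self.filter.add(self._key(level, flow, i, b"".join(blocks[i:i + run])))

    def _matches(self, flow: str, blocks: list[bytes], start: int) -> bool:
        # Level 0: every excerpt block must sit at consecutive offsets of this flow.
        if not all(self._key(0, flow, start + j, b) in self.filter for j, b in enumerate(blocks)):
            return False
        # Higher levels: every aligned run that lies fully inside the excerpt must also hit.
        for level in range(1, self.levels):
            run = 1 << level
            first = (-start) % run  # first excerpt index whose payload offset is run-aligned
            for j in range(first, len(blocks) - run + 1, run):
                if self._key(level, flow, start + j, b"".join(blocks[j:j + run])) not in self.filter:
                    return False
        return True

    def attribute(self, excerpt: bytes) -> set[str]:
        """Flows the excerpt is attributed to: no false negatives for digested blocks, rare false positives."""
        hits = set()
        for align in range(self.block_size):  # the excerpt may start mid-block: try every alignment
            blocks = self._blocks(excerpt[align:])
            if len(blocks) < 2:               # too little evidence to attribute
                continue
            for flow in self.flows:
                for start in range(self.max_blocks - len(blocks) + 1):
                    if self._matches(flow, blocks, start):
                        hits.add(flow)
        return hits


# Constructed sample flows (labels and payloads are made up for this example).
SAMPLE_FLOWS = {
    "10.0.0.1->10.0.0.2": b"GET /secret/report.pdf HTTP/1.1\r\nHost: files.example.test\r\n\r\n",
    "10.0.0.5->10.0.0.2": b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\n\r\n",
}


def build_index() -> HBF:
    hbf = HBF()
    for flow, payload in SAMPLE_FLOWS.items():
        hbf.insert(flow, payload)
    return hbf


if __name__ == "__main__":
    index = build_index()
    print(index.attribute(b"report.pdf HTTP/1.1\r\nHost: files"))   # attributed to the GET flow
    print(index.attribute(b"report.pdf HTTP/X1.1\r\nHost: files"))  # one stuffed byte: no match
```

Because the offsets are part of every key, the digest also rejects excerpts whose blocks exist but in a different order, and the filter keeps only a few hundred bits per payload rather than the payload itself, which is what makes long retention periods affordable.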

/pubs/
/src/
Currently in alpha; a beta will be released to the public soon. If you'd like to be notified, please send me an email.


Network Abuse Detection (Nabs)

One of the growing problems faced by network administrators is the abuse of computing resources by authorized and unauthorized personnel. The nature of abuse may vary from using unauthorized applications to serving unauthorized content. The proliferation of peer-to-peer networks and the wide use of tunnels make it difficult to detect such abuses and easy to circumvent security policies. This paper presents the design and implementation of a system, called Nabs, that characterizes the content types of network flows based solely on the payload, which can then be used to identify abuses of computing resources. The proposed method does not depend on packet headers or other simple packet characteristics and hence is more robust to circumvention.

/pubs/
/src/
A beta version is available upon request.


Automated Reassembly (DeShredder)

Reassembly of fragmented objects from a collection of randomly mixed fragments is a common problem in classical forensics. We address the digital forensic equivalent, i.e., reassembly of document fragments, using statistical modelling tools applied in data compression. We propose a general process model for automatically analyzing a collection of fragments to reconstruct the original document by placing the fragments in the proper order. Probabilities are assigned to the likelihood that two given fragments are adjacent in the original using context modelling techniques from data compression. The problem of finding the optimal ordering is shown to be equivalent to finding a maximum-weight Hamiltonian path in a complete graph. Heuristics are designed and explored, and implementation results are provided which demonstrate the validity of the proposed technique.
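As an added example of the pipeline described above (not DeShredder's own code), the block below scores fragment adjacency with a context model, turns the scores into edge weights of a complete graph, and finds a maximum-weight Hamiltonian path both exactly and with a greedy heuristic. It assumes an order-1 byte model with add-one smoothing, estimated from the fragments themselves, as a stand-in for the higher-order compression-style models the project uses, and a constructed document cut at three points and shuffled so the recovered order can be checked.

```python
import itertools
import math
from collections import Counter


def context_model(fragments: list[bytes]):
    """Order-1 context model P(next byte | previous byte), estimated from the fragments
    with add-one smoothing. Simplification of the compression-style models the project uses."""
    pair_counts: Counter = Counter()
    prev_counts: Counter = Counter()
    for frag in fragments:
        for prev, nxt in zip(frag, frag[1:]):
            pair_counts[(prev, nxt)] += 1
            prev_counts[prev] += 1

    def prob(prev: int, nxt: int) -> float:
        return (pair_counts[(prev, nxt)] + 1) / (prev_counts[prev] + 256)

    return prob


def adjacency_weights(fragments: list[bytes]) -> list[list[float]]:
    """w[i][j] = log-likelihood that fragment j directly follows fragment i (the graph's edge weights)."""
    prob = context_model(fragments)
    n = len(fragments)
    return [[math.log(prob(fragments[i][-1], fragments[j][0])) if i != j else -math.inf
             for j in range(n)] for i in range(n)]


def path_weight(w: list[list[float]], order) -> float:
    return sum(w[a][b] for a, b in zip(order, order[1:]))


def best_path_exhaustive(w: list[list[float]]) -> list[int]:
    """Exact maximum-weight Hamiltonian path; only feasible for a handful of fragments."""
    n = len(w)
    return list(max(itertools.permutations(range(n)), key=lambda p: path_weight(w, p)))


def best_path_greedy(w: list[list[float]]) -> list[int]:
    """Heuristic: from every start fragment, repeatedly append the best unused successor; keep the best path."""
    n = len(w)
    best, best_w = [], -math.inf
    for start in range(n):
        order, unused = [start], set(range(n)) - {start}
        while unused:
            nxt = max(unused, key=lambda j: w[order[-1]][j])
            order.append(nxt)
            unused.remove(nxt)
        pw = path_weight(w, order)
        if pw > best_w:
            best, best_w = order, pw
    return best


def reassemble(fragments: list[bytes], exact: bool = False) -> bytes:
    """Place the fragments in the order given by the chosen path and concatenate them."""
    w = adjacency_weights(fragments)
    order = best_path_exhaustive(w) if exact else best_path_greedy(w)
    return b"".join(fragments[i] for i in order)


# Constructed sample: a small document cut at three points and handed over out of order.
DOCUMENT = b" ".join([b"alpha", b"beta", b"gamma", b"delta"] * 3)
CUTS = (8, 36, 49)
_pieces = [DOCUMENT[a:b] for a, b in zip((0,) + CUTS, CUTS + (len(DOCUMENT),))]
SHUFFLED = [_pieces[2], _pieces[0], _pieces[3], _pieces[1]]

if __name__ == "__main__":
    print(reassemble(SHUFFLED))
    print(reassemble(SHUFFLED, exact=True) == DOCUMENT)
```

The exhaustive search is there to show what the heuristic approximates; with n fragments it enumerates n! orderings, which is why the project relies on heuristics for real collections. Note that the model is trained on the fragments themselves, so a boundary bigram that never occurs inside any fragment carries no evidence; richer context models and larger collections are what make the adjacency scores informative in practice.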

/pubs/

/src/
Please email me regarding the source code.