
Performance analysis of network based forensic systems for in-line and out-of-line detection and logging.

Graves, Jamie, Buchanan, William J, Saliou, Lionel and Old, L John (2006) Performance analysis of network based forensic systems for in-line and out-of-line detection and logging. In: 5th European Conference on Information Warfare and Security (ECIW), 1st-2nd June 2006, National Defense College, Helsinki, Finland.

Available under License Creative Commons Attribution Non-commercial.


    Abstract/Description

    Network-based forensic investigations often rely on data provided by properly configured network-based devices. The logs from interconnected devices such as routers, servers and Intrusion Detection Systems (IDSs) can yield important information, which can be used during an investigation to piece together the events of a security incident. A device, such as a router, which performs its intended duties as well as logging tasks, can be defined as having in-line logging capabilities. A system that only performs these logging duties, such as an IDS, can be described as an out-of-line logging system.
    The usefulness of these logs, though, must be weighed against the impact that they have on the systems that produce them. Logging can introduce a detrimental burden on in-line devices, reducing their capability to provide core functionality, and the extra evidence generated could place an increased burden on the forensic investigator. Therefore, when configuring network devices, the security practitioner is the key to striking a careful balance between security, performance and generated data volume.
    This paper outlines an intensive experiment to compare and contrast different logging schemes. These tests are placed within the scenario of a forensic investigation, which involves extensive data logging and analysis. The metrics compare CPU utilisation, bandwidth usage, memory buffers, usefulness of these records to the investigation, and so on. The two logging systems examined are the Cisco 20x series based routers, for in-line logging capabilities with Syslog, and the IDS Snort for out-of-line logging. This work provides an empirical perspective by plotting the footprint that this logging scheme has on the core network infrastructure, thus providing a proposed optimal logging approach for a network, along with the comparative merits of in-line and out-of-line auditing systems.

    Item Type: Conference or Workshop Item (Paper)
    ISBN: 1905305206
    Additional Information: Remenyi, D. (ed.). Proceedings of the 5th European Conference on Information Warfare and Security ECIW 2006. Reading, Kidmore End: Academic Conferences, 1st June 2006. ISBN 1905305206 & ISBN13 9781905305209. 281p.
    Uncontrolled Keywords: Logging; Digital forensics; Network management; Network performance; Intrusion detection;
    University Divisions/Research Centres: Faculty of Engineering, Computing and Creative Industries > School of Computing
    Dewey Decimal Subjects: 000 Computer science, information & general works > 000 Computer science, knowledge & systems > 005 Computer programming, programs & data; 000 Computer science, information & general works > 000 Computer science, knowledge & systems > 005 Computer programming, programs & data > 005.8 Data security
    Library of Congress Subjects: Q Science > QA Mathematics > QA76 Computer software
    Item ID: 1838
    Depositing User: RAE Import
    Date Deposited: 22 Jul 2008 11:21
    Last Modified: 18 Jun 2012 14:15
    URI: http://researchrepository.napier.ac.uk/id/eprint/1838
