A proposed architecture for network forensic system in large-scale networks
Tala Tafazzoli, Elham Salahi, Hossein Gharaee

TL;DR
This paper proposes a comprehensive network forensic architecture with advanced analysis features like malware clustering, dynamic analysis, and anomaly detection to improve cybercrime investigation in large-scale networks.
Contribution
It introduces a novel architecture with an enhanced analysis component, including malware clustering, dynamic analysis, and behavior anomaly detection, improving forensic capabilities.
Findings
Enhanced malware clustering and ranking
Implementation of dynamic malware analysis
Effective detection of network anomalies
Abstract
Cybercrime is increasing at a fast pace and sometimes causes billions of dollars of business losses, so investigating attackers after an offence has been committed is of utmost importance and has become one of the main concerns of network managers. Network forensics, the process of collecting, identifying, extracting and analyzing data and systematically monitoring network traffic, is one of the main requirements for detecting and tracking criminals. In this paper, we propose an architecture for a network forensic system. Our proposed architecture consists of five main components: collection and indexing, database management, analysis component, SOC communication component and the database. The main difference between our proposed architecture and other systems is in the analysis component. This component is composed of four parts: Analysis and investigation subsystem, Reporting subsystem, Alert and…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Digital and Cyber Forensics
