{"title":"网络侦察调查:一种记忆取证方法","authors":"Mohammed I. Al-Saleh, Ziad Al-Sharif, L. Alawneh","doi":"10.1109/IACS.2019.8809084","DOIUrl":null,"url":null,"abstract":"Perpetrators utilize different network reconnaissance techniques in order to discover vulnerabilities and conduct their attacks. Port scanning can be leveraged to conclude open ports, available services, and even running operating systems along with their versions. Even though these techniques are effective, their aggressiveness for information gain could leave an apparent sign of attack, which can be observed by the variety of security controls deployed at the network perimeter of an organization. However, not all such attacks can be stopped nor the corresponding security controls can defend against insiders. In this paper, we tackle the problem of reconnaissance detection using a different approach. We utilize the rich information that is kept in memory (or RAM). We observe that packets sent or received stay in memory for a while. Our results show that inspecting memory for attack signs is beneficial. Furthermore, correlating contents that are obtained from different memories empowers the investigation process and helps reach to conclusions.","PeriodicalId":225697,"journal":{"name":"2019 10th International Conference on Information and Communication Systems (ICICS)","volume":"79 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-06-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":"{\"title\":\"Network Reconnaissance Investigation: A Memory Forensics Approach\",\"authors\":\"Mohammed I. Al-Saleh, Ziad Al-Sharif, L. Alawneh\",\"doi\":\"10.1109/IACS.2019.8809084\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Perpetrators utilize different network reconnaissance techniques in order to discover vulnerabilities and conduct their attacks. Port scanning can be leveraged to conclude open ports, available services, and even running operating systems along with their versions. Even though these techniques are effective, their aggressiveness for information gain could leave an apparent sign of attack, which can be observed by the variety of security controls deployed at the network perimeter of an organization. However, not all such attacks can be stopped nor the corresponding security controls can defend against insiders. In this paper, we tackle the problem of reconnaissance detection using a different approach. We utilize the rich information that is kept in memory (or RAM). We observe that packets sent or received stay in memory for a while. Our results show that inspecting memory for attack signs is beneficial. Furthermore, correlating contents that are obtained from different memories empowers the investigation process and helps reach to conclusions.\",\"PeriodicalId\":225697,\"journal\":{\"name\":\"2019 10th International Conference on Information and Communication Systems (ICICS)\",\"volume\":\"79 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2019-06-11\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"12\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2019 10th International Conference on Information and Communication Systems (ICICS)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/IACS.2019.8809084\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 10th International Conference on Information and Communication Systems (ICICS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IACS.2019.8809084","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Network Reconnaissance Investigation: A Memory Forensics Approach
Perpetrators utilize different network reconnaissance techniques in order to discover vulnerabilities and conduct their attacks. Port scanning can be leveraged to conclude open ports, available services, and even running operating systems along with their versions. Even though these techniques are effective, their aggressiveness for information gain could leave an apparent sign of attack, which can be observed by the variety of security controls deployed at the network perimeter of an organization. However, not all such attacks can be stopped nor the corresponding security controls can defend against insiders. In this paper, we tackle the problem of reconnaissance detection using a different approach. We utilize the rich information that is kept in memory (or RAM). We observe that packets sent or received stay in memory for a while. Our results show that inspecting memory for attack signs is beneficial. Furthermore, correlating contents that are obtained from different memories empowers the investigation process and helps reach to conclusions.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
