Skip to main content
Springer Nature Link
Log in

A New Approach to Executable File Fragment Detection in Network Forensics

  • Conference paper
Network and System Security (NSS 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8792))

Included in the following conference series:

  • 2219 Accesses

Abstract

Network forensics known as an extended phase of network security plays an essential role in dealing with cybercrime. The performance of a network forensics system heavily depends on the network attack detection solutions. Two main types of network attacks are network level and application level. Current research methods have improved the detection rate but this is still a challenge. We propose a Shannon entropy approach to this study to identify executable file content for anomaly-based network attack detection in network forensics systems. Experimental results show that the proposed approach provides high detection rate.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Perdisci, R., Ariu, D., Fogla, P., Giacinto, G., Lee, W.: McPAD: A multiple classifier system for accurate payload-based anomaly detection. Computer Networks 53, 864–881 (2009)

    Article  MATH  Google Scholar 

  2. Pilli, E.S., Joshi, R.C., Niyogi, R.: Network forensic frameworks: Survey and research challenges. Digital Investigation 7, 14–27 (2010)

    Article  Google Scholar 

  3. Like, Z., White, G.B.: An Approach to Detect Executable Content for Anomaly Based Network Intrusion Detection. In: IEEE International Parallel and Distributed Processing Symposium, IPDPS 2007, pp. 1–8 (2007)

    Google Scholar 

  4. Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. DTIC Document (2006)

    Google Scholar 

  5. Shannon, C.E., Weaver, W.: The mathematical theory of communication, vol. 19, p. 1. University of Illinois Press, Urbana (1949)

    MATH  Google Scholar 

  6. Chang, C.-C., Lin, C.-J.: LIBSVM: a library for support vector machines. ACM Transactions on Intelligent Systems and Technology (TIST) 2, 27 (2011)

    Google Scholar 

  7. Karresand, M., Shahmehri, N.: File Type Identification of Data Fragments by Their Binary Structure. In: 2006 IEEE Information Assurance Workshop, pp. 140–147 (2006)

    Google Scholar 

  8. Sportiello, L., Zanero, S.: File Block Classification by Support Vector Machine. In: 2011 Sixth Int. Conf. on Availability, Reliability and Security (ARES), pp. 307–312 (2011)

    Google Scholar 

  9. Veenman, C.J.: Statistical Disk Cluster Classification for File Carving. In: Third Int. Symposium on Information Assurance and Security, IAS 2007, pp. 393–398 (2007)

    Google Scholar 

  10. Pietrek, M.: Inside Windows-An In-Depth Look into the Win32 Portable Executable File Format, Part 2. MSDN magazine, 87–100 (2002)

    Google Scholar 

  11. Yasinsac, A., Manzano, Y.: Policies to enhance computer and network forensics. In: Proc. of the IEEE Workshop on Information Assurance and Security, pp. 289–295 (2001)

    Google Scholar 

  12. McDaniel, M., Heydari, M.H.: Content based file type detection algorithms. In: Proc. of the 36th Annual Hawaii International Conference on System Sciences, p. 10 (2003)

    Google Scholar 

  13. Fitzgerald, S., Mathews, G., Morris, C., Zhulyn, O.: Using NLP techniques for file fragment classification. Digital Investigation 9(suppl.), S44–S49 (2012)

    Google Scholar 

  14. Axelsson, S.: The Normalised Compression Distance as a file fragment classifier. Digital Investigation 7(suppl.), S24–S31 (2010)

    Google Scholar 

  15. Wei-Jen, L., Ke, W., Stolfo, S.J., Herzog, B.: Fileprints: identifying file types by n-gram analysis. In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop, IAW 2005, pp. 64–71 (2005)

    Google Scholar 

  16. Shannon, M.: Forensic relative strength scoring: ASCII and entropy scoring. International Journal of Digital Evidence 2, 151–169 (2004)

    Google Scholar 

  17. Hall, G.A.: Sliding window measurement for file type identification (2006)

    Google Scholar 

  18. Amirani, M.C., Toorani, M., Mihandoost, S.: Feature-based Type Identification of File Fragments. Security and Communication Networks 6, 115–128 (2013)

    Article  Google Scholar 

  19. Roussev, V., Garfinkel, S.L.: File Fragment Classification-The Case for Specialized Approaches. In: Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2009, pp. 3–14 (2009)

    Google Scholar 

  20. Roussev, V., Quates, C.: File fragment encoding classification—An empirical approach. Digital Investigation 10(suppl.), S69–S77 (2013)

    Google Scholar 

  21. Garfinkel, S., Farrell, P., Roussev, V., Dinolt, G.: Bringing science to digital forensics with standardized forensic corpora. Digital Investigation 6, S2–S11 (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Faculty of Education, Science, Technology and Mathematics, University of Canberra, ACT, 2601, Australia

    Khoa Nguyen, Dat Tran, Wanli Ma & Dharmendra Sharma

Authors
  1. Khoa Nguyen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Dat Tran
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Wanli Ma
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Dharmendra Sharma
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computing, Hong Kong Polytechnic University, Hung Hom, Kowloon, Hong Kong

    Man Ho Au

  2. Department of Computer Science and Communication, University of Insubria, Via Mazzini, 5, 21100, Varese, Italy

    Barbara Carminati

  3. Ming Hsieh Department of Electrical Engineering, University of Southern California, 3740 McClintock Avenue, EEB 100, 90089-2560, Los Angeles, CA, USA

    C.-C. Jay Kuo

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Nguyen, K., Tran, D., Ma, W., Sharma, D. (2014). A New Approach to Executable File Fragment Detection in Network Forensics. In: Au, M.H., Carminati, B., Kuo, CC.J. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 8792. Springer, Cham. https://doi.org/10.1007/978-3-319-11698-3_40

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-11698-3_40

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11697-6

  • Online ISBN: 978-3-319-11698-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics