Abstract

Network forensics aids in the identification of distinct network-based attacks through packet-level analysis of collected network traffic, and it also reveals the attacker's intentions and operations. Once attacks are identified, an efficient network attack detection model must be designed. Therefore, this work modifies the generic network forensic framework for attack investigation with two primary objectives, i.e., analysis and detection of attacks. In the proposed framework, a three-level analysis is performed. First, packet-level analysis is performed to study the attack behavior. Second, a graphical analysis is completed to determine both the attack flow and whether a node is an attacker or a victim; it also assigns each node a score indicating the severity of the attack. Finally, forensics exploratory data analysis (FEDA) is performed to distinguish the distribution of different features during attack and normal scenarios. For attack detection, the framework uses a one-dimensional convolutional neural network (CNN-1D). The CSE-CIC-IDS2018 (CIC2018), UNSW-NB15 and CIC-Darknet2020 datasets are used to test the performance of the proposed framework, on which it classifies distinct classes of attacks with an accuracy of 99.4%, 99.0%, and 90%, respectively. The results show that the proposed framework is more effective than previous works in attack detection and network traffic classification.
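The graphical analysis and FEDA steps described above, as an added illustration that is not the paper's code: labelled flow records (constructed here, not taken from CIC2018, UNSW-NB15 or CIC-Darknet2020) are turned into a directed attack graph, each node is classified as attacker or victim from its in/out attack edges, and a severity score is attached. The scoring rule (distinct attack peers plus log-scaled packet volume) and the attacker/victim rule are assumptions chosen for the example, not the paper's definitions; the abstract does not specify them.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One flow summary as an IDS dataset would export it (subset of fields)."""
    src: str
    dst: str
    dst_port: int
    packets: int
    label: str  # "benign" or an attack category


# Constructed sample records; not drawn from any of the datasets named in the abstract.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5",    "10.0.0.20", 80,  12,  "benign"),
    Flow("10.0.0.7",    "10.0.0.20", 22,  4,   "benign"),
    Flow("10.0.0.20",   "10.0.0.5",  80,  11,  "benign"),
    Flow("172.16.0.9",  "10.0.0.20", 80,  900, "dos"),
    Flow("172.16.0.9",  "10.0.0.21", 80,  850, "dos"),
    Flow("172.16.0.9",  "10.0.0.22", 443, 870, "dos"),
    Flow("172.16.0.14", "10.0.0.20", 22,  30,  "bruteforce"),
    Flow("172.16.0.14", "10.0.0.20", 22,  28,  "bruteforce"),
]

Edge = Tuple[str, str]


def build_attack_graph(flows: Iterable[Flow]) -> Dict[Edge, dict]:
    """Directed graph of attack-labelled flows; one edge per (src, dst), aggregated."""
    edges: Dict[Edge, dict] = defaultdict(lambda: {"flows": 0, "packets": 0, "labels": set()})
    for f in flows:
        if f.label == "benign":
            continue  # benign traffic does not contribute edges to the attack graph
        e = edges[(f.src, f.dst)]
        e["flows"] += 1
        e["packets"] += f.packets
        e["labels"].add(f.label)
    return dict(edges)


def severity(edge_count: int, packets: int) -> float:
    """Assumed severity score: distinct attack peers plus log-scaled attack packet volume."""
    return round(edge_count + math.log10(1 + packets), 2)


def classify_nodes(edges: Dict[Edge, dict]) -> Dict[str, dict]:
    """Label each node attacker or victim from its position in the attack graph and score it."""
    out_deg: Dict[str, int] = defaultdict(int)
    in_deg: Dict[str, int] = defaultdict(int)
    out_pkts: Dict[str, int] = defaultdict(int)
    in_pkts: Dict[str, int] = defaultdict(int)
    for (src, dst), e in edges.items():
        out_deg[src] += 1
        in_deg[dst] += 1
        out_pkts[src] += e["packets"]
        in_pkts[dst] += e["packets"]
    result: Dict[str, dict] = {}
    for n in set(out_deg) | set(in_deg):
        # Assumed rule: a node originating more attack edges than it receives is an
        # attacker; otherwise (including ties) it is treated as a victim.
        if out_deg[n] > in_deg[n]:
            result[n] = {"role": "attacker", "score": severity(out_deg[n], out_pkts[n])}
        else:
            result[n] = {"role": "victim", "score": severity(in_deg[n], in_pkts[n])}
    return result


def attack_flow(edges: Dict[Edge, dict], attacker: str) -> List[Tuple[str, int, str]]:
    """Outgoing attack edges of one node: (victim, packets, comma-joined labels)."""
    return sorted(
        (dst, e["packets"], ",".join(sorted(e["labels"])))
        for (src, dst), e in edges.items() if src == attacker
    )


def feature_distribution(flows: Iterable[Flow], feature: str = "packets") -> Dict[str, dict]:
    """Per-class min/mean/max of one feature: the kind of attack-vs-normal comparison
    FEDA performs before a detector is trained."""
    by_label: Dict[str, List[float]] = defaultdict(list)
    for f in flows:
        by_label[f.label].append(getattr(f, feature))
    return {
        lbl: {"n": len(v), "min": min(v), "mean": round(sum(v) / len(v), 2), "max": max(v)}
        for lbl, v in by_label.items()
    }


if __name__ == "__main__":
    g = build_attack_graph(SAMPLE_FLOWS)
    for node, info in sorted(classify_nodes(g).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{node:12} {info['role']:8} severity={info['score']}")
    print("attack flow from 172.16.0.9:", attack_flow(g, "172.16.0.9"))
    print(feature_distribution(SAMPLE_FLOWS))
```

Aggregating repeated flows into one edge (the two brute-force attempts from 172.16.0.14) keeps the score driven by distinct victims rather than by retry count; a practitioner who wants retries to count would weight the edge by its flow count instead.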
