cs.CR - Nov 8, 2017

RCNF: Real-time Collaborative Network Forensic Scheme for Evidence Analysis

arXiv:1711.02824v1 - 9 citations
Originality: Incremental advance
AI Analysis

This work addresses efficient network forensic analysis for security practitioners; it reads as incremental, since it combines established capture and feature-selection techniques with a new anomaly detection method rather than changing the overall approach.

The paper tackles the challenge of real-time cyber intrusion investigation in high-speed networks by proposing RCNF, a scheme that captures network data, selects features with chi-square, and detects anomalies using correntropy-variation, achieving high accuracy and low false alarm rates on the UNSW-NB15 dataset compared to state-of-the-art methods.

Network forensic techniques help in tracking different types of cyber attacks by monitoring and inspecting network traffic. However, with the high speed and large sizes of current networks, and the sophisticated philosophy of attackers, in particular mimicking normal behaviour and/or erasing traces to avoid detection, investigating such crimes demands intelligent network forensic techniques. This paper suggests a real-time collaborative network forensic scheme (RCNF) that can monitor and investigate cyber intrusions. The scheme includes three components: capturing and storing network data, selecting important network features using the chi-square method, and investigating abnormal events using a new technique called correntropy-variation. We provide a case study using the UNSW-NB15 dataset for evaluating the scheme, showing its high performance in terms of accuracy and false alarm rate compared with three recent state-of-the-art mechanisms.
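The two analysis stages named in the abstract, chi-square feature selection followed by a correntropy-based anomaly check, as an added worked example. This is illustration code written for this page, not the RCNF authors' implementation, and the paper's exact "correntropy-variation" formulation is not on the page: the example assumes the standard correntropy estimator (mean Gaussian-kernel value between a flow's standardised feature vector and a normal profile) with a mean-minus-k-sigma alarm threshold. The flow records are constructed; they reuse UNSW-NB15-style feature names (dur, sbytes, dbytes, sttl) but are not rows from the dataset.

```python
"""Chi-square feature ranking plus a correntropy-based anomaly score over
constructed flow records. Added illustration, not the RCNF authors' code."""
import math
from collections import defaultdict
from statistics import mean, pstdev

FEATURES = ["dur", "sbytes", "dbytes", "sttl"]   # UNSW-NB15-style names only


def make_flows(n_normal=60, n_attack=40):
    """Constructed flows (invented, deterministic values; not dataset rows).
    Only sttl and sbytes separate the classes; dur and dbytes are noise."""
    flows = []
    for i in range(n_normal):
        flows.append({"dur": (i % 7) * 0.3, "sbytes": 200 + 30 * i,
                      "dbytes": 100 + 50 * ((i * 7) % 60),
                      "sttl": 31 if i % 2 == 0 else 62, "label": 0})
    for j in range(n_attack):
        flows.append({"dur": (j % 7) * 0.3, "sbytes": 20 + j,
                      "dbytes": 100 + 50 * ((j * 11) % 60),
                      "sttl": 254, "label": 1})
    return flows


def chi_square(flows, feature, bins=4):
    """Chi-square statistic between an equal-width binning of `feature` and
    the class label: sum over contingency cells of (O - E)^2 / E."""
    values = [f[feature] for f in flows]
    lo, hi = min(values), max(values)
    width = (hi - lo) / bins or 1.0          # guard a constant feature
    table = defaultdict(int)
    for f in flows:
        b = min(int((f[feature] - lo) / width), bins - 1)
        table[(b, f["label"])] += 1
    n = len(flows)
    row, col = defaultdict(int), defaultdict(int)
    for (b, label), count in table.items():
        row[b] += count
        col[label] += count
    stat = 0.0
    for b in row:
        for label in col:
            expected = row[b] * col[label] / n   # > 0: rows/cols are non-empty
            stat += (table[(b, label)] - expected) ** 2 / expected
    return stat


def rank_features(flows, features=FEATURES):
    """Features sorted by chi-square, most label-dependent first."""
    scored = [(name, chi_square(flows, name)) for name in features]
    return sorted(scored, key=lambda t: -t[1])


def gaussian_kernel(e, sigma=1.0):
    return math.exp(-e * e / (2 * sigma * sigma)) / (sigma * math.sqrt(2 * math.pi))


class CorrentropyDetector:
    """Profile = per-feature mean/std of normal flows. A flow's score is the
    correntropy estimate V = (1/d) * sum_j G_sigma(z_j) between its standardised
    vector z and the profile centre (the zero vector). Flows far from the
    profile get tiny kernel values, hence a low V. The alarm threshold
    (mean - k * std of V over the normal training flows) is this example's
    assumption, not necessarily the paper's formulation."""

    def __init__(self, features, k=3.0, sigma=1.0):
        self.features, self.k, self.sigma = features, k, sigma

    def fit(self, normal_flows):
        self.mu = {f: mean(x[f] for x in normal_flows) for f in self.features}
        self.sd = {f: pstdev(x[f] for x in normal_flows) or 1.0 for f in self.features}
        base = [self.score(x) for x in normal_flows]
        self.threshold = mean(base) - self.k * pstdev(base)
        return self

    def score(self, flow):
        z = [(flow[f] - self.mu[f]) / self.sd[f] for f in self.features]
        return sum(gaussian_kernel(v, self.sigma) for v in z) / len(z)

    def is_anomalous(self, flow):
        return self.score(flow) < self.threshold


def evaluate(k_features=2):
    """Rank features on labelled flows, keep the top k, fit the profile on
    two thirds of the normal flows, and score the rest plus all attacks."""
    flows = make_flows()
    ranked = rank_features(flows)
    selected = [name for name, _ in ranked[:k_features]]
    normal = [f for f in flows if f["label"] == 0]
    train = [f for idx, f in enumerate(normal) if idx % 3 != 0]
    held_normal = [f for idx, f in enumerate(normal) if idx % 3 == 0]
    attacks = [f for f in flows if f["label"] == 1]
    det = CorrentropyDetector(selected).fit(train)
    return {"ranking": ranked, "selected": selected, "threshold": det.threshold,
            "detection_rate": sum(det.is_anomalous(f) for f in attacks) / len(attacks),
            "false_alarm_rate": sum(det.is_anomalous(f) for f in held_normal) / len(held_normal)}


if __name__ == "__main__":
    res = evaluate()
    for name, stat in res["ranking"]:
        print(f"{name:7s} chi2={stat:8.2f}")
    print("selected", res["selected"], "threshold %.3f DR %.2f FAR %.2f"
          % (res["threshold"], res["detection_rate"], res["false_alarm_rate"]))
```

Two practitioner caveats the example makes visible: equal-width binning before chi-square is sensitive to outliers in heavy-tailed byte counts (a single huge flow stretches every bin), and the detector's false alarm rate is measured on normal flows held out from profile fitting; scoring the training flows themselves would understate it.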
