Abstract: Network traces are one of the most exhaustive data sources for the forensic investigation of computer security incidents. Recent advances in network trace capture techniques have facilitated forensic processing, including reconstruction. Unfortunately, off-line reconstruction of web-downloading chains cannot meet the demands of real-time processing. Furthermore, the packets in prior studies are mainly captured on the client or server side, which makes it difficult to monitor network traffic in real time. Consequently, reconstructing web-downloading chains online from packets captured at the gateway is becoming a challenge. In this paper, based on packets captured at the gateway, we propose a novel system, CookieMiner. CookieMiner first identifies the web-downloading resources and then uses cookies to reconstruct the web-downloading chains in reverse. All cookies are first split into a series of tokens by semicolon, and a threshold value is set by the SET_K algorithm according to the number of tokens. Next, the HTTP packets whose number of tokens is greater than the threshold are sorted by timestamp and then inserted into the corresponding web-downloading chain. Finally, the most frequent URLs are extracted as entry points from all the chains with the same web-downloading resources. In addition, in a user study involving 6 pair-wise downloading applications, CookieMiner reconstructed the web-downloading chains and found their entry points with high precision and a low false positive rate.
Keywords: real-time, network traffic, reconstruction
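The reconstruction steps sketched in the abstract (tokenize cookies, threshold by SET_K, sort by timestamp, build chains, pick the most frequent URL as entry point), as an added illustrative example that is not the paper's code. The abstract does not define SET_K, how requests are assigned to a chain, or how download resources are identified, so this example assumes a median-based threshold, a session key taken from the first cookie token, a file-extension heuristic for download resources, and a small constructed set of gateway-observed requests.

```python
from collections import Counter
from statistics import median

# Constructed sample of HTTP requests seen at a gateway: (timestamp, url, Cookie header).
REQUESTS = [
    (1.0, "http://site.example/index.html", "sid=abc; theme=dark; lang=en"),
    (2.0, "http://site.example/downloads", "sid=abc; theme=dark; lang=en; ref=home"),
    (3.0, "http://site.example/files/tool.exe", "sid=abc; theme=dark; lang=en; ref=home; dl=1"),
    (1.5, "http://cdn.example/tracker.gif", "t=1"),
    (4.0, "http://site.example/index.html", "sid=xyz; theme=light; lang=de"),
    (5.0, "http://site.example/files/tool.exe", "sid=xyz; theme=light; lang=de; dl=1"),
]
# Assumed heuristic for "web-downloading resources": URL path suffix.
DOWNLOAD_SUFFIXES = (".exe", ".zip", ".msi")


def cookie_tokens(cookie):
    # Step 1 from the abstract: split the Cookie header into tokens by semicolon.
    return [t.strip() for t in cookie.split(";") if t.strip()]


def set_k(token_counts):
    # Assumed stand-in for SET_K (not defined in the abstract):
    # half the median token count, never below 1.
    return max(1, median(token_counts) // 2)


def session_key(tokens):
    # Assumption: requests belong to the same chain when they share the first
    # cookie token (the session identifier in the constructed sample).
    return tokens[0] if tokens else None


def reconstruct_chains(requests):
    # Keep only requests whose token count exceeds the threshold, order them by
    # timestamp, and append each to the chain of its session.
    tokenized = [(ts, url, cookie_tokens(c)) for ts, url, c in requests]
    k = set_k([len(t) for _, _, t in tokenized])
    chains = {}
    for ts, url, tokens in sorted(tokenized):
        if len(tokens) <= k:
            continue  # too few tokens: e.g. a bare tracker cookie
        chains.setdefault(session_key(tokens), []).append(url)
    return chains  # session key -> ordered list of URLs


def entry_points(chains):
    # For each download resource, count the other URLs in every chain that
    # reaches it and report the most frequent one as the entry point.
    by_resource = {}
    for chain in chains.values():
        for url in chain:
            if url.endswith(DOWNLOAD_SUFFIXES):
                by_resource.setdefault(url, Counter()).update(u for u in chain if u != url)
    return {res: c.most_common(1)[0][0] for res, c in by_resource.items()}
```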