Please use this identifier to cite or link to this item:
http://hdl.handle.net/2031/413
| Title: | BALL: designing and implementing network black box |
| Authors: | Li, Anthony Yat Wan |
| Department: | Department of Computer Science |
| Issue Date: | 2005 |
| Supervisor: | Prof. Jia Xiaohua. First Reader: Dr. Wan Pengjun. Second Reader: Miss Mong Florence |
| Abstract: | When it comes to network security, firewalls must be mentioned. However,
firewalls failed to block attacks from the application layer, as they permitted
vulnerable protocols such as HTTP and FTP to pass. New technologies
such as intrusion detection systems (IDS) and intrusion prevention
systems (IPS) have brought us a new problem of accuracy. While the
former generated tons of confusing alerts with false positives mixed
in and no trace of false negatives, the latter even blocked innocent
traffic and caused losses through service outages. On the other hand, attacks have
become more sophisticated: hackers were targeting applications. And
the new explosion of zero-day attacks, which occurred on the day of
announcement of the corresponding vulnerability, urged security
professionals to redefine the conventional mechanisms in information
security. For those reasons, network forensics analysis has been applied
since the time computer networks were born. It aimed to collect evidence
for counts after an incident, and it has evolved even further to
gather evidence before, during and after an incident. This project focused
on the current technologies in network security and network forensics, to
design an innovative system model for both areas based on the idea of a
‘Black Box’, called ‘BALL: the Network Black Box’. To address practical
issues such as growing network speed and limited storage space, ‘Packet
Dispatching’, which evolved from traditional packet filtering, was
proposed to solve the problem by dispatching a packet into different
storage queues with different limits according to different sets of filters,
which together formed different capture rules. Finally, two versions of the
model – ballCLI and ballGUI – were implemented and tested for
verification. |
| Appears in Collections: | Computer Science - Undergraduate Final Year Projects |
Items in CityU IR are protected by copyright, with all rights reserved, unless otherwise indicated.