Cart (Loading....) | Create Account
Close category search window
 

Payload Attribution via Character Dependent Multi-Bloom Filters

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

3 Author(s)
Haghighat, M.H. ; Dept. of Comput. Eng., Sharif Univ. of Technol., Tehran, Iran ; Tavakoli, M. ; Kharrazi, M.

Network forensic analysts employ payload attribution systems (PAS) as an investigative tool, which enables them to store and summarize large amounts of network traffic, including full packet payload. Hence an investigator could query the system for a specific string and check whether any of the packets transmitted previously in the network contained that specific string. As a shortcoming, the previously proposed techniques are unable to support wildcard queries. Wildcards are an important type of query that allow the investigator to locate strings in the payload when only part of the string is known. In this paper, a new data structure for payload attribution, named Character Dependent Multi-Bloom Filters, will be presented which, in addition to improving the previously proposed techniques, is able to support wildcard queries as well. To this end, a theoretical study of the proposed method was conducted in order to evaluate its false positive when responding to queries and subsequently the theoretical analysis is verified through a number of experiments. Furthermore, comparisons are made between the proposed method and the state-of-the-art attribution techniques presented in the literature. The results suggest that, using the Character Dependent Multi-Bloom Filters, one can obtain a data reduction ratio of about 265 : 1 opposed to 210 : 1 as obtained by the previously proposed state-of-the-art techniques assuming a similar false-positive rate. More importantly, the results indicate that a wildcard query with seven unknown characters would take approximately less than 1 second to process, using the proposed method; while given the previous techniques, as an exhaustive search is required, the same query takes about 4500 years to process.

Published in:

Information Forensics and Security, IEEE Transactions on  (Volume:8 ,  Issue: 5 )

Date of Publication:

May 2013

Need Help?


IEEE Advancing Technology for Humanity About IEEE Xplore | Contact | Help | Terms of Use | Nondiscrimination Policy | Site Map | Privacy & Opting Out of Cookies

A not-for-profit organization, IEEE is the world's largest professional association for the advancement of technology.
© Copyright 2014 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.