Computer Communications 36 (2013) 1471–1484

Contents lists available at SciVerse ScienceDirect

Computer Communications
journal homepage: www.elsevier.com/locate/comcom

A scalable network forensics mechanism for stealthy self-propagating

attacks
Li Ming Chen a,⇑, Meng Chang Chen b, Wanjiun Liao a, Yeali S. Sun c
a
Department of Electrical Engineering, National Taiwan University, No. 1, Sec. 4, Roosevelt Rd., Taipei 106, Taiwan
b
Institute of Information Science, Academia Sinica, No. 128, Sec. 2, Academia Rd., Nankang, Taipei 115, Taiwan
c
Department of Information Management, National Taiwan University, No. 1, Sec. 4, Roosevelt Rd., Taipei 106, Taiwan

a r t i c l e i n f o a b s t r a c t

Article history: Network forensics supports capabilities such as attacker identification and attack reconstruction, which
Received 23 August 2012 complement the traditional intrusion detection and perimeter defense techniques in building a robust
Received in revised form 10 May 2013 security mechanism. Attacker identification pinpoints attack origin to deter future attackers, while attack
Accepted 11 May 2013
reconstruction reveals attack causality and network vulnerabilities. In this paper, we discuss the problem
Available online 30 May 2013
and feasibility of back tracking the origin of a self-propagating stealth attack when given a network traffic
trace for a sufficiently long period of time. We propose a network forensics mechanism that is scalable in
Keywords:
computation time and space while maintaining high accuracy in the identification of the attack origin.
Network forensics
Data reduction
We further develop a data reduction method to filter out attack-irrelevant data and only retain evidence
Stealthy self-propagating attack relevant to potential attacks for a post-mortem investigation. Using real-world trace driven experiments,
Contact activity we evaluate the performance of the proposed mechanism and show that we can trim down up to 97% of
attack-irrelevant network traffic and successfully identify attack origin.
Ó 2013 Elsevier B.V. All rights reserved.

1. Introduction rate of false positives. In addition, the lifespan of a stealth attack

Advanced Internet attacks tend to adopt indirect attack tech-
niques to conceal attack origins and provide attackers with ano-
nymity from security analysts. A self-propagating malcode [1],
for example, usually probes and compromises remote targets on
vulnerable services and replicates itself to the remote targets to
push the attack forward; thus, after several rounds of propagation,
the attack origin is indistinguishable from the victims that are in-
fected by other victims. Although current intrusion detection tech-
niques [2–4] can support certain types of perimeter protection,
they cannot provide effective deterrence by identifying the attack
origin. However, network forensics supporting capabilities such
as attacker identification and attack reconstruction can comple-
ment traditional intrusion detection techniques in building a ro-
bust security mechanism.
Stealth attacks specially crafted to evade intrusion detection
techniques may aggravate the security risks. In contrast with tradi-
tional Internet attacks, a stealth attack may use a variable rate to
scan victims and/or use polymorphism techniques to elude signa-
ture-based intrusion detection systems. This type of attack can re-
main undetectable indefinitely or can only be detected with a high
⇑ Corresponding author. Tel.: +886 2 27883799x1376; fax: +886 2 26518661.
E-mail addresses: d95921021@ntu.edu.tw (L.M. Chen), mcc@iis.sinica.edu.tw
(M.C. Chen), wjliao@cc.ee.ntu.edu.tw (W. Liao), sunny@im.ntu.edu.tw (Y.S. Sun).
might last for so long that applying forensic investigation on such
an extend time scale becomes even more challenging. In this paper,
we discuss the problem and feasibility of back tracking the origin
of a self-propagating stealth attack when given a network traffic
trace for a sufficiently long period of time. The challenges of such
a long-term network forensics cover three aspects:
 Storage: Enormous amounts of audit data generated over a long
period need to be retained for forensic investigation.
 Computation: Forensic investigation is computationally inten-
sive. Correlating and identifying suspicious events from a huge
dataset is time consuming.
 Accuracy: Attack traffic usually blends in with other daily Inter-
net traffic. Large amounts of irrelevant data during an investiga-
tion imply more noise, and thus lower accuracy.
To address these challenges, we propose a network forensics
mechanism that is scalable in computation time and space while
maintaining high accuracy in the identification of the attack origin.
We develop a data reduction method based on host contact activ-
ities to filter out attack-irrelevant data and only retain evidence
relevant to potential attacks for post-mortem investigation. This
strategy is premised on the ability to profile normal user behavior,
and the condition that an infected host must contact previously
uncontacted hosts to push the attack forward. After performing

0140-3664/$ - see front matter Ó 2013 Elsevier B.V. All rights reserved.
http://dx.doi.org/10.1016/j.comcom.2013.05.005
1472 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484
the data reduction, we analyze and correlate the retained traffic to
pinpoint the attack origin.
In this study, we collect real-world traffic traces from a campus-
wide network at two periods of time in 2006 and 2011. We inject
synthetic worm traffic into real-world traffic traces to simulate a
slow self-propagating attack and we evaluate the performance of
data reduction by classifying traffic in the combined traces. For
the forensic investigation, we adopt the random moonwalk
(RMW) [5] as the forensic algorithm. This algorithm has been dem-
onstrated to be effective against worm attacks on a short term trace,
unlike the basic algorithm which cannot deal with long-term
network forensics. We also evaluate the accuracy of the RMW and
compare the forensic results with and without the use of data
reduction. The results show that different traces have different
characteristics that result in different outcomes for data reduction.
However, on average the proposed data reduction method not only
alleviates the overwhelming storage and processing demands, but
also improves the forensic accuracy in long-term network forensics.
The contributions of our work can be summarized in the follow-
ing points:
 We develop a scalable network forensics mechanism that
reduces up to 97% of attack-irrelevant network traffic,
which leads to higher accuracy and lower overhead in the
forensic investigation for self-propagating stealth attacks.
 The proposed data reduction method allows users to spec-
ify an expected false positive rate to guarantee the quality
of the forensic investigation. The RMW algorithm is then
applied to the reduced traffic trace to identify the attack
origin.
 The proposed data reduction method is solely based on
identifying deviations of host contact behavior, such that
the use of intrusion evasion techniques (e.g., encryption,
mutation, and special target acquisition) in an attack can
be resolved.
 We apply the proposed mechanism to two sets of real-
world traffic traces with different network connection
behaviors, with the successful performance of data reduc-
tion and attack origin identification showing the robust-
ness of the proposed mechanism.
The remainder of this paper is organized as follows. We review
the RMW algorithm and related work in Section 2. We present the
motivation and our approach, as well as the system architecture in
Section 3. The concept of data reduction and the development of
traffic filters are described in Section 4. Section 5 presents the de-
tails of the experiment methodology and Section 6 discusses the
evaluation results. We discuss limitations and some practical is-
sues in Section 7 and conclude the paper in Section 8.
2. Background
In this section, we first introduce the RMW algorithm and dis-
cuss its advantages and drawbacks in dealing with the problem
of long-term network forensics. We then discuss related works
for this study.
2.1. Overview of the RMW algorithm
The input of the RMW algorithm is a directed host contact graph
that records network communications between end-hosts through
time. Each node in the graph represents the state of an end-host at
a specific time. Each directed edge represents a connection be-
tween two communication peers, pointing from the initiator to
the receiver. In the host contact graph, edges are categorized into
three classes. An attack edge represents a connection that carries
an infectious payload to the receiver. If the receiver has the corre-
sponding vulnerability, it will be compromised and its state will
switch to ‘‘infected;’’ otherwise, its state remains as ‘‘uninfected.’’
A causal edge is an edge through which the corresponding connec-
tion in fact infects its receiver and advances the attack forward.
Causal edges are subsets of attack edges. The rest of the edges in
the graph that represent legitimate connections are defined as nor-
mal edges.
The design concept of the RMW is based on the one invariant
across all epidemic style attacks: in the host contact graph, causal
edges form a causal tree that depicts the proliferation structure of
an epidemic style attack and is rooted at the source of the attack.
In order to pinpoint the origin of the epidemic, the goal of the
RMW is to identify a set of initial causal edges at the top level of
the causal tree. Fig. 1 lists the steps of the RMW algorithm. By
repeatedly sampling moonwalk paths backward in time, it is ex-
pected that the algorithm will converge over the causal tree. The
underlying intuition is that in the tree-like structure of an epidemic
style attack, a small number of causal edges at the higher level of
the causal tree generate an exponential order of lower level causal
edges further down the tree. Therefore, after a sufficient number of
moonwalk paths have been performed on the host contact graph,
the initial causal edges will emerge as the edges with large counts.
2.2. The challenge of RMW in long-term forensics
According to the algorithm, parameters W; d, and Dt determine
the performance of the algorithm. This section summarizes their
effects for attack origin identification and discusses the potential
problems that the RMW may encounter when dealing with a slow
propagation attack.
The parameter W represents the number of trials of sampled
moonwalk paths on a host contact graph. For analyzing an attack,
it is necessary that the value of W is large enough to make the path
sampling converge at the higher level edges of the causal tree. Fur-
ther increasing W will not improve the apparent accuracy, but will
instead increase the overall execution time of the RMW. For a slow
propagation attack, the amount of attack edges may become rela-
tively smaller than the amount of normal edges; hence a moon-
walk path has a smaller probability to reach the root of the
causal tree. It is difficult to predict a suitable value for W to launch
RMW back tracking.
The parameter d, which restricts the length of a moonwalk path,
and Dt, which defines the longest interval of two consecutive edges
on a moonwalk path, have a certain correlation with respect to the
accuracy of the RMW. In [5], Xie et al. suggest using an adaptive ap-
proach to fine-tune these two parameters. By choosing a Dt that
gives the longest actual path lengths (a hint for configuring d),
the algorithm will obtain the best sampling performance. It is clear
that the value of Dt must be sufficiently large to associate the at-
tack edges generated by an infected host to the specific causal edge
of that host. A further increase in Dt negatively impacts the RMW,
because each moonwalk path tends to be shorter by jumping
across a larger portion of the trace for every moonwalk step. For
long-term network forensics, however, we must set Dt sufficiently
large to cover the behavior of an infected host before and after its
infection. This introduces another problem with such configura-
tion: the set of candidate edges of each moonwalk step might be
dominated by normal edges, and thus the RMW algorithm will
be difficult to converge on the attack origin.
2.3. Related work
To date, while there have been a few approaches that support
the detection of slow propagation worms [6–9], none of them
 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484
Fig. 1. Random moonwalk algorithm. An edge is denoted as a tuple ei ¼ fui ; v i ; t si ; tei g where ui is the initiator, v i is the receiver, and tsi and tei are the start and end times of the
communication.
provide the capability of network forensics. Further, Stanfford et al.
[10] compared different behavior-based worm detectors and found
that a stealth worm could evade all the evaluated detectors in all
environments.
In [5], Xie et al. first discovered the problem of worm origin
identification by inferring correlations among network hosts from
their communication patterns. They exploited the difference be-
tween worm propagation and common client–server communica-
tion model and showed the effectiveness of the proposed RMW
algorithm. However, their work did not discuss the scalability is-
sue, which is addressed in this paper. We propose a pre-filtering
step for data reduction and demonstrate the performance improve-
ments. Besides the RMW, there has been some work focusing on
tracking worm origins. For example, Kumar et al. [11] reverse engi-
neered the pseudorandom number sequence used by the Witty
Worm and reconstructed the infection tree. This approach requires
disassembly of the worm’s binary code and can be thwarted by
more determined attackers. Based on a network telescope log data,
Rajab et al. [12] and Hamadeh et al. [13]proposed inferring the ini-
tial infection sequence (or the initial infection tree) of a worm at-
tack. These approaches are more suitable for analyzing random
scanning worms, and their performances are usually affected by
the size of the network telescope. Xiang et al. [14] improved the
RMW algorithm to support online attack reconstruction. However,
it cannot deal with stealth attacks. Wang et al.[15], applying prob-
abilistic modeling methods and a sequential growth model to ana-
lyze the infection tree of a wide class of worms, demonstrated that
a general worm infection tree is highly unbalanced. It also give us a
hint that directly applying the RMW algorithm on a raw traffic
trace might be insufficient.
Network Forensics is an important extension in network secu-
rity. In [16], Wang et al. summarized two major technical chal-
lenges in network forensics. The first is that forensic analysts are
overwhelmed by huge volumes of low-quality evidence, and the
second is that Cyber attacks are becoming increasingly sophisti-
cated. For these reasons, how to identify useful network events
and record minimum representative attributes for each event for
a long-term network forensics is critical. ForNet [17] supports dis-
tributed and efficient network logging that can be deployed in a
wide area network to aid network forensics. It also focuses on data
1473
reduction and utilizes synopsis techniques to capture network
events in a succinct way. Wang et al. [16] use an evidence graph
model to preserve network events and automated reason attack
causality based on a hierarchical reasoning framework. Their ap-
proach identifies entities of an attack and discerns the complete at-
tack scenario among those entities, while our work especially
focuses on addressing the problem of long-term network forensics.
Liao et al. [18] propose an effective and automated network foren-
sic system based on fuzzy logic and expert system. Anaya et al. [19]
further use fuzzy logic and an artificial neural network to detect
suspicious network flows and to address the challenges of enor-
mous data being logged for network forensic computing. Our ap-
proach differs from this work because our data reduction method
and forensic investigation are both based on host contact activities
which we think is the feature that is most difficult to conceal in a
worm infection. Other network forensic models or frameworks can
be found in [20].
Generally, data compression is not suitable for forensic investi-
gation due to (1) the decompression overhead before analysis, and
(2) the actual amount of data for analysis not being reduced. Some
detection techniques use a Bloom filter [21] to construct a small
size bit vector to index previously seen events and support mem-
bership queries. This kind of abstracted information cannot be na-
ively adopted for forensic investigation, except in cases where we
know what to query in advance. Although sampling techniques are
widely used in conjunction with logging systems to reduce the
amount of data to be examined for network measurement, [22]
points out that these techniques are insufficient for anomaly detec-
tion and our experiments also show that random sampling is
unacceptable for preserving anomalous events for forensic
investigation.
Nonetheless, there is also some related work focusing on reduc-
ing the data volume before attack detection or forensic analysis.
Staniford et al. [23] use Bayesian networks to infer event likelihood
and only keep the anomalous packets for stealthy portscans detec-
tion. Bailey et al. [24] focus on scalable monitoring of darknets and
reduce the amount of data for forensic honeypots by using source-
distribution based methods. Maier et al. [25] present a Time Ma-
chine to efficiently retain several days of packet-level network traf-
fic by only storing up to a cut-off limit of bytes per connection. Our
1474 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484
approach, in contrast, focuses on retaining and investigating con-
nection-level network traffic. Finally, Giura et al. [26] propose a
new column-oriented storage infrastructure for the sheer volume
of network flow records. Their approach can speed up the query
and reduce the storage size compared to traditional row-oriented
relational database.
3. Our approach
Considering the features of the RMW algorithm, we propose
using data reduction as a preprocessing step to assist the following
RMW process. In this section, we present the motivation, approach,
and architecture of our proposed mechanism.
3.1. Motivation
Given a network traffic trace that contains network-wide con-
nection information for a sufficiently long period of time, we dis-
cuss the problem and the feasibility of back tracking the origin of
a stealth self-propagating attack. When an attack has occurred,
the audit traffic trace contains both the attack traffic, which pre-
serves evidence for detecting and inspecting the root cause of the
attack, and the normal traffic, which is attack irrelevant. Instead
of developing a smart guidance method for origin tracking, we
alternatively propose data reduction measures to assist forensic
investigation. The purpose of the concept is to filter out attack-
irrelevant data and only apply the RMW algorithm to the rest of
the data for subsequent analysis. The motivation for this is twofold,
given that (1) the normal traffic which is generated by legitimate
users/applications is not called for in network forensics, and (2)
the RMW can easily be affected by attack-irrelevant connections,
either in terms of speed or accuracy, when dealing with long-term
network forensics. We believe the proposed data reduction method
can facilitate the RMW in building a more robust network forensics
mechanism.
3.2. Approach
We design a data reduction method to divide the input connec-
tions into two subsets, one containing normal connections and the
other containing suspicious connections. Note that only the suspi-
cious connections are regarded as the input of the RMW algorithm.
In this way, the problem of data reduction is defined as follows: be-
fore the forensic investigation, how do we effectively and effi-
ciently handle the sheer volume of network traffic to preserve
the key attack-related evidential connections for further analysis?
Specifically, in our mechanism, we assign each input connec-
tion, denoted by C, an anomaly score AðCÞ to represent the degree
of unexpectedness of the connection. The higher the score, the
more likely it is that we have not seen such a communication pat-
tern before, and hence the more likely it is that a suspicious attack
is being conducted. Further, we define a threshold h and only re-
cord connections whose anomaly scores are higher than h (i.e.,
AðCÞ > h) and ignore connections with smaller anomaly scores.
After data reduction, we examine the recorded connections by
using the RMW algorithm. We anticipate that the RMW can effi-
ciently and effectively handle the recorded connections, and that
the results can be provided to security analysts to identify the
attack origin and to analyze the causality and propagation of the
attack. The overall system architecture will be described in
the next subsection.
The calculation of the anomaly score is based on the knowledge
of the past host communication patterns. We adopt Bayesian-
based learning techniques to establish this knowledge base from
Fig. 2. Schematic representation of a scalable network forensics mechanism.
the historical traffic trace (described later in Section 4.2).
Accordingly, we assess the anomalousness of a connection C based
on the degree of confidence that we expect C to have occurred pre-
viously. The goal of data reduction is to keep the amount of the re-
corded traffic as low as possible, while preserving as much of the
attack traffic as possible.
3.3. System architecture
Fig. 2 illustrates our scalable network forensics mechanism that
consists of the three phases of training, logging (data reduction),
and investigation.
In the training phase, we use a set of historical traffic traces as
the training data and from this build a normal behavior profile. Once
a normal behavior profile is established, it becomes the main refer-
ence for making decisions in the logging phase. When logging, real-
time traffic is fed into our system. A normal traffic filter (denoted as
U) will query the learned normal behavior profile, retrieve the re-
quired information from the profile, and compute the anomaly
score for each connection to check whether the observed commu-
nications are ‘‘normal’’ or not. Connections whose anomaly scores
are higher than h will be regarded as unexpected and stored to the
reduced traffic trace. Finally, in the investigation phase, we apply
the RMW to the reduced traffic trace to identify possible epidemic
attacks and their origins.
In order to support our learning-based data reduction method,
we separate the collected real-world traffic trace into the two parts
of training and testing. Due to the lack of labeled traffic traces, we
deem the real-world traffic as the traffic generated by normal, non-
infected hosts. Note that Fig. 2 also depicts the opportunities of
using a background noise filter (denoted by W) that works as a bin-
ary classifier for sanitizing the training data and the reduced traffic
trace. This is because we found that some portion of the real-world
traffic contained scan-like activities that may affect the decision
made by U, as well as the operation of the RMW algorithm. We
can apply certain basic rules to W to filter out unwanted network
activities. We will later study the impact of this background noise
on our proposed mechanism with and without the use of W (see
Section 5.3).
4. Data reduction
In this section, we first clarify the concept of data reduction and
introduce the learning procedure for constructing a normal behav-
ior profile from the historical traffic trace. We then describe how U
uses this profile to examine the input connections during the log-
ging phase. We also introduce and explain the usage of W to reduce
the impact of background noise in our dataset.
 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484
4.1. The concept of data reduction
The design of the data reduction method is based on two obser-
vations. First, the properties of ‘‘Community of Interest’’ within a
set of communicating entities have been discussed in the literature
and used for anomaly detection [27–29]. In a campus or an enter-
prise network, hosts tend to contact specific and small numbers of
destinations. The regularity of normal communication patterns im-
plies the predictability of host behaviors. Second, we argue that
although there are many sophisticated techniques to hide the at-
tack propagation from current intrusion detection techniques, an
infected host must contact previously uncontacted hosts in some
recurring and systematic way; otherwise, the attack could not pro-
gress forward. These two observations highlight the difference be-
tween normal traffic and attack traffic regarding the structure of
host communications.
We define contact activities as interactions between individual
hosts (who talks to whom) via specific communications channels.
According to the observations, for each host the deviation of its
previous contact activity will be regarded as an indication of a po-
tential attack; these contacts are worth recording for the post-mor-
tem investigation. On the other hand, communications matching
regular patterns are regarded as normal and can be ignored in
forensic investigation. Similar to anomaly-based intrusion detec-
tion, we learn and build a normal behavior profile from historical
traffic traces to record the probability distribution of previous con-
tact activities in the network. Based on this profile, we infer the
rarity of a newly established connection. In summary, the data
reduction method treats connections as the input data and then in-
fers the probability of each connection to decide whether or not a
connection should be logged for further investigation.
4.2. Building a normal behavior profile
The normal behavior profile consists of a set of features, their
values and the corresponding probabilities of each possible value.
The features are extracted from the network traffic trace to repre-
sent the contact activities in the trace. In what follows, we demon-
strate the procedure of describing and counting a contact activity
in a 5-tuple. Note that our method is general enough to accommo-
date other features in the network traffic trace.
A 5-tuple includes the source and destination addresses (de-
noted as SA and DA), the source and destination port numbers (de-
noted as SP and DP), and the protocol (denoted as Proto) of a
connection. It shows that a contact activity is initiated by the
source end-host and connected to the destination end-host via a
specific communications channel. The 5-tuple is the most common
feature for describing a connection within the existing literature.
The reason for selecting SP as a feature of contact activity is not
only that might some servers talk to each other through specific
source ports, but also that some applications (e.g., P2P, web, or
games) usually exhibit ‘‘collaborative behavior,’’ other than the
typical ‘‘client–server behavior’’ [30].
After selecting features, we build a normal behavior profile
based on these features. A naive approach is to construct a joint
probability table for all combinations of values of different features
(i.e., all possible contacts) and their probabilities in a network.
Although a joint probability table is simple to construct and easy
to use, its drawback is that maintaining such a table with a large
number of IP addresses and port numbers is resource intensive.
For example, in our case, it requires a table with 265 entries to re-
cord any possible contact activity inside a class-B network by using
features {SA, SP, DA, DP, Proto}, if we only focus on TCP and UDP
connections. In contrast, a naïve Bayes (NB) model assumes that
features are probabilistically independent, such that a joint proba-
bility of a feature set is the product of each feature’s probability.
1475
The NB model has the advantage of supporting the probability
inference of the class variable (i.e., connection C in our case) with
minimal resource consumption. However, the drawback is that
features sometimes have certain relations that are not exactly
mutually independent, especially for features used for describing
a contact activity.
In our data reduction method, we adopt a Tree-augmented
naïve Bayes network (TAN) [31] to record host contact activities.
The TAN model is an extension of the NB model by breaking the
assumptions of probabilistic independence. The TAN model consid-
ers that features have some relations, and assigns correlated fea-
tures an ‘‘augmented edge,’’ while keeping the structure acyclic
and simple. Therefore, the TAN model not only improves predict-
ability, but also maintains simplicity during construction with
acceptable storage requirements. Below, we describe how to corre-
late features and construct a TAN structure. Because the usage of
the NB model is relatively simple, we will not explain it any further
in this paper.
We first employ mutual information [32] to measure the
strength of the dependencies between features. In order to mea-
sure the pairwise mutual information, we need to compute the
probabilities and conditional probabilities of features. Here, we
use the m-estimate approach [33] to compensate for missing data
when computing probabilities. Once we have the pairwise mutual
information, we can build an undirected graph in which the verti-
ces are the features, and the weight of each edge assigns the mu-
tual information of the vertex-pair on that edge. As suggested in
[31], we construct the TAN structure in three stages. First, we gen-
erate a maximal weighted spanning tree on the graph, with this
tree representing an acyclic subgraph that associates the features
with higher dependencies. We next select a root and assign the
direction of all edges on the tree to be outward from the root; in
this step, selecting different nodes as the root will generate differ-
ent TAN structures. Lastly, we insert a vertex representing the class
variable and add edges from the class variable to each feature in
the graph.
Fig. 3 is an illustration of how to construct a TAN structure from
the training data collected in 2011. In Fig. 3(a), the relationship
among features is depicted, with the number on each edge repre-
senting the value of mutual information of two nodes (features)
and the solid lines forming a maximum weighted spanning tree
in the graph. In Fig. 3(b), the constructed TAN structure of the
training data is shown. Based on the TAN structure, we only need
to record the required probabilities of the correlated features in
the normal behavior profile for inferring the probability of the class
variable. It is both efficient and space-saving to build a normal
behavior profile by using the TAN model.
4.3. Normal traffic filter (U)
Based on the learned normal behavior profile, we now explain
the operation of U. According to Bayes’ theorem, the probability
of an inputted connection C can be derive by its 5-tuple as
PðCÞ  PðSA; SP; DA; DP; ProtojCÞ
PðCjSA; SP; DA; DP; ProtoÞ ¼
PðSA; SP; DA; DP; ProtoÞ:
In the above equation, we can ignore the effects of the probabilities
PðSA; SP; DA; DP; ProtoÞ since it is regarded as a constant and
gives equal impact to each connection. Moreover, based on our
assumption, PðCÞ is also a constant because C is assumed to be nor-
mal and we only want to infer its degree of unexpectedness against
the history. Therefore, we use the value of the probability
PðSA; SP; DA; DP; ProtojCÞ for comparison and for describing how
frequent a connection is in the past. Following the example in
Fig. 3(b), this probability can be inferred as follows (and all the
1476 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484
Fig. 3. (a) Mutual information of each feature pair learned from the 2011 training data. The solid lines form a maximal weighted spanning tree. (b) The TAN structure is
learned in this case.
decomposed probabilities are already stored in the normal behav-
ior profile).
PðSA; SP; DA; DP; ProtojCÞ ¼ PðSPjSA; CÞ  PðSAjDA; CÞ
 PðDPjDA; CÞ  PðDAjProto; CÞ
 PðProtojCÞ:
The operation of U is as follows. First, it extracts values of the
required features from each incoming connection C. Second,
according to the learned TAN structure, U queries the correspond-
ing probabilities (or conditional probabilities) to the normal behav-
ior profile. Third, an anomaly score AðCÞ is measured as the
negative log likelihood of the probability.
AðCÞ ¼  logðPðSA; SP; DA; DP; ProtojCÞÞ:
The anomaly score represents the degree of unexpectedness of a
contact. Contacts with an anomaly score higher than h will be re-
corded for further investigation. We will describe how to select h
in Section 5.4.
4.4. Background noise filter (W)
As mentioned above, the operation of the proposed data reduc-
tion method is conceptually similar to the model of anomaly-based
intrusion detection. In the collected traffic trace, there is a consid-
erable amount of incomplete connection attempts that generate
noise to reduce prediction accuracy of the normal behavior profile.
In this subsection, we introduce W to remove the background noise
in the traffic trace.
In the 2006 traffic trace, we observe that about 36.2% of the dai-
ly connections in the trace were half-open TCP connections with-
out responses and the standard deviation for each day is about
13.7%. However, this phenomenon is much more moderate in the
2011 traffic trace, where about only 3.2% are seen. This background
noise may be caused by administrative scans, machine misconfig-
urations or malfunctions, or malicious scans generated by out-of-
date attacks. Together, these sources generate a certain number
of connections that are called ‘‘background radiation’’ [34]. The re-
quests might be blocked by the firewall on the destination side, or
the destination may not even exist. We find that the patterns
caused by these half-open TCP connections are similar to port-scan
or port-sweep. For example, in the week-long training data of
2006, more than 60% of the half-open TCP connections target des-
tination port number 139, which is conventionally used by the
NetBIOS session service, and these connections mostly come from
six distinct source IP addresses.
Based on this observation, we design a rule-based W that can
filter out half-open TCP connections in the dataset. We consider
using W to sanitize our training data, and further study the reduced
traffic trace so as to understand the impact of dataset background
noise on data reduction and forensic investigation. In the next sec-
tion, we thus describe our evaluation strategy for not only evaluat-
ing the size of expected improvement in the forensic investigation
from using data reduction, but also for validating the requirement
of using W for our mechanism and dataset.
5. Experiment methodology
In this paper, we design a series of experiments to evaluate our
scalable network forensics mechanism. In this section, we first
introduce the datasets used for the experiments, and then define
metrics and describe our evaluation strategy by considering the
background noise in the dataset. Finally, we describe the threshold
selection strategy for data reduction.
5.1. Dataset
Here we describe the characteristics of the real-world traffic
traces and explain the manual worm injection to emulate epidemic
style attacks. These two kinds of traffic traces will be combined as
the dataset used for the experiments.
5.1.1. Real-world traffic traces
We individually collected two sets of network traffic traces
from a core router in a class-B campus network in 2006 and
2011. The format of the collected traces is Cisco NetFlow Version
5 [35], which summarizes a sequence of network packets with
the same direction (i.e., the packets share some pre-specified key
values such as source and destination IP addresses, port numbers,
and protocol) as a flow. To fulfill the need of the experiments, we
preprocess the real-world traffic traces in two steps. In the first
step, we filter out incoming and outgoing flows from the campus
network and only keep intra-campus flows. This is because we fo-
cus on building a profile to record the communication behavior
within the network. Table 1 shows the characteristics of the col-
lected traffic traces during the two years. The average amount of
intra-campus flows per day is about 6.9 million in 2006 and 21.2
million in 2011.
The second preprocessing step, in order to identify the initiator
and receiver of a connection, combines these flows by combining
flows with opposite directions into one connection, where the
source of the connection is the initiator. However, due to the basic
flow expiration policies, a long-lived flow may be expired and ex-
ported as multiple small flow segments. We carefully merge this
kind of flow by referring to the flow merging approach mentioned
in [36]. Table 1 shows that the average amount of connections per
day decreased to about 3.2 million in 2006 and 12.9 million in
2011. Note that some UDP applications (e.g., DNS) do follow inter-
active communications and those UDP flows are processed in the
same way as TCP flows to understand the communication patterns.
 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484 1477

Table 1 traces are assumed to be susceptible to the attacks (e.g., 10% of

Real-world traces collected in 2006 and 2011.
2006
Start time 2006/10/1
End time 2006/10/15
Average number of intra-campus 6, 980
flows per day (K)
Average number of intra-campus 3, 204
connections per day (K)
Intra-campus connections TCP:UDP 2: 1
Average fraction of the half-open 36.2
TCP connections (%)
Number of active hosts 19, 148
After preprocessing, the datasets contain information about the
connection start time and end time, protocol (e.g., TCP, UDP),
source/destination IP addresses and port numbers, transmitted
packet and byte counts on each direction, and the status of the con-
nection. In Table 1, we can see that datasets of the different years
have huge differences. The amount of connections in 2006 is about
4 times smaller than that of 2011. In 2006, TCP connections were
more numerous, while more than 30% of them were half-opened.
In contrast, in 2011, UDP connections generated most of the traffic
and the phenomenon of the half-open TCP connections became
much more moderate. One of the reasons for the increase of UDP
connections in 2011 is that nowadays web browsers (e.g., Google
Chrome) support DNS pre-fetching to accelerate web browsing
[37]. DNS pre-fetching can resolve domain names proactively be-
fore a user clicks on links on a webpage or when entering URLs
in a browser. In 2011, 14% of UDP connections belonged to DNS
connections. Another reason may be due to the popularity of P2P
applications. The impact of the changing traffic characteristics on
the traces can be seen in the data reduction results.
5.1.2. Synthetic worm traffic
In this study, we inject synthetic worm traffic into real-world
traffic trace to emulate the propagation of worms in the monitored
network. We design a typical slow propagation scenario that works
as follows: an infected host first rests for a period of time (called
the incubation period), and then starts attacking other hosts at a
specific rate (i.e., one over the predefined scan period). By increas-
ing these two factors, a worm attack becomes stealthier and more
difficult to detect. Moreover, the worm will sustain a long-term
propagation lifespan. Without loss of generality, a certain number
of active hosts that have generated connections in the collected
active hosts in our case). Selecting susceptible hosts from active
2011 hosts makes the worm propagation more reasonable.
2011/6/4 When the attack begins, we randomly choose a susceptible host
2011/6/18 as the worm origin and select a specific port number as the vulner-
21, 655 able service port. The infected hosts (including the origin) will fol-
low the slow propagation scenario to infect other hosts inside the
12, 857
network using random scanning. The attack stops when its lifespan
1: 11 exceeds a predefined attack duration. In this paper, we also con-
3.2 sider the case that worm propagation generates half-open TCP con-
nections as well. When an attempt tries to compromise an inactive
11, 845
host (i.e., unused IP addresses in our network), it results in a half-
open TCP connection. On the other hand, we assume an attempt
will be responded to when it points to active hosts, including in-
fected or uninfected hosts, in the network.
5.1.3. Test trace generation
The test traces used for the experiments are generated by com-
bining synthetic worm traffic with real-world traffic. Since the for-
mats of these two kinds of traffic are the same, the combination
method is trivial. A test trace is created by duplicating the real-
world traffic of a specific time period and then injecting synthetic
worm traffic according to the start time of each worm connection.
In our experiments, we generate six types of worms for each year
by varying the scan period and the destination port number. Table 2
shows the characteristics of these generated test traces.
We use X and Y to denote the test traces built upon the real-
world traffic traces of 2006 and 2011, respectively. For clarity,
we denote the scan period and the destination port number of
the embedded worm traffic as the subscript and superscript of X
and Y. In this paper, we control the scan periods of worms at
100 s and 1000 s to demonstrate the effect of long-term attacks.
For each scan period, we configure the attack duration long enough
for these worms to infect more than 99% of the susceptible hosts in
the network. Additionally, we allow each trace to have a 12-h addi-
tional observation period before and after the attack. In Table 2, we
can see that the fraction of the synthetic worm traffic in test traces
becomes smaller when the worm scan period increases.
We use the destination ports to emulate worm attacks targeting
different vulnerabilities, so as to see whether or not the proposed
data reduction method can discern these attacks. The port selec-
tion is purposely designed to introduce bias to our data reduction
method. First, we produce port-139 worm attacks to demonstrate
the impact of background noise, because most of the half-open
TCP connections in the 2006 traces target port 139 (Windows
NetBIOS session service). Further, the Bulletin Board System

Table 2
Test traces with different injected worm traffic.

2006 Test trace X 139

100 X 23
100 X RND
100 X 139
1000 X 23
1000 X RND
1000

Attack duration (day (s)) 1 1 1 7 7 7

Number of normal conn. (K) 5, 100 5, 100 5100 29, 104 29, 104 29, 104
Half-open TCP in normal trace (%) 36.3 36.3 36.3 47.9 47.9 47.9
Number of worm conn. (K) 753 661 895 456 526 481
Half-open TCP in attack trace (%) 77.0 77.0 77.0 76.8 76.9 76.9
Worm conn. in the test trace (%) 12.9 11.5 14.9 1.6 1.8 1.7
2011 Test trace Y 139
100 Y 23
100 Y RND
100 Y 139
1000 Y 23
1000 Y RND
1000

Attack duration (day(s)) 1 1 1 7 7 7

Number of normal conn. (K) 25, 961 25, 961 25, 961 108, 236 108, 236 108, 236
Half-open TCP in normal trace (%) 3.1 3.1 3.1 3.2 3.2 3.2
Number of worm conn. (K) 771 879 787 499 467 476
Half-open TCP in attack trace (%) 83.5 83.5 83.5 83.6 83.4 83.6
Worm conn. in the test trace (%) 2.9 3.3 2.9 0.5 0.4 0.4

Note: The subscript of a test trace is the scan period (sec.) of the injected worm attack and the superscript is the destination port number. For all 2006 test traces, the trace
start time is 10/8 0 am and the attack start time is 10/8 12 pm. For all 2011 test traces, the trace start time is 6/11 0 am and the attack start time is 6/11 12 pm.
1478 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484
Fig. 4. Metrics used for data reduction, including false negative rate (FNR), false
positive rate (FPR), precision, and data reduction rate (DRR).
(BBS) is one of the most popular network services in our monitored
network and it usually operates on a default Telnet port. We pro-
duce port-23 worm attacks to simulate the propagation of a worm
embedded in the traffic of a popular service. Lastly, we randomly
choose a seldom-used port number (denoted as RND) to create
worms as a base line for comparison.
5.2. Metrics
The metrics used for data reduction are defined in Fig. 4. After
data reduction, false negatives (FNs) refer to worm connections
that are incorrectly labeled as normal and exempted from forensic
investigation. Similarly, true positives (TPs) refer to correctly re-
tained worm connections, false positives (FPs) refer to falsely re-
tained normal connections, and true negatives (TNs) represent
correctly filtered normal connections.
For the goal of network forensics, minimizing FNR is critical, be-
cause doing so means we do not lose any attack relevant evidence.
Furthermore, a low FPR generally implies less noise in forensics
and more storage saving, and thus more computation scaling.
However, due to the base-rate fallacy [38], FNR and FPR may be
insufficient for the performance measure especially for the analysis
of a long period dataset. Therefore, we further use precision to rep-
resent the percentage of the retained worm connections against all
the retained connections. Conceptually, the higher the precision,
the lower the chances that the RMW algorithm will randomly se-
lect a non-worm connection in the reduced traffic trace. Finally,
DRR gives us a quick idea of the degree of storage saved. The value
of DRR is affected by the capability of the data reduction method,
as well as the proportion of the worm traffic in a test trace. For this
paper, we use FPR, FNR, and precision together to evaluate the data
reduction performance and to predict the performance of the
forensic investigation.
In this study, we adopt the same metrics used in [5] to evaluate
the performance of network forensics. We measure the number of
causal edges within the top 100 frequency edges after the RMW
investigation. The more causal edges returned, the higher the
chance that we can reconstruct the causal tree based on these cau-
sal edges. We also check whether these edges belong to the initial
Fig. 5. Illustrations of our evaluation strategies. (a) Constructing normal behavior profiles w/ or w/o using W, (b) data reduction (using U) by using different normal behavior
profiles, (c) applying forensic investigation on the reduced traffic traces w/ or w/o using W.
higher level of the causal tree. We will evaluate the performance of
RMW by measuring the degree of database access for an RMW
investigation.
5.3. Methodology
In this subsection, we illustrate and explain the evaluation
methodology of the proposed mechanism by answering the pro-
posed questions below. Here, we not only validate the usability
of the normal behavior profile for data reduction and evaluate
the improvement of the RMW investigation by using data reduc-
tion, but also discuss the impact of background noise in the real-
world traffic traces on our mechanism.
Q1: Does the background noise in the training data affect the sen-
sitivity of data reduction?
Sensitivity represents the capability of the data reduction meth-
od to correctly identify the synthetic worm connections. The more
attack traffic we retain, the more complete the evidence we can
preserve for forensic investigation. In the experiments, we treat
the FNR as an index of the sensitivity, such that a smaller FNR im-
plies a better sensitivity. However, if the attack behavior violates
our assumption and it shares similar contact characteristics with
the usual traffic pattern, our proposed data reduction method
may result in poor sensitivity.
The normal behavior profile learned from the training data sig-
nificantly affects the sensitivity of data reduction. In our experi-
ments, we find that half-open TCP connections contribute a
significant portion of the daily traffic while having a negative im-
pact on differentiating worm traffic. As shown in Fig. 5(a), we con-
struct normal behavior profiles from the training data with and
without using W. The learned normal behavior profiles are denoted
by P  and P, respectively. We further apply U to the test data T
based on the reference of P and P , as shown in Fig. 5(b). The cor-
responding reduced traffic traces are denoted as UðTÞ and U ðTÞ.
After data reduction, we measure the amount of TPs (and FNs) in
these reduced traffic traces and analyze the impact of the back-
ground noise in the training data to our data reduction method.
Q2: Does the background noise in the test data affect the specificity
of data reduction?
Specificity represents the capability of the data reduction meth-
od to correctly identify the normal contacts and avoid recording
this kind of connection in the reduced traffic trace. To measure
specificity, we focus on the FPR of data reduction and analyze the
composition of the FPs in the reduced traffic trace. For a given test
trace, reducing the FPR not only increases the DRR, but also im-
proves the precision. This indicates that a more efficient and accu-
rate forensic investigation is achievable.
Practically, connections preserved by U should be examined
carefully because their contact behavior deviates from the histori-
cal pattern. Due to the use of different normal behavior profiles, the
 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484 1479

preserved connections may have significant differences in their
contacts. We investigate the FPs in different reduced traffic traces
in terms of how much background noise is preserved. We also
measure the changes of the values of DRR and precision if we re-
move this noise from reduced traffic traces and discuss the perfor-
mance of data reduction. We argue that if preserving background
noise in the reduced traffic trace is unnecessary for the need of
forensic investigation, it would be a better choice to use W after
data reduction as well. This augmentation will be verified in the
next question.
Q3: What is the impact of different data reduction scenarios on the
forensic investigation?
After data reduction, we apply the RMW investigation on differ-
ent reduced traffic traces to analyze the performance of network
forensics. Based on the use of U and W, we derive four kinds of re-
duced traffic traces for the investigation as shown in Fig. 5(c). We
adaptively tune the parameters of the RMW and analyze the prop-
erties of the outputted connections. These results will be discussed
in Section 6.5.
The above three questions are mainly used to help us under-
stand the requirement of using W for data reduction when dealing
with background noise in the real-world traffic traces. However,
we can also understand the effect of U and validate our assump-
tion that the communication pattern generated by an epidemic
style attack is very different from that of normal communications.
In this paper, we also compare the NB-based learning model to the
TAN-based learning model when performing data reduction. In the
experiments, we further let L denote the learning model
(L 2 f NB; TANg) and use a subscript to emphasize the used learn-
ing model for some symbols, if required. For example, we denote a
normal behavior profile, which was learned based on the NB model
and by applying W to the training data, by P NB or we denote a re-
duced traffic trace by UTAN ðTÞ to represent a test trace T that had
been filtered by a TAN-based normal traffic filter.
5.4. Threshold selection
The goal of threshold selection is to find a threshold h that can
be used for comparing the anomaly score of each connection and
practically differentiating the contact activities from normal traffic
to attack traffic. In this study, we apply self-validation on the col-
lected dataset to decide the value of h for our data reduction
method.
The self-validation operates as follows. First, we identify a nor-
mal behavior profile from the training data. Then, we use the
learned profile to examine the same dataset used for training to
compute the anomaly score of each connection. Further, we sort
these connections based on their anomaly scores and finally decide
the value of h as the score that satisfies a predefined cut-off condi-
tion. The cut-off condition, which can be decided by the system
operator, indicates how many FPs the operator wants to preserve.
Here we define the cut-off condition as 1% of the traffic amount,
with the selected h being expected to capture the infrequent con-
tact activities against this cut-off condition.
6. Evaluation results
We discuss the results of our experiments in this section,
including the performance of data reduction and the accuracy
and efficiency of the RMW investigation.
6.1. Sensitivity tests for data reduction
We now discuss the data reduction results of the 2006 and 2011
test traces where the injected worms have a scan period of 100 s.
For sensitivity tests, we first focus on the FNRs of the reduced traf-
fic traces UL ðTÞ and UL ðTÞ for different T examined by different L.
Note that, as shown in Fig. 5, UL ðTÞ represents the output of data
reduction when the used profile is learned from a complete train-
ing data, while UL ðTÞ represents the output of data reduction by
referring to the profile learned from a reduced training data by
applying W.
In Table 3, the FNR of UNB ðX 139
100 Þ is greatly reduced in compari-
son with the FNR of UNB ðX 139
100 Þ, while the FNRs are equally strong
for UTAN ðX 139  139
100 Þ and UTAN ðX 100 Þ. This is because the contacts targeting
port 139 in the 2006 training data mostly belong to half-open TCP
connections, and without using W, the statistics maintained by P NB
can easily misclassify the port-139 worm attack traffic as normal

Table 3
Data reduction results of the test traces that the injected worms have scan period 100 s.

UNB ðTÞ UNB ðTÞ UNB ðTÞ UTAN ðTÞ UTAN ðTÞ UTAN ðTÞ

T= X 139 FPR 0.017 0.021 0.011 0.030 0.320 0.016

100
FNR 0.852 0.119 0.846 < 0.001 < 0.001 0.770
Precision 0.561 0.862 0.671 0.830 0.316 0.678
DRR 0.966 0.868 0.970 0.845 0.593 0.956
T= X 23 FNR 0.831 0.646 0.959 < 0.001 0.001 0.770
100
Precision 0.562 0.687 0.321 0.811 0.288 0.649
DRR 0.965 0.941 0.985 0.858 0.602 0.959
T= X RND
100
FNR < 0.001 0.001 0.770 0 0.013 0.773
Precision 0.911 0.894 0.783 0.853 0.351 0.712
DRR 0.836 0.833 0.956 0.825 0.581 0.952

T= Y 139 FPR 0.009 0.031 0.008 0.016 0.043 0.013

100
FNR 0.046 0.009 0.837 < 0.001 0 0.835
Precision 0.751 0.491 0.364 0.653 0.409 0.273
DRR 0.963 0.942 0.987 0.956 0.929 0.983
T= Y 23 FNR 0.287 0.224 0.896 < 0.001 < 0.001 0.835
100
Precision 0.720 0.463 0.292 0.682 0.441 0.300
DRR 0.968 0.945 0.988 0.952 0.926 0.982
T= Y RND
100
FNR 0.001 < 0.001 0.836 < 0.001 0 0.835
Precision 0.764 0.499 0.370 0.657 0.414 0.276
DRR 0.961 0.941 0.987 0.955 0.929 0.982

Note: The FPR are the same for different test traces when T = X 139 23 RND 139 23 RND 
100 , T= X 100 , T= X 100 . For T = Y 100 , T= Y 100 , T= Y 100 , the FPR are the same as well. UL ðTÞ represents that W is
applied in the training phase and UL ðTÞ represents that W is further applied to remove the background noise in UL ðTÞ.
1480 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484

traffic. However, the TAN model would not be confused in separat-
ing background noise and the traffic of a port-139 worm attack, be-
cause the background noise is generated only by a small number of
hosts in the network. In comparison, since the situation of back-
ground noise in the 2011 training data has become more moderate,
we can see that in Table 3 the FNRs of UNB ðY 139  139
100 Þ and UNB ðY 100 Þ both
decrease greatly. Using W in the training data further reduces the
FNR of UNB ðY 139
100 Þ to lower than 1%. For the TAN model, the FNRs
of UTAN ðY 139  139
100 Þ and UTAN ðY 100 Þ perform as well as the cases in 2006.
As for the destination port 23, which is used for Telnet services,
Table 3 shows that the NB model cannot distinguish between
worm attacks and normal traffic on destination port 23 for both
the 2006 and 2011 test traces, even if W is applied to the training
data. This is because Telnet is one of the most popular network ser-
vice in use at the monitored network and only a small portion of
the connections targeting port 23 in our training data yield the
half-opened situation. However, the TAN model can still overcome
the effects of the normal contacts on popular network services and
again outperform the NB model.
Lastly, in Table 3, we can also see that the two different learning
models perform equally well for identifying worm connections tar-
geting port RND. In summary, the NB model tends to generate a
high FNR in comparison with the TAN model when dealing with
a worm attack that shares similar feature properties with connec-
tions in the training data.
6.2. Specificity tests for data reduction
This subsection discusses the FPRs of data reduction for differ-
ent scenarios in Table 3. Since the calculation of FPRs are only re-
lated to normal traffic (see Fig. 4) and in our experiments the
durations of the test traces are fixed (2 and 8 days long for worm
attacks with 100- and 1000-s scan periods), applying the same data
reduction procedure to the equal-length test traces, such as
X 139 23 RND
100 ; X 100 , and X 100 , will derive the same FPRs. In Table 3, we find
that in general the TAN model generates a larger FPR than the
NB model, especially for cases of UTAN ðTÞ. This is because the con-
tact activities in our traffic traces are not that stable, and the TAN
model can easily identify these unapparent changes.
In addition to contact changes, the background noise in the test
trace also affects the FPR of data reduction. In Table 3, we find that
the FPR of UTAN ðTÞ is peculiarly higher than other cases. This is due
to the abnormally large amount of background noise in 2006 and
the more strict data reduction of the TAN model compared to the
NB model. This observation is further demonstrated by applying
W to UTAN ðTÞ. As shown in Table 3, the FPR of UTAN ðTÞ decreases
to 0.016, which shows that most of the retained connections in
UTAN ðTÞ belong to the background noise. Furthermore, other cases
applying W to the reduced traffic traces can further decrease the
FPR to about 0.01, which is near our setting for the threshold
selection.
However, the drawback of applying W to the reduced traffic
traces is that in the mean time we will lose many failed worm con-
nections that are half-opened. According to Table 2, we can verify
that the greatly increased FNRs of UL ðTÞ in Table 3 are mainly
caused by those half-open worm connections. We believe the
RMW process can still back track the worm origin, even when
these half-open worm connections are removed from the reduced
traffic trace.
6.3. Long-term attacks
In this subsection we discuss the performance of data reduction
against worm attacks with a 1000-s scan period. Table 4 shows the
FNRs, FPRs, precisions, and DRRs for different test traces and differ-
ent data reduction scenarios. Here, we first focus on the FNRs and
FPRs.
Compared to Table 3, the FNRs in Table 4 indicate very similar
characteristics in each case. This demonstrates that the proposed
contact-based data reduction methods (either using the TAN or
NB models) are not affected by the propagation rate of a worm at-
tack. Besides, the FPRs in Table 4 also show similar results as that
in Table 3, except for the FPRs of UTAN ðTÞ and UTAN ðTÞ when exam-
ining the 2006 test trace. As the investigation period becomes
longer, we notice that there is an increased deviation of contact
activities of the background noise in the 2006 test traces against
that in the 2006 training data, hence resulting in a higher FPR.
Moreover, compared to the two learning models, the NB model
can tolerate contact deviation to a certain degree, while the TAN

Table 4
Data reduction results of the test traces that the injected worms have scan period 1000 s.

UNB ðTÞ UNB ðTÞ UNB ðTÞ UTAN ðTÞ UTAN ðTÞ UTAN ðTÞ

T= X 139 FPR 0.019 0.046 0.016 0.391 0.464 0.022

1000
FNR 0.836 0.117 0.844 < 0.001 < 0.001 0.769
Precision 0.116 0.233 0.134 0.039 0.033 0.140
DRR 0.978 0.941 0.982 0.599 0.528 0.974
T= X 23 FNR 0.821 0.630 0.957 < 0.001 < 0.001 0.770
1000
Precision 0.142 0.128 0.047 0.044 0.037 0.157
DRR 0.978 0.949 0.984 0.598 0.527 0.974
T= X RND
1000
FNR < 0.001 0.001 0.770 < 0.001 0.003 0.773
Precision 0.459 0.266 0.194 0.041 0.034 0.144
DRR 0.965 0.939 0.981 0.599 0.528 0.974

T= Y 139 FPR 0.011 0.033 0.010 0.021 0.048 0.015

1000
FNR 0.047 0.010 0.839 < 0.001 < 0.001 0.837
Precision 0.293 0.120 0.069 0.183 0.087 0.049
DRR 0.985 0.962 0.989 0.975 0.947 0.985
T= Y 23 FNR 0.279 0.217 0.895 < 0.001 < 0.001 0.835
1000
Precision 0.227 0.092 0.043 0.173 0.082 0.047
DRR 0.986 0.963 0.990 0.975 0.948 0.985
T= Y RND
1000
FNR < 0.001 < 0.001 0.837 < 0.001 < 0.001 0.837
Precision 0.293 0.116 0.067 0.176 0.083 0.047
DRR 0.985 0.962 0.989 0.975 0.948 0.985

Note: The FPR are the same for different test traces when T = X 139 23 RND 139 23 RND 
1000 , T= X 1000 , T= X 1000 . For T = Y 1000 , T= Y 1000 , T= Y 100 , the FPR are the same as well. UL ðTÞ represents that W is
applied in the training phase and UL ðTÞ represents that W is further applied to remove the background noise in UL ðTÞ.
 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484
model only allows contact activities well defined in its normal
behavior profile to pass through the filter.
6.4. Precision and DRR
In Tables 3 and 4, we also record the precisions and DRRs for
each data reduction scenario. Recall that a higher precision im-
proves the chances of the RMW for selecting worm connections.
In our cases, however, the following observations can be made
from the results. First, the real amount of the FPs in a reduced traf-
fic trace is much greater than the TPs, such that the overall preci-
sion of data reduction seems poor. Second, although the TAN
model usually generates a lower FNR than the NB model, the pre-
cision value of TAN-based data reduction is not always better than
that of NB-based data reduction due to the effect of the FPs. Finally,
a long investigation period (cases in Table 4 versus Table 3) and a
large amount of daily traffic (cases for the 2011 test traces) will
also reduce the precision in our experiments.
As for DRRs, we can see that for the UL ðTÞ cases, the NB model
slightly outperforms the TAN model. This is because the TAN mod-
el tends to have a larger FPR, and the value of DRR is mainly dom-
inated by the amount of normal traffic being filtered. Further, we
observe that the background noise indeed affects the performance
of data reduction. Comparing the results of the 2006 and 2011 test
traces, we find that the DRRs are above 95% for most of the 2011
cases, since the proposed data reduction method can accurately
separate the normal traffic from the worm connections.
6.5. Forensic investigation
In this subsection, we first discuss the forensic results for the
UL ðTÞ and UL ðTÞ cases in Table 3. For each reduced traffic trace,
we apply the RMW five times and compute the average results,
including the number of causal edges in the top 100 frequency
edges and the degree of database access. For each RMW investiga-
tion, we randomly select 10% of the connections in a reduced traffic
trace as the starting edges of the moonwalk paths. We fix d at 30
and vary Dt from between 10 times the scan period of the injected
worm to 90 times (i.e., from 1000 s to 9000 s). In Fig. 6, the dia-
grams at the upper half depict the results of the RMW for the
Fig. 6. (a), (b), (c) and (e), (f), (g) depict the accuracy of the RMW for worm attacks with a scan period of 100 s. The x-axis is the size of Dt and the y-axis is the number of
causal edges in top 100 frequency edges outputted by the RMW. Dash lines represent cases for UL ðTÞ and solid lines represent cases for UL ðTÞ . Squares represent L ¼ TAN and
dots represent L ¼ NB. (a) is the result for T ¼ X 139 23
100 , (b) is the result for T ¼ X 100 , (c) is the result for T ¼ X 100 ; and (e) is the result for T ¼ Y 100 , (f) is the result for T ¼ Y 100 , (g) is
the result for T ¼ Y RND
100 . (d) and (h) depict the database access counts of the RMW when Dt is 8000 s. The x-axis represents the 3 test traces individually and the y-axis is the
degree of database access. We use different colors to represent different data reduction scenarios.
1481
2006 test traces, and the diagrams at the lower half are for the
2011 test traces.
In Fig. 6, we can see that the accuracy of the RMW increases
when the value of Dt increases. In our experiments, data reduction
helps filter more than 82% to 98% of traffic before the investiga-
tion, such that we can afford configuring a wide sample window
for the RMW to correlate slow-paced worm traffic without worry-
ing about the noise. In general, the RMW tends to have a higher
accuracy for the reduced traffic traces generated by the TAN model
than by the NB model. Moreover, using W greatly improves the
accuracy of the RMW for the 2006 test traces, while only minimally
enhancing the 2011 test traces. This means that in a clean network
environment, using U alone is enough for network forensics to nar-
row down the scope of the investigation target.
Fig. 6(a) shows that the RMW performs well for both
 139 
UTAN ðX 139 
100 Þ and UNB ðX 100 Þ (the solid lines). Removing background
noise in the training data and the reduced traffic trace improves
the performance of data reduction and the forensic investigation.
Fig. 6(b) shows that if a worm attack embeds in the traffic of a pop-
ular network service, we must use the TAN model to carefully dis-
cern the worm traffic from the normal traffic. In Fig. 6(b), the

accuracy of the RMW on UNB ðX 23 100 Þ is even worse than on
UNB ðX 23
100 Þ, due to the higher FNR. Fig. 6(c) shows that for worm at-
tacks targeting port RND, applying the RMW to the reduced traffic
traces generated by different data reduction scenarios will have
comparable accuracy.
Fig. 6(d) depicts the database access counts of the RMW process
when Dt is configured as 8000 s, which leads to a reasonably high
accuracy. We see that for the UTAN ðTÞ cases, which usually have
higher FPRs, the RMW tends to have heavier database access but
does not improve the accuracy. It is also observed that using W
can decrease the chance of database access. Relatively speaking,
a higher database access count implies better RMW results, be-
cause the moonwalk paths tend to be long.
For the 2011 test traces, the results in Fig. 6(e) and Fig. 6(g) are
similar given the moderate background noise. However, worm at-
tacks that target popular destination ports (e.g., port-23 worm at-
tacks) are still difficult to trace back using the NB-based data
reduction method. We suggest employing the TAN model to per-
form data reduction for the traffic trace, before using forensic
RND 139 23
1482 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484

Fig. 7. RMW accuracy for worm attacks with a scan period of 100 s. The x-axis is the size of sample window Dt and the y-axis is the number of causal edges in top 100
frequency edges outputted by the RMW. Dash lines represent that W is not used and solid lines represent that W is applied. Rhombus represents there is no data reduction
before the RMW process and triangle represents the RMW is applied on a randomly sampled traffic trace with a sampling rate of 3%, (a) is the results for T ¼ X RND
100 , (b) is the
results for T ¼ Y RND
100 . These results are compared with the TAN-based data reduction and W applied (filled square and solid line, respectively).

Fig. 8. RMW accuracy for worm attacks with different scan periods for the UL ðTÞ cases. The x-axis is the ratio of the sample window size to the scan period of a worm attack
and the y-axis is the number of causal edges in top 100 frequency edges outputted by the RMW. Squares and dots represent the same results depicted in Fig. 6. Pluses and
crosses represent the results for worm attacks with a 1000-s scan period when L ¼ TAN and L ¼ NB, respectively, (a) is the result for T ¼ X 139 139
100 and T ¼ X 1000 , (b) is the result for
T ¼ X 23 23 RND RND 139 139 23 23
100 and T ¼ X 1000 , (c) is the result for T ¼ X 100 and T ¼ X 1000 ; and (d) is the result for T ¼ Y 100 and T ¼ Y 1000 , (e) is the result for T ¼ Y 100 and T ¼ Y 1000 , (f) is the result for
T ¼ Y RND RND
100 and T ¼ Y 1000 .

investigation to obtain better results. In Fig. 6(h), we notice that
although removing the background noise does not improve the
accuracy for the 2011 cases, it does reduce the database access
counts and the experiment times for the RMW investigation.
In Fig. 7, we compare the proposed scalable network forensic
mechanism to forensic investigation on the raw dataset and sam-
pled traffic trace. We again use X RND RND
100 and Y 100 as the test traces
and apply the RMW to the unrefined raw dataset and the randomly
sampled dataset with a sampling rate of 3%. Fig. 7 describes these
 RND 
results, as well as the results of UTAN ðX RND 
100 Þ and UTAN ðY 100 Þ from
Fig. 6 for the sake of comparison. We notice that apparently ran-
dom sampling does not help the forensic investigation and the
accuracy of its application of the RMW remains close to zero no
matter how long Dt is. The reason for this is the random sampling
method has little probability to sample all the connections in back
tracking the attack origin. On the other hand, although the raw
dataset preserves all the information for forensic investigation, it
suffers from the challenges mentioned in the Introduction. In
Fig. 7, it can be seen that using W alone greatly improves the
accuracy of the RMW for X RND 100 ; however the same configuration
makes the results even worse for Y RND100 . We find that although the
2011 traffic traces contain much fewer half-open TCP connections,
the contact activities in the traces become more complicated due
to the growing number of P2P applications that drags down
the accuracy. Overall, the proposed scalable network forensic
mechanism results in higher accuracy and better performance in
identifying the attack origin than both traditional methods.
Finally, we compare the forensic results for worm attacks with
different scan periods. We apply the RMW on the reduced traffic
traces that contain much slower worms (see Table 4) and plot
the forensic results for the UL ðTÞ cases with the corresponding
cases depicted in Fig. 6 together for comparison in Fig. 8. We find
that RMW accuracy decreases by about 50% for long-term attacks.
This may be caused by the slightly increased FPRs for the UL ðTÞ
cases in Table 4. However, in spite of the very low precision values
shown in Table 4, the RMW can still identify sufficient amount of
causal edges at the higher levels of the tree structure of the in-
jected worm attacks.
 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484
6.6. Summary of experiment evaluations
We now summarize the results of data reduction and long-term
network forensics.
 The TAN model is usually a better fit for the training data,
while accommodating various types of test data by select-
ing a more conservative threshold.
 Although the NB model is more flexible due to the assump-
tion of feature independence, it may suffer from poor
performance when features correlate mutually.
 In our cases, a well specified background noise filter helps
to eliminate the impact of unwanted traffic in the raw
dataset.
 Data reduction not only greatly improves the accuracy and
the performance of the RMW algorithm, but also improves
the scalability of network forensics.
7. Discussion and future work
In the current study, we have focused on finding the origin of a
stealth self-propagating attack in the research area of network
forensics. Unfortunately, this origin is usually the patient zero
who started the epidemic, but not the real attacker. Finding the
real attacker requires following the traditional way by carefully
looking at the system log of the originator or the log of the network
in which the originator resides to see what machine previously
contacted the originator. However, network forensics can provide
us with the opportunity to do this. Moreover, the other advantage
of cooperating with the RMW is that the reconstructed attack
propagation structure can reveal attack causality and network vul-
nerabilities. It can thus help the security analysts to design a better
perimeter protection and intrusion detection mechanism. Com-
puter forensics can also help us distinguish whether and when a
computer had been compromised. It would be one of the key ele-
ment for back tracking the worm propagation as well. However,
the collection of the digital evidence from computers requires
the cooperation of individual user or administrator. Further, com-
puter forensics may also encounter data reduction issue for long-
term investigation.
7.1. Limitations
The premise of our data reduction method is the change of con-
tact behavior of the infected hosts. We built a normal behavior pro-
file from historical contact activities and used this profile to in the
future distinguish unexpected events from frequently seen events.
Therefore, our method can effectively reduce the amount of the
traffic that will be further examined during post-mortem. How-
ever, if the premise is invalid where a sophisticated attack exhibits
exactly the same contact characteristics as usual traffic, the pro-
posed method may fail. Further, we have only demonstrated the
use of a 5-tuple as the features to build a normal behavior profile.
How to more precisely decide the more suitable features for inves-
tigating contact activity is an area for future work.
7.2. Adaptive forensic investigation
Although we adopted the RMW as the forensic tool in this pa-
per, the RMW still has some problems that warrant closer study
and refinement. Considering a worm attack with an unknown scan
period, we need to fine tune the RMW’s parameters, such as W; d,
and Dt, to achieve acceptable results. This problem is exacerbated
in the case of long-term network forensics. A method to automat-
ically decide values for these parameters is one of the goals of our
future research.
1483
Data reduction can ease another problem that may be encoun-
tered by the RMW. When performing traceback of each moonwalk
path, if there is a normal connection to the attack origin within the
length of the sample window, the RMW would simply pick up that
connection again and falsely identify that connection as one of the
most critical causal edges. By using data reduction, we can elimi-
nate the chance of facing this problem as much as can be reason-
ably expected.
8. Conclusions
In this paper, we considered the challenges that network foren-
sics will face under stealth attacks. To address this problem, we fo-
cused on host contact behavior and proposed a data reduction
method to facilitate scalable network forensics. The novelty of
the proposed mechanism lies in two key features: First, we
adopted the RMW to support an attack-agnostic forensic investiga-
tion. Second, the proposed contact-based data reduction method
can deal with various intrusion evasion techniques, such as
encryption, mutation, and special target acquisition schemes. The
real-world trace driven evaluation results demonstrated that the
proposed forensic mechanism yields good scalable performance
in terms of storage and computation time and maintains a high
accuracy rate of causal edge detection with the use of the RMW.
Further, we also showed that different network traces impact on
the sensitivity of the proposed data reduction method. This sug-
gests that when dealing with real traces, the network analyst must
first understand the characteristics of the traces.
The proposed mechanism still has a few limitations, including
how to deal with background noise in general, how to update the
normal behavior profile by using adaptive learning techniques,
and how to automatically decide the threshold value for data
reduction. In the future, we will evaluate our approach by using
more traffic traces collected from different environments, and re-
fine the data reduction method accordingly.
References
[1] S. Staniford, V. Paxson, N. Weaver, How to 0wn the internet in your spare time,
in: Proc. USENIX Security Symposium, Aug. 2002.
[2] M. Roesch, Snort lightweight intrusion detection for net-works, in: Proc.
Conference on Systems Administration (LISA), pp. 229–238. 1999.
[3] V. Paxson, Bro: a system for detecting network intruders in real-time,
Computer Networks (1999).
[4] C.C. Zou, W. Gong, D. Towsley, L. Gao, The monitoring and early detection of
internet worms, IEEE/ACM Transaction on Networking (2002).
[5] Y. Xie, V. Sekar, D. Maltz, M.K. Reiter, H. Zhang, Worm origin identification
using random moonwalks, in: Proc. IEEE Symposium on Security and Privacy,
May 2005.
[6] F. Akujobi, I. Lambadaris, E. Kranakis, An integrated approach to detection of
fast and slow scanning worms, in: Proc. International Symposium on
Information, Computer, and Communications Security (ASIACCS), 2009.
[7] V. Sekar, Yinglian Xie, Michael K. Reiter, Hui Zhang, A multi-resolution
approach for worm detection and containment, in: Proc. International
Conference on Dependable Systems and Networks (DSN), 2006.
[8] D. Dash, B. Kveton, J.M. Agosta, E. Schooler, J. Chandrashekar, A. Barchrah, A.
Newman, When gossip is good: distributed probabilistic inference for
detection of slow network intrusions, in: Proc. National Conference on
Artificial Intelligence (AAAI), 2006.
[9] F. Akujobi, I. Lambadaris, E. Kranakis, Detection of slow malicious worms using
multi-sensor data fusion, in: Proc. IEEE International Conference on
Computational Intelligence for Security and Defense Applications (CISDA),
2009.
[10] S. Stafford, J. Li, Behavior-based worm detectors compared, in: Proc.
International Conference on Recent Advances in Intrusion Detection (RAID),
2010.
[11] A. Kumar, V. Paxson, N. Weaver, Exploiting underlying structure for detailed
reconstruction of an internet-scale event, in: Proc. USENIX/ACM Internet
Measurement Conference (IMC), Oct. 2005.
[12] M.A. Rajab, F. Monrose, A. Terzis, Worm evolution tracking via timing analysis,
in: Proc. Workshop on Rapid Malcode (WORM), Nov. 2005.
[13] I. Hamadeh, G. Kesidis, Toward a framework for forensic analysis of scanning
worms, in: Proc. International Conference on Emerging Trends in Information
and Communication Security (ETRICS), 2006.
1484 L.M. Chen et al. / Computer Communications 36 (2013) 1471–1484
[14] Y. Xiang, Q. Li, D. Guo, Online accumulation: reconstruction of worm
propagation path, in: Proc. IFIP International Conference on Network and
Parallel Computing (NPC), 2008.
[15] Q. Wang, Z. Chen, C. Chen, Characterizing internet worm infection structure,
in: Proc. USENIX Workshop on Large-Scale Exploits and Emergent Threats
(LEET), Mar. 2011.
[16] W. Wang, T.E. Daniels, A graph based approach toward network forensics
analysis, ACM Transactions on Information and System Security (TISSEC) 12
(1) (2008) 33 (Article 4).
[17] K. Shanmugasundaram, N. Memon, A. Savant, H. Bronnimann, ForNet: a
distributed forensics network, in: Proc. International Workshop on
Mathematical Methods, Models and Architectures for Computer Networks
Security (MMM), pp. 1–16, 2003.
[18] N. Liao, S. Tian, T. Wang, Network forensics based on fuzzy logic and expert
system, Computer Communications 32 (17) (2009) 1881–1892.
[19] E. Anaya, M. Nakano-Miyatake, H.P. Meana, Network forensics with
neurofuzzy techniques, in: Proc. IEEE International Midwest Symposium on
Circuits and Systems (MWSCAS), 2009.
[20] E.S. Pilli, R.C. Joshi, R. Niyogi, Network forensic frameworks: survey and
research challenges, Digital Investigation 7 (1–2) (2010) 14–27.
[21] B. Bloom, Space/time tradeoffs in hash coding with allowable errors,
Communications of the ACM 13 (7) (1970) 422–426.
[22] J. Mai, C.N. Chuah, A. Sridharan, T. Ye, H. Zang, Is sampled data sufficient for
anomaly detection? in: Proc. ACM Internet Measurement Conference (IMC),
Oct. 2006.
[23] S. Staniford, J.A. Hoagland, J.M. McAlerney, Practical automated detection of
stealthy portscans, Journal of Computer Security 10 (2002) 105–136.
[24] M. Bailey, E. Cooke, F. Jahanian, N. Provos, K. Rosaen, D. Watson, Data reduction
for the scalable automated analysis of distributed darknet traffic, in: Proc. ACM
Internet Measurement Conference (IMC), Oct., 2005.
[25] G. Maier, R. Sommer, H. Dreger, A. Feldmann, V. Paxson, F. Schneider, Enriching
network security analysis with time travel, in: Proc. ACM SIGCOMM, Aug.
2008.
[26] P. Giura, N. Memon, NetStore: An efficient storage infrastructure for network
forensics and monitoring, in: Proc. International Conference on Recent
Advances in Intrusion Detection (RAID), 2010.
[27] P. McDaniel, S. Sen, O. Spatscheck, J. Merwe, W. Aiello, C.R. Kalmanek,
Enterprise security: a community of interest based approach, in: Proc.
Network and Distributed System Security Symposium (NDSS), Feb. 2006.
[28] P. Verkaik, O. Spatscheck, J.V. der Merwe, A.C. Snoeren, PRIMED: community-
of-interest-based DDoS mitigation, in: Proc. SIGCOMM Workshop on Large-
Scale Attack Defense, Sep. 2006.
[29] J. McHugh, C. Gates, Locality: A new paradigm for thinking about normal
behavior and outsider threat, in: Proc. Workshop on New Security Paradigms
(NSPW), Aug. 2003.
[30] T. Karagiannis, K. Papagiannaki, M. Faloutsos, BLINC: multilevel traffic
classification in the dark, in: Proc. ACM SIGCOMM, Aug. 2005.
[31] N. Friedman, D. Geiger, M. Goldszmidt, Bayesian network classifiers, Machine
Learning 29 (2–3) (1997) 131–163.
[32] T.M. Cover, J.A. Thomas, Elements of Information Theory, John Wiley & Sons,
New York, 1991.
[33] T.M. Mitchell, Machine Learning, McGraw-Hill, New York, 1997.
[34] R. Pang, V. Yegneswaran, P. Barford, V. Paxson, L. Peterson, Characteristics of
Internet Background Radiation, in: Proc. ACM Internet Measurement
Conference (IMC), Oct. 2004.
[35] Cisco System Inc., NetFlow Services and Application White paper.
[36] R. Sommer, A. Feldmann, NetFlow: Information loss or win? in: Proc. ACM
SIGCOMM Workshop on Internet Measurement (IMW), 2002.
[37] Chrome Team, The Chromium Projects. <http://www.chromium.org/
developers/design-documents/dns-prefetching>.
[38] S. Axelsson, The base-rate fallacy and the difficulty of intrusion detection, ACM
Transactions on Information System Security (TISSEC) 3 (3) (2000) 186–205.