%0 Journal Article %1 knight2018forensic %A Knight, Paul %A Shashidhar, Narasimha Karpoor %D 2018 %J International Journal of Computer Science and Security (IJCSS) %K Comparison, Denial DoS Exemplar, Flow Score, Service Similarity Stresser of %N 1 %P 11-21 %T DoS Forensic Exemplar Comparison to a Known Sample %U http://www.cscjournals.org/library/manuscriptinfo.php?mc=IJCSS-1379 %V 12 %X The investigation of any event or incident often involves the evaluation of physical evidence. Occasionally, a comparison is conducted between an evidentiary sample of unknown origin and that of an appropriate known sample. In a Denial of Service (DoS) attack, items of evidentiary value may cross the spectrum from anecdotes to useful information in firewall logs or complete packet captures. Because of the spoofed or reflective nature of DoS attacks, relevant information leading to the direct identification of the perpetrator is rarely available. In many instances, this underscores the significance of the investigator's ability to accurately identify the tool utilized by the suspect. For a DoS attack scenario, this would likely involve a commercially available stresser or criminal bot infrastructure. In this paper, we propose the concept of a DoS exemplar and determine if the comparison of evidentiary samples to an appropriate known sample of DoS attributes could add value in the investigative process. We also provide a simple tool to compare two DoS flows.

@article{knight2018forensic, abstract = {The investigation of any event or incident often involves the evaluation of physical evidence. Occasionally, a comparison is conducted between an evidentiary sample of unknown origin and that of an appropriate known sample. In a Denial of Service (DoS) attack, items of evidentiary value may cross the spectrum from anecdotes to useful information in firewall logs or complete packet captures. Because of the spoofed or reflective nature of DoS attacks, relevant information leading to the direct identification of the perpetrator is rarely available. In many instances, this underscores the significance of the investigator's ability to accurately identify the tool utilized by the suspect. For a DoS attack scenario, this would likely involve a commercially available stresser or criminal bot infrastructure. In this paper, we propose the concept of a DoS exemplar and determine if the comparison of evidentiary samples to an appropriate known sample of DoS attributes could add value in the investigative process. We also provide a simple tool to compare two DoS flows.}, added-at = {2018-12-12T06:14:00.000+0100}, author = {Knight, Paul and Shashidhar, Narasimha Karpoor}, biburl = {https://www.bibsonomy.org/bibtex/23d4b3a22a747893561c84cc6b9c36ad2/cscjournals}, interhash = {e5f938ac80d40f2b53a4b7b9c36e8ed5}, intrahash = {3d4b3a22a747893561c84cc6b9c36ad2}, issn = {1985-1553}, journal = {International Journal of Computer Science and Security (IJCSS)}, keywords = {Comparison, Denial DoS Exemplar, Flow Score, Service Similarity Stresser of}, language = {English}, month = {April}, number = 1, pages = {11-21}, timestamp = {2018-12-12T06:14:00.000+0100}, title = {DoS Forensic Exemplar Comparison to a Known Sample}, url = {http://www.cscjournals.org/library/manuscriptinfo.php?mc=IJCSS-1379}, volume = 12, year = 2018 }