
A framework for collection and correlation of network forensic evidence for quality of service degradation

Posted on: 2009-06-11
Degree: Ph.D
Type: Thesis
University: University of Louisville
Candidate: Battisha, Mohamed M
Full Text: PDF
GTID: 2448390002993135
Subject: Computer Science
Abstract/Summary:
The current shift from the static, access-based service model to the dynamic, application-based service model has introduced major challenges for effective forensics of any quality degradation of the provided service. In addition, about 55% of the Tier 1 and Tier 2 providers are planning to offer managed security services to guarantee an attack-free IP service. Meanwhile, the need to retain network traffic for an extended period for later forensic investigation introduces another challenge. This thesis proposes a novel framework for modeling network traffic in order to select meaningful metrics for tracking changes in network behavior. Based on the carefully selected metrics, an adaptive exponentially weighted moving average (EWMA) control chart with a moving centerline is used to monitor changes in network behavior. Signaling these changes, in association with the service-objective-based network behavioral model, should provide the information required for forensic analysis of service quality degradation with minimal storage requirements, since only the selected metrics for the individual abnormal periods need to be retained. The proposed methodology is demonstrated using simulated and real traces of network behavioral metrics. This thesis illustrates the effectiveness of the forensic analysis model for the selection of relevant behavioral metrics. It also shows how the adaptive EWMA can be used to track changes in network behavior from normal to abnormal and vice versa, thereby bounding the storage requirement for the forensic evidence.
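The following is an added illustration of the monitoring idea in the abstract, not code from the thesis: a moving-centerline EWMA control chart run over a constructed metric series, with the flagged samples grouped into abnormal periods so that only those periods would need to be retained as evidence. The data, the parameter values (lam, alpha, width, warmup), the 1.25 * MAD sigma approximation, and the choice to freeze the centerline while a sample is abnormal are all assumptions made for this example.

```python
from statistics import mean

# Constructed sample series (not from the thesis): a behavioural metric such as
# packets per second with a baseline around 100 and a +40 shift between
# samples 30 and 44 inclusive, i.e. one simulated degradation episode.
BASE = [100, 103, 98, 101, 99, 102, 100, 97]
SAMPLES = [BASE[i % len(BASE)] + (40 if 30 <= i < 45 else 0) for i in range(60)]


def monitor(samples, lam=0.2, alpha=0.1, width=3.0, warmup=10, min_sigma=1e-6):
    """Moving-centerline EWMA control chart over a metric series.

    The centerline is the EWMA forecast of the metric.  Each new sample is
    compared with that forecast, and the spread of the residuals is itself
    tracked with an EWMA of their absolute values (a MAD estimate).  A sample
    whose residual exceeds `width` sigma is flagged abnormal.  Assumption for
    this example: while a sample is abnormal the centerline and spread are
    frozen, so a degradation episode does not become the new baseline.
    Returns one boolean per sample (True = abnormal).
    """
    if len(samples) <= warmup:
        raise ValueError("need more samples than the warm-up window")
    seed = samples[:warmup]
    center = mean(seed)
    mad = mean(abs(x - center) for x in seed)
    flags = [False] * warmup  # no alarms while the baseline is being seeded
    for x in samples[warmup:]:
        resid = x - center
        # 1.25 * MAD approximates sigma for roughly normal residuals; the floor
        # avoids a zero-width limit after a perfectly constant warm-up.
        sigma = max(1.25 * mad, min_sigma)
        abnormal = abs(resid) > width * sigma
        flags.append(abnormal)
        if not abnormal:
            center = lam * x + (1 - lam) * center
            mad = alpha * abs(resid) + (1 - alpha) * mad
    return flags


def abnormal_periods(samples, flags):
    """Group flagged samples into contiguous periods (start, end_exclusive, values).

    Only these slices would be kept as forensic evidence; normal periods are dropped.
    """
    periods = []
    start = None
    for i, flagged in enumerate(flags):
        if flagged and start is None:
            start = i
        elif not flagged and start is not None:
            periods.append((start, i, list(samples[start:i])))
            start = None
    if start is not None:
        periods.append((start, len(flags), list(samples[start:])))
    return periods


def retained_fraction(samples, periods):
    """Share of the series that has to be stored under the retain-abnormal-only policy."""
    return sum(len(values) for _, _, values in periods) / len(samples)


if __name__ == "__main__":
    flags = monitor(SAMPLES)
    periods = abnormal_periods(SAMPLES, flags)
    for start, end, values in periods:
        print(f"abnormal period samples {start}..{end - 1}: {values}")
    print(f"retained fraction: {retained_fraction(SAMPLES, periods):.2f}")
```

The chart alarms on the first shifted sample and stays in alarm until the metric returns to its baseline, at which point the frozen centerline still matches normal behaviour and the alarm clears; on this series that leaves one 15-sample period out of 60 to be retained, a quarter of the raw metric volume. In practice the smoothing weights trade detection delay against false alarms and should be tuned per metric on known-normal traffic.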
Keywords/Search Tags: Network, Service, Forensic, Quality, Model