-
1
CHAPTER I: INTRODUCTION
1.1 Overview
This project is about a network forensic that allow finding the
details of
networking events after they happened and how to analyze VoIP
attacked data
pattern by using WEKA, a data mining tool. WEKA is used to view
network
traffic, in order to investigate network and security attacks or
application
performance issues. From the data pattern, an investigation will
be conducted to
reveal information about network and application interactions,
user sessions, and
response time and latency metrics. It is also to get the
information about the
source of the attacks, when the attacks happen, where the source
of the attacks
comes from and what type of attacks that are found and track
down a hacker is to
keep vast records of activity on a network with the help of an
intrusion detection
system.
From the gathered data, it will help to find a solution for each
attack to
prevent them from happening again in the future. From the data
analysis, it also
reveals who communicated with whom, when, and how often. This
information
gained could be used as evidences to the victims for them to
take further action
on the parties that committed network crimes on them.
1.2 Project Objective
The main objective of this project is to analyze the pattern of
attack data
from the captured data. In which case, the data will indicate
the condition of the
network events. Hence the source of attacks or other problem
incidents will be
discovered. It helps in identifying unauthorized access to a
computer system, and
searches for evidence of other types of threats of attack
occurrence.
-
2
The second objective is to convert the pcap data to arff data
file that will
recognize by the WEKA data mining tool. The first objective
cannot be
conducted if the second objective is failing to apply.
1.3 Project Scope
This project will focus on VoIP and attacked data pattern by
using
WEKA, a data mining tool. The Denial-of-service attack (DoS),
Spam over
Internet Telephony (SPIT), and Man-in-the-middle (Mitm) attacks
are the three
main focuses of this project.
1.4 Problem Statement
The growth in networking connectivity, complexity and activity
has
increased the number of crimes committed within networks. An
emerging
application like VoIP has worsened the situation. Knowing the
attacked patterns
allows network administrators to fence their network.
VoIP is one of the newest technologies that are being rapidly
embraced
by the market as an alternative to the traditional Public
Switched Telephony
Network (PSTN). The common VoIP threats are network-based
DoS,
eavesdropping, signaling protocols, spam and etc. These attacks
can make
conversations unintelligible due to malicious people that can
listen in others
conversations, network overloaded, and packet loss or network
congests that
caused a network down. In addition the bandwidth for each
application on the
network will be less since they will be shared amongst the
applications.
-
3
1.5 Problem Solving
The solution to the problem can be solved by any network tools.
WEKA
which is a data mining tool will be used in this project to view
network traffic
history to investigate the attacked and identify the source of
attacks.
-
4
1.6 Chapter Organization
This chapter contains the detailed description of the project
proposed
which is VoIP data Forensic using WEKA a data mining tool. In
this chapter, we
have described the surface of how the VoIP data Forensic work
and how the
attacks had given an impact on VoIP application. More details
about VoIP data
Forensic using WEKA a data mining tool will be described in
Chapter 4.
Chapter 2 discusses the literature review that is used in the
project. The
literature review describes all the research and findings that
related to this
project.
Chapter 3 will discuss on the research methodology that will
give specific
research methods used to design the project. In this chapter,
there had
explanations on the methods and specifications that used in this
project and also
prepare budgets and costing.
Chapter 4 will discuss on the testing and implementation of
the
project. This chapter will give the explanation on how the
project will be
implemented.
Chapter 5 will discuss on the project verification. This chapter
will give a
result from the project implementations or experiments. From
this chapter, user
will understand on how the system running and the final output
of the system.
Chapter 6 is the conclusion of the project. Any other
suggestions or
enhancements will be listed in this chapter for future
reference.
-
5
CHAPTER II: LITERATURE REVIEW
This chapter consists of discussion on several subjects that
related to this project.
The reviews start with a definition and concept of VoIP, Data
Mining and Network
Forensic. In addition, the existing VoIP protocol and VoIP
issues will be one of the
researches. Then some work by other researchers that related to
the area of study will be
study so that it can be included in a literature review.
2.1 Background
2.1.1 Voice over Internet Protocol (VoIP)
VoIP known as IP Telephony, which is using an Internet Protocol
over an
IP network. With the growth in popularity and bandwidth, VoIP
allows phone
calls to be routed over the Internet rather than Public Switched
Telephone
Network (PSTN). VoIP converts the voice signal into digital
signals that travel
over the Internet. The voice signal is packetized and sent over
the network one-
by-one. The processes of packetization involved with a callers
voice signal
being compressed, then transfer it over the IP network, and it
is then
decompressed at the end [1]. So VoIP can achieve on any data
network that uses
IP like Local Area Networks (LAN), Internets and Intranets
[1].
There are several reasons why VoIP telephony is becoming
very
attractive to telecommunication providers and users rather than
PSTN. The
decreased call cost is one of the main reasons. It is relatively
cheap to make a
long distance call through a VoIP service rather than PSTN. This
is because
network resources such as bandwidth, router CPU and memory are
shared
between applications in the Internet [2]. When using a PSTN
line, users had to
pay for each minute that spend on the phone. The Internet is a
backbone of VoIP,
-
6
the cost that the user has to pay is a monthly bill to an
Internet service provider
(ISP). The other reason is VoIP services can be used for
conference calls as
appose to the phone line whereby only two persons can speak at a
time. With
VoIP, a conference can be setup with a whole team, communicating
in a real
time.
Figure 2.1 shows a simple VoIP process. To send data over the
internet,
the voices or the data are compressed into small packets to
reduce amount of
transmission space. These packets are sent in different order
and the packets are
then streamed line at the other end. Generally packet loss can
happen during the
transmission. To recover from the loss, there is a mechanism in
order to cover up
the loss and building up the data by collecting the pieces of
information [3].
There are also other potential problems with VoIP such as
increased
security risks and lower Quality of Service (QoS) and Denial of
Service (DOS)
[4]. In the PSTN, a circuit or dedicated channel was set up
between two points
for the call duration. These telephony systems are based on
copper wires carrying
analog voice data over the dedicated circuits [5]. A set amount
of bandwidth is
Figure 2.1: VoIP Processing [3]
-
7
reserved when a call is established between the callers for the
time the
connection is active. One of the main problems with PSTN
technology is that
the 64 kbps of bandwidth is reserved even when there is no data
being sent and
the entire bandwidth is not needed. The actual requirement for
bandwidth is
usually only a small amount of what is reserved [4].
VoIP telephony relies upon methods and various protocols to
establish
calls and transmit data. Most VoIP implementations however use
Session
Initiation Protocol (SIP) and Real-time Transport Protocol
(RTP). The SIP
protocol is a text based application is used for a call
teardown, call initiation, and
other call related data sent during the conversation [4].
Besides using SIP for
teardown and initiating calls, SIP is also used for integrating
more users into a
conference call. VoIP that uses SIP relies on a SIP proxy server
which to
authenticate the users login credentials. This proxy also used
for signaling the
data and to route the call and acts as a registrar which is used
to locate other
users [4].
RTP is used for generic transport capabilities for real-time
multimedia
applications that support both steaming applications and
conversational such as
video conferencing, video-on-demand, internet telephony,
internet radio and
music-on-demand. RTP is transported with a Datagram Protocol
(UDP) packet to
reduce overhead to get a greater transmission speed or a better
call quality.
2.1.2 VoIP Attacks
VoIP is for sure gaining advantage over PSTN but there is a
major concern for
the VoIP community which is its security. An increasing security
mechanism
would have a poor VoIP performance service. On the other hand,
without
security mechanisms, VoIP services would be open to threats and
attacks [2].
Man-in-The-Middle (MiTM), Denial of Service (DoS) and Spam over
Internet
Telephony (SPIT) are among the VoIP attacks.
-
8
MiTM attack is the attacker inserts himself between two
communicating
parties that the he can delete or modify the communications.
MiTM attack is a
real threat to the security. For example, the MiTM which in the
VoIP signaling
or a media path can easily divert, wiretap, and even hijack
selected VoIP calls
[6]. Such MITM attacks on VoIP could cause a serious effect to
the targeted
VoIP users. For example, attackers are able to collect sensitive
information such
as bank account number, credit card number, PIN number and etc.
of the victims.
MITM is such a problem in Internet communication because there s
no way to
recognize someone's face and voice. Electronic communications
are tools that the
attackers are easy to discover because they would not be able to
answer quickly
when victims are suspicious about the caller, they might
question the attackers
about a shared history moment for example as a test [7]. That is
why MiTM
attacks work against web-based systems because the web is not
synchronous [7].
The attacker could simply pass and get through to the end of
the
communications.
DoS attack is an attack that denies a service or connectivity on
a network
or devices, or bringing down the servers offering such services
because it can
overload the devices internal resources of the network. DoS
attacks can be
carried out by flooding a target with unnecessary SIP
call-signaling messages.
This can cause calls to drop prematurely and halts call
processing [8]. The DoS
attacks goal is to cause the service inoperable for as long as
possible. By
targeting victims computer and network of the site victims are
trying to use, the
attacker may be able to prevent victims from accessing websites,
or other
services. Floods are a common type of DoS attack. Floods
happened when the
attacker overloads the server with a request so it cannot
process the victims
request and they cannot access that site. The attacker can use
spam email
messages on victims email account. The email account services
have assigned
one account with a specific quota which one account has a
limited amount of
data at any given time [9]. The attacker can collect victim
quota, preventing them
-
9
from receiving legitimate messages by sending large, or many
email messages to
the account [9].
If SPAM is for email, SPIT is for VoIP which is an unwanted bulk
calls
or voicemails that sent over VoIP networks [10]. SPIT may be a
bigger problem
to deal with to compare with SPAM. SPIT might cause a bandwidth
problem that
will increase the bandwidth bills for several times. This is
because voice
messages carry up more bytes than emails which only a few
kilobytes apiece.
SPIT attacks are different with SPAM. SPAM can be detected
before it interfere
the recipient meanwhile in SPIT, there is too late for
prevention of SPIT if the
phone rings and the phone rings immediately after session
initiation [10]. This
will disturb the users current activity.
2.1.3 Network Forensic
VoIP is an application resides within the Internet environment.
As the increasing
number of people using the Internet, the number of illegal
activities such as
identity theft, data theft and etc. also increases drastically.
Network forensics
deals with the recording, capture or analysis of network events.
With network
forensics, it is able to analyze historical network traffic in
order to conduct
investigations for security attacks [11]. From the gathered
information, it will
help in identifying an unauthorized access to the system, and
searches a solution
to prevent them happening in future. This information can be
used as for
evidence in case of such an occurrence.
The main goal of network forensics is to provide evidence that
is
sufficient to allow the criminal perpetrator to be successfully
prosecuted [12].
Network forensics require two steps, first gathering a complete
network activity
data and then interpreting the data. Network activity data build
a necessary
foundation for a network forensics investigation which
interpreting forensic
-
10
network data could range from extracting files and
reconstructing web sessions
to tracing data leakage and detecting advanced persistent
threats [13].
2.1.4 WEKA Data Mining Tool
Data mining is the process of analyzing data from different
corners and
summarizing it into useful information [14], and it is one of
the analysis tools
software for analyzing data. Data mining could be separate into
two parts,
directed and undirected. In directed data mining, it is trying
to predict a particular
data point, but in undirected data mining, it is trying to find
patterns in existing
data, or creates groups of data [15]. Data mining has dozens of
techniques and
procedures that used to examine and transform data. The data
mining is to
create a model that can improve the way to read and interpret
the existing data
and the future data [15].
Waikato Environment for Knowledge Analysis (WEKA) is one of
the
data mining tools software and is open source software. WEKA is
a collection
of machine learning algorithms for data mining tasks and it is
the product of the
University of Waikato, New Zealand [15]. The software is written
in the Java
language. It contains tools for data preprocessing, regression,
clustering,
classification, association rules and visualization [16]. WEKA
uses a flat text file
describing the data and it can work with a variety of data files
including its own
file formats, Attribute Relation File Format (ARFF) and C4.5
file formats. ARFF
is the WEKA default file type that use for data analysis, but
the data also can be
imported from a various formats [17]. The data can also be read
from a
Structured Query Language (SQL) database or from Uniform
Resource Locator
(URL).
-
11
2.2 Previous Work
2.2.1 Skype Forensics in Android Devices
In this research paper, Mohammed I. Al-Saleh and Yahya A.
Forihat did some
investigation on the evidences of Skype calls and chats in the
Android devices.
Smartphones, have a bit of capabilities similar to that of PCs
which can store a
large of data and different categories of information.
Smartphone which is
having an Android-based device is getting more popular because
there are a lot
of varieties of mobile Applications (Apps) that were developed
to extend the
functionality of the phones. VoIP Apps are extensively used that
provided the
usage for their wide availability and cheap prices and Skype is
one of the popular
VoIP Apps.
Figure 2.2: Investigation Model [18]
-
12
This research paper might assume that Skype is one of the ways
that
helps in committing cybercrimes. Digital Forensics may be
conducted on mobile
devices, computers, and networks, in order to detect the
cyber-criminal activities
and prove them guilty under the law. Fig. 2.2 is an
investigation models
researchers designed. The figure summarized that the criminal
starts a call
conversation session with the victim. The conversation sessions
from the
criminals device need to be extracted by the investigator to
extract evidences by
inspecting both RAM and NAND flash memories [18].
After doing several experiments, the pattern for each experiment
had
shown there were no differences between the call conversation
patterns. The
result of chat messages is found in both memories and have
decreased the
average number of occurrences for the different time durations.
This means, chat
messages were stuck for a long time in the flash memory without
redundancy.
The remaining number of messages still can be used as evidence.
The researchers
concluded that Skype conversation patterns and chat messages can
be found in
both of the RAM and NAND flash memories for a long time and
regardless of
deleting calls and chat histories and signing out of the Skype
[18].
2.2.2 Network Forensics Models for Converged Architectures
A pattern is a solution to a problem that can be used to guide
evaluation
of systems or the design. The concept of forensic pattern is
introduced by
illustrating them using Unified Modeling Language (UML) object
oriented
models. Attack patterns are a description of the objectives and
steps of an attack.
From these attack patterns, it can obtain useful information to
analyze a ways to
stopping the attacks. Forensic pattern is a systematic approach
to network
forensic collection and data analysis. By using these forensic
patterns,
investigators or forensic teams will have a structured method to
search, collect
and analyze network forensic data.
-
13
Firewalls and Intrusion Detection System (IDS) is a general
security
mechanism that unable to detect and stop the attacks at a higher
level. To stop it
in the future, some details about the attackers activities need
to collect and send
them to be analyzed. Sensors with examination capabilities for
collection of
evidence are a way of collecting data which help reduce human
intervention
were used. These sensors are to capture all entering or leaving
the system of
voice packets. The evidence collector starts collecting forensic
data if there is
notifications alert of alarm that detect the against VoIP
components. After
collecting the forensic data, the evidence collectors will the
data to the network
forensics server. These data are used to discover and rebuild
the attacking
behaviors. The forensics server will perform the corresponding
forensics
analysis.
Log correlation and normalization are one of the techniques to
analyze
forensic database and files. The evidence analyzer will presents
results to the
forensic investigator. This result will include such information
as the IP address,
the topology of the network, the MAC address, and possibly the
geographic
location of the IP. In Fig. 2.3, Juan C. Pelaez and Eduardo B.
Fernandez
described how a forensic system and IP telephony integrate. The
model
represented the three primary components, the forensic server,
the evidence
Figure 2.3 Class diagram for a VoIP network forensics system
[19]
-
14
collector and the network investigator. The advantages using the
forensic pattern
are; automated evidence analyses will reduce response times of
the forensic
investigators, the analyzer can provide information about logs
and for tracing
back the attackers, and can determine the call history, when a
user is using the
VoIP device, and with whom the user communicates [19].
2.2.3 Security Patterns for Voice over IP Networks
The authors[REFERENCE REQUIRED], discuss the security
attacks
and related them to the ways the system is used and provided
some defense
mechanisms. Four security patterns are presented which provide
good practices
for VoIP in identifying and understanding the mechanisms needed.
The patterns
include VoIP Tunneling, Network Segmentation, Secure VoIP Call,
and Signed
Authenticated Call. Unified Modeling Language (UML) was used to
make easier
for the implementation of the patterns. There are three
different types of
connections when using the IP protocol. PC-to-PC,
PC-to-Telephone, and
Telephone-to-Telephone. VoIP uses the Real-Time Protocol (RTP)
for transport,
Real-Time Transport Protocol (RTCP) for reporting Quality of
Service (QoS),
and SIP, H.323 Media Gateway Control Protocol (MGCP) for
signaling.
In this journal[REFERENCE REQUIRED], there are several attacks
that
the authors presented. Theft of service, IP Spoofing, and
Denial-of-service
(DoS), masquerading, call interception, repudiation, call
hijacking, and brute
force is one of the presented attacks that against the VoIP
network. The authors
have made some detail analyzed of these attacks using the
concept of attack
pattern by considering the forensic aspects.
-
15
Fig.2.4 shows the relation between VoIP security patterns and
related
cryptographic patterns. The double box represented the patterns.
In the Network
Segmentation pattern, it will minimize disruption in the attack
event and critical
voice traffic wont impact. The VoIP Tunneling pattern uses
encryption to ensure
data integrity and confidentiality in VoIP networks. Tunnels
will secure the VoIP
traffic transport over the external network and eliminates the
risk of exposing a
network. The Signed Authenticated Call provides a suitable way
for
authentication of messages in VoIP and the best countermeasure
for theft of
service attacks. In Secure VoIP call, encryption and decryption
of VoIP calls
were used to provide good confidentiality.
It concludes that, use VPNs and encrypt all voice traffic are
the best
security approach in VoIP. This would ensure that the critical
voice traffic
would be unaffected if an attack did occur on the data network
[20]. To enhance
the security in VoIP, filtering and firewalls can be implemented
to control the
traffic between the data VPN and the voice [20].
Figure 2.4: Relationships between VoIP security patterns
[20]
-
16
2.2.4 Enhancing Forensic Investigation In Large Capacity Storage
Devices Using
WEKA: A Data Mining Tool
This research project focuses on large sets of data that can be
handled by
a data mining system. WEKA data mining tools are studied to
demonstrate the
data mining methodology and thus obtain the data. The WEKA tool
kit is easily
extendable and flexible. WEKA is written in Java and makes it
easy to use and
easily portable. It allows modeling techniques and data
preprocessing.
WEKA is a user friendly which provides a large set of functions
and tools
included attribute selection, pre-processing filters, data
clustering, classification
and selection of data, data visualization of data and
association discovery.
WEKA is open source free software that is available to all users
and it can be
used to run individual experiments. There are various data
formats WEKA
supported. These files are ARFF, Comma Separated value (CSV),
Decision
induction algorithm acceptable format etc.
Fig. 2.5 present the flow of data mining that used in WEKA. Data
is
classified based on the attribute selection, and data are then
divided into clusters
based on the types of grouping that the user selects. The output
obtained after
clustering gives the accuracy of data when the data is clustered
which can be
Figure 2.5: Flow of Data Mining Methodology in WEKA [21]
-
17
used for future predictions. Finally regression analysis
describes how regression
can be applied and results can be visualized.
This research project used a bank data to import into WEKA
and
implement it in 4 modules that represents data mining process
stages. The source
file can be in one of the formats which are either .arff or
.csv. Fig. 2.6 is a
WEKA preprocessing window with the bank data. The data are saved
to bank-
data-final.arff after the parameters are set up. The project was
implemented in
four modules which represents various stages and each task of
data mining.
Association, classification, clustering and regression are the
four stages of data
mining process [21].
Figure 2.6: Preprocessing window [21]
-
18
2.3 Critical Analysis
The following table is a review of the differences in the
literature review.
Table 2.1: Critical Analysis
JOURNAL
JOURNAL 1
[REFERENCE
REQUIRED],
JOURNAL 2
[REFERENCE
REQUIRED],
JOURNAL 3
[REFERENCE
REQUIRED],
JOURNAL 4
[REFERENCE
REQUIRED],
RESEARCH
DATA
Skype
Converged
Network
Converged
Network
Bank
Employee
TOOLS
SOFTWARE
HARDWARE
X
X
VOIP ATTACKS
DoS
X
X
SPIT
X
X
X
X
MiTM
X
X
X
X
PROTOCOL
SIP
X
X
X
RTP
X
X
X
-
19
CHAPTER III: RESEARCH METHODOLOGY
This chapter will cover the detail explanation of methodology
that is being used
to make this project complete and working well. The method is
used to achieve the
objective of the project that will accomplish a perfect result.
Subsequently, section 3.1
introduces the methodology that be used in this project. In
section 3.2 the resources of
the hardware and software are listed. The budget and costing of
the tools are listed in
Section 3.3. Section 3.4 and Section 3.5 the Work Breakdown
Structure (WBS) and the
project timeline, Gantt chart was developed which consists of
activity duration
estimation and the development of the project schedule.
3.1 Rapid Application Development (RAD) Methodology
Rapid Application Development (RAD) methodology is selected to
be
used as a methodology model because it is a suitable process for
software
development and it used to replicate the flow of each work
related to this project.
This methodology is based on an iterations approach and
prototype. Since this
project involves with the existing data, comprises analysis and
reporting of the
data, RAD process works best in cases where the data is known,
the
requirements can be defined and kept unchanged during the
development and the
functional requirements can be met within a short time frame
[22]. In this
project the RAD methodology based on 6 phases which consist of
Initiation
phase, Planning phase, Design phase, Testing and Implementation
phase,
Verification phase and the last phase is Documentation
phase.
-
20
RAD methodology is designed with advantages. Quality and speed
are
the primary advantages of this methodology. RAD increased the
speed of
development and decreased delivery time, which focuses on
converting
requirements to code as quickly as possible [23]. Increased
quality is a RAD
primary focus, which is defined as both the degree to which a
delivered
application meets the needs of users as well as the degree to
which delivered
systems has low maintenance costs and provide a considerable
reduction in the
errors due to the use of automation tools and prototyping.
Errors and omissions
are detected in the early stages of development, thereby
preventing any extra
effort or cost. [24].
3.1.1 Initiation
An initiation or feasibility study is conducted after getting an
approval
from the FYP supervisor. During the first of these phases, the
initiation phase,
the project objective, project scope and current problem
statement are identified.
A feasibility study is conducted to gather all the findings and
data that related to
the project. The findings include all the sources of the
information from internet,
books, journal, articles and previous study which is similar to
this project or
systems. From the research literature, it can spot various gaps
in the literatures
Figure 3.1: RAD model methodology
-
21
which can formulate a research question based on the research
gaps and discuss
how these projects are likely.
3.1.2 Planning
The next phase, the planning phase, all of the work to be done
is identify
where is the hardware and software resource requirements, and
research model is
identified, along with the strategy process to implement the
project. A project
plan is created outlining the activities, tasks, dependencies
and timeframes and
identified a project budget by providing cost estimates for the
equipment and
materials costs. The budget is used to monitor and control cost
expenditures
during project implementation. The project plan can be referred
at Fig.3.3 and
Fig.3.4 on pages 7 and 8.
3.1.3 Design
During the third phase, the design phase, the hardware and
software are
defined, and .pcap data files collections are collected in this
phase. The system
architecture, topology is well designed in this phase, which
show the process of
project work and the process of converting the .Pcap data files
into a format that
will be recognized by WEKA. Fig.3.2 shows the architecture of
the project.
-
22
The .Pcap data files are the most available file format for
logging network
traffic and can be used by almost any network analysis tool
which displays huge
amounts of data that need to go through to find problems with
the network. To be
recognized by WEKA,. Pcap data files are converted into a
temporary .csv data
file format using a tshark Wireshark command line. Then the .csv
data files will
convert into .arff data files format that supported by WEKA
using a simple txt
notepad file and saved it as .arff file.
3.1.4 Testing & Implementation
In this phase, the project architecture is being tested in order
to identify
the effectiveness the test techniques that apply by converting
the .pcap data files
into a format that will be recognize by WEKA. The implementation
will be
started when the .pcap data file is successfully converted, and
the hardware and
software requirements are all gathered. All the installing and
software setup is
completed in this phase. Refer Section 4.2 in chapter four on
page 32 . The
collected data will be imported into WEKA that needs to be
analyzed to get a
result. The data collected from the company are subject to our
worked with time.
Figure 3.2: Architecture Topology
-
23
3.1.5 Verification
The fifth phase is the verification. This is where the result in
fourth phase
will be verified in order to identify whether the data and the
design implemented
meets the requirements of the project or not. If there is
failure in testing phase,
there will be some modification to this system until it will run
successfully. The
conclusions can be made based on the correctness and
completeness of
development and operation in Testing phase process.
3.1.6 Documentation
The last phase is documentation where is the preparation of
documented
all the information and result that related to the project as a
final report including
the corrections and amendments the report before submission.
3.2 Project Resources
The project requires the following hardware and software. Table
3.1
shows the hardware and Table 3.2 shows the software
specifications. These are
the minimum requirement needed to ensure the success of the
simulator.
3.2.1 Hardware Specifications
No
.
Device Quantit
y
Specifications
1 Laptop 1 ASUS brand
Processor : Intel inside CORE i3
RAM : 6.00 GB
OS : Microsoft Windows 7
Table 3.1: Hardware Requirement
-
24
3.2.2 Software Specifications
3.3 Budget/Costing
The following is review of the budget and costing of the
hardware and software
requirements. Table 3.3 shows the hardware and Table 3.4 shows
the software
estimated budget and costing.
3.3.1 Hardware Estimated Budget
Table 3.2: Software Requirement
No
.
Software Descriptions
1 WEKA
Version: 3.7.10(Latest version)
License/Price: Free
OS: Windows 7,8,XP,Vista,2000
Programming Language: Java
Size: 25.9 Mb
2 Wireshark
Version: 1.10.1 (64-bit)
License/Price: Free
OS: Windows 7,Vista,XP
Networking Software Tools
Table 3.3: Project costing for hardware
No. Equipment Quantity Price(RM) Remark
1 Laptop 1
1800
Students properties
-
25
3.3.2 Software Estimated Budget
3.4 Work Breakdown Structure (WBS)
The following figure is WBS which is contains level of the work
breakdown
structure that provides further definition and detail.
No
.
Equipment Quantity Price(RM) Remark
1 WEKA 1
-
Open source
2 Wireshark 1
-
Open source
Table 3.4: Project costing for software
-
26
Figure 3.3: Work Breakdown Structure (WBS)
-
27
3.5 Project Timeline
Project timeline in Fig.3.4 shows the time duration that is
taken to accomplish
this project. It shows every phase of the project development
and schedule of the
project to make sure the project will meet.
Figure 3.4: Gantt chart
-
28
CHAPTER IV: TESTING AND IMPLEMENTATION
This chapter explains the project testing and implementation
stages. Section 4.1,
testing stage will discuss on a conversion of the pcap files
into arff format files. The
testing stage is divided into two subsections. Section 4.1.1
introduces the conversion of
the pcap files into csv files format, meanwhile in section 4.1.2
introduces the conversion
of the csv files into arff files format. In section 4.2 will
discusses on an ethical matters
and in section 4.3 will discuss on a ways to analyze the
data.
4.1 Testing Stage
This section defines the testing method on the project
architecture
topology. The project architecture is set as shown in Figure 3.2
on page 22. This
stage is important to ensure that the test techniques that apply
by converting the
pcap data files into a format that will be recognized by WEKA is
in a systematic
manner.
4.1.1 Pcap To Csv Conversion
There is no direct conversion of pcap to arff formats. The csv
file is an
intermediate file between pcap and arff files. Wireshark will be
used for
converting pcap files into csv files.
-
29
Run the pcap files using wireshark and on File menu choose an
Export
Packet Dissection. This menu item allows exporting some of the
packets in the
capture file to file. In this case, choose CSV (Comma Separated
Values packet
Figure 4.1: Wireshark Export Packet Dissections
Figure 4.2: Wireshark Export File
-
30
summary) as shown in figure 4.1 on pages 25. Then save the files
as csv files
format as shown in figure 4.2.
4.1.2 CSV to Arff conversion
This is a step to convert CSV to Arff using WEKA. First of all,
itll need to
install WEKA. It can be downloaded from
http://www.cs.waikato.ac.nz/ml/weka.
It is a free source. WEKA windows will look like Figure 4.3. An
ArffViewer
option under the Tools menu is to load or open the csv files
into WEKA as
shown as in figure 4.3 on pages 22.
Figure 4.3: Weka GUI Chooser
-
31
Open the csv file by change files of types become CSV data files
(*.csv) as
shown in figure 4.4.
Figure 4.4: ARFF-Viewer windows
Figure 4.5: Weka Save Windows
-
32
Then save as the file in the file name delete ".csv" and change
it to ".arff" like in
figure 4.5, then the data files already finished converting csv
file to arff file.
4.2 Ethical Matters
The ethical matter is pertaining to the data gathering that we
collected
from a third party company. We mentioned it here as to protect
the companies
and ourselves from legal action taken in the future if the data
leaks. The first
company that we approached is a security company through its
employee that
was one of our speakers during the UniKL Security Talk day.
However, the
company was unable to release the data due to the sensitivity of
the data. The
official letter sent to the company as in Appendix X
The second attempt was through the Malaysian Computer Emergency
Response
Team (MyCERT), CyberSecurity Malaysia. After a few trials on
phone calls and
weeks, we got a response from one of the officer who is in
charged on our
request. We then sent a formal letter, refer to Appendix X, in
order to conduct an
interview with the officer. We also asked if the company could
supply the data
that are related to our project. Unfortunately the company did
not keep data type
that relates to network attacks. On the other hand, they provide
advisories on
what to do when an attack happens
The third attempt was to set an interview with Vigilnet Company,
which
provided VoIP analysis. The person in charge was outstation for
a few weeks,
though the company agreed to supply the data. At the end the
company supplied
us with the VoIP data, however the data were clean data and with
no trace of
network or individual attacks on the data. Nevertheless, we
still use this data as
one of the analyses.
-
33
4.3 Analysis Stage
Towards understanding and improving forensics analysis
processes, in this stage
an analyzing experiment were conducte on collected VoIP attack
data for
analysis. This stage enables to mark or discovers the source of
security attacks or
other problem incidents.
4.3.1 Analyze Using WEKA
This stage was focused on some common attack types of DoS attack
which is
ICMP Echo flood, UDP flood, TCP SYN flood, and a data from
reliable sources
by using WEKA Explorer preprocessing, classification,
clustering, and attribute
selection.
4.3.1.1 ICMP Echo Flood
4.3.1.1.1 Preprocessing
The file was loaded into WEKA in the Preprocess window as shown
in Fig.4.8
by click on Open file button and choose the .arff file from the
local file
system.
Figure 4.8: Weka Open File
-
34
Once the data is loaded, WEKA recognizes attributes that are
shown in the
Attribute window.
Left panel of Preprocess window shows the list of recognized
attributes:
No.: number that identifies the order of the attribute as they
are in the
data file.
Selection tick boxes: allow to select the attributes for
working
relation.
Name: name of an attribute as it was declared in the data
file.
During the scan of the data, WEKA computes some basic statistics
on each
attribute. The following statistics are shown in Selected
attribute box on the
right panel of Preprocess window:
Name: is the name of an attribute.
Type: is most commonly Nominal or Numeric.
Missing: is the number percentage of instances in the data for
which
this attribute is unspecified.
Distinct: is the number of different values that the data
contains for
this attribute.
Unique: is the number percentage of instances in the data having
a
value for this attribute that no other instances have.
Figure 4.9: Weka Selected Attribute Box
-
35
No. is numeric. Therefore, the following frequency statistics
for this attribute in
the Selected attributes window:
Missing: 0 means that the attribute is specified for all
instances (no
missing values).
Distinct: 6 means that number. has six connections
communication
Unique: 6 means that other instances do have the same value as
number.
has.
Time is a Numeric value. The statistics describing the
distribution of values in
the data - Minimum, Maximum, Mean and Standard Deviation.
Minimum = 1 is
the lowest time, Maximum = 2.075 is the longest time, mean and
standard
deviation. By comparing the result with the attribute table
destunreachble.csv,
the numbers in WEKA match the numbers in the table. Figure 4.11
showed the
visualization of all attributes.
Figure 4.10: Matched Attribute
-
36
4.3.1.1.2 Classification
Classifiers in WEKA are the models for predicting nominal or
numeric
quantities.
Figure 4.11: Attributes Visualization
Figure 4.12: Classify Tab Windows
-
37
In the Fig.4.13, C4.5 algorithm and J48, decision tree learner
is used to analyze
the data sample. The C4.5 algorithm was chosen because of it can
handle
numeric attributes.
Figure 4.13: Weka J48 Algorithm Tree
Figure 4.14: Classifier Test Option
-
38
In this data sample, the classifier will be evaluated based on
how well it predicts
66% of the tested data. The Percentage split radio-button was
checked and
keeps it as default 66%. Percentage splits evaluate the
classifier on how well it
predicts a certain percentage of the data, which is held out for
testing. The
amount of data held out depends on the value entered in the %
field. When the
options have been specified, the learning process will be
started by click on the
Start button.
4.3.1.1.3 Clustering
Clustering in WEKA is for finding groups of similar instances in
a dataset.
Figure 4.15: Cluster Tab Windows
Figure 4.16: Weka Gui Generic Object Editor Window
-
39
Once the cluster scheme SimpleKMeans is selected, a
weka.gui.GenericObjectEditor screens came up by right-click on
the algorithm
as shown in Fig.4.16. The value in numClusters box was set to 7
because it has
seven clusters in the .arff file.
When training set is completed, the Cluster output area on the
right panel of
Cluster window is filled with text describing the results of
training and testing.
A new entry appears in the Result list box on the left of the
result.
4.3.1.1.4 Attribute selection
Attribute selection searches through all possible combinations
of attributes in the
data and finds which subset of attributes works best for
prediction.
Figure 4.17: Cluster Output
-
40
In Fig.4.18, the CfsSubsetEval and BestFirst search method was
set up to
search through all possible combinations of attributes in the
data and find which
subset of attributes works best for prediction. The results of
selection are shown
on the right part of the window when the attribute selection
process is finished as
shown in Fig.4.19.
Figure 4.18: Select Attribute Tab Windows
Figure 4.19: Attribute Selection Output
-
41
The implementation of the other data which are UDP Flood, TCP
SYN
Flood and the data from reliable source were not shown because
it have same
steps as shown by ICMP Flood data, so the results on each data
will analyze on
next chapter, Chapter V: Result and Analysis.
-
42
CHAPTER V: RESULT AND ANALYSIS
This chapter discusses the results of the experiments conducted
as described in
Chapter 4. There are four discussed results regarding to
attacks. The results were
separated into each section according to the attacks. Section
5.1 discusses on data that
got from reliable sources and Section 5.2 discusses on ICMP
Flood attack data. In
section 5.3, TCP SYN Flood attack data will be discussed.
5.1 Reliable Data
The protocols involved in the pcap can be viewed in the
protocol
classifier tree. SIP, RTCP, RTP, and HTTP were the protocol
which involved as
shown in run information below:
= = = Run information = = =
Scheme: weka.classifiers.trees.J48 -C 0.25 -M 2
Relation: reliabledata
Instances: 4447
Attributes: 7
No.
Time
Source
Destination
Protocol
Length
Info
Test mode: split 66.0% train, remainder test
-
43
= = = Classifier model (full training set) = = =
J48 pruned tree
------------------
Time 201.325642
Length 202: RTP (3003.0/15.0)
Number of Leaves: 10
Size of the tree: 19
Time taken to build model: 0.06 seconds
-
44
SIP is a signaling protocol used for controlling multimedia
communication sessions, like voice or video calls over IP. The
protocol can be
used for modifying, creating and terminating two-party or
multiparty sessions
consisting of one or several media streams. In this capture
file, SIP is used to
create and tear down VoIP sessions.
RTP defines a standardized packet format for delivering audio
and video
over the Internet. RTP is usually used in conjunction with the
RTCP. When in
conjunction, RTP is usually originated and received on even port
numbers,
whereas RTCP uses the next higher odd port number. In this
capture file, RTP is
used as the media protocol to transport voice.
RTCP partners with RTP in the delivery and packaging of
multimedia
data, but does not transport any media streams itself. RTCP
itself does not
provide any flow encryption or authentication methods.
HTTP is a request-response protocol standard for
client-server
computing. In this capture file, HTTP is used to communicate
with the GUI
frontend of the SIP PBX.
= = = Run information ===
Scheme: weka.classifiers.trees.J48 -C 0.25 -M 2
Relation: reliabledata
Instances: 4447
Attributes: 7
No.
Time
Source
Destination
Protocol
-
45
Length
Info
Test mode: split 66.0% train, remainder test
= = = Classifier model (full training set) = = =
J48 pruned tree
------------------
Protocol = SIP
| Source = 172.25.105.43: Request: OPTIONS sip:[email protected]
| (1.0)
| Source = 172.25.105.40
| | Length 574
| | | No. 1298: Status: 401 Unauthorized | (2.0)
| Source = 172.25.105.3
| | No. 1302: Request: ACK sip:[email protected] |
(3.0/1.0)
| | No. > 1: User-Agent: Asterisk PBX 1.6.0.10 | FONCORE
At the beginning of the attack, the attacker 172.25.105.43 sent
a SIP
OPTIONS request for extension 100 at 172.25.105.40. Luckily,
172.25.105.40
responded to the request with a 200 OK response. The information
that is useful
for the attacker is the User-Agent message header field of the
response. Given
this information, the attacker now knows that he/she is facing
an Asterisk PBX
and FONCORE Tribox family distribution. With these clues in
hands, the
attacker tried to connect to the box with HTTP.
-
46
5.2 ICMP Echo Flood
Internet Control Message Protocol (ICMP), which enables users to
send
an echo packet to a remote host to check whether its alive.
These packets
request reply from the victim and this results in saturation of
the bandwidth of
the victims network connection.
=== Run information ===
Scheme: weka.classifiers.trees.J48 -C 0.25 -M 2
Relation: icmp
Instances: 6
Attributes: 7
No.
Time
Source
Destination
Protocol
Length
Info
Test mode: split 66.0% train, remainder test
=== Classifier model (full training set) ===
J48 pruned tree
------------------
Source = 10.2.10.2: Echo (ping) request id=0x0200, seq=9472/37,
ttl=32
[ETHERNET FRAME CHECK SEQUENCE INCORRECT] (3.0/2.0)
Source = 10.2.99.99: Destination unreachable (Host unreachable)
[ETHERNET
FRAME CHECK SEQUENCE INCORRECT] (3.0)
-
47
Number of Leaves : 2
Size of the tree : 3
Time taken to build model: 0.01 seconds
=== Evaluation on test split ===
Time taken to test model on training split: 0 seconds
=== Summary ===
Correctly Classified Instances 0 0 %
Incorrectly Classified Instances 2 100 %
Kappa statistic 0
Mean absolute error 0.5
Root mean squared error 0.6124
Relative absolute error 133.3333 %
Root relative squared error 141.4214 %
Coverage of cases (0.95 level) 0 %
Mean rel. region size (0.95 level) 50 %
Total Number of Instances 2
=== Detailed Accuracy By Class ===
TP Rate FP Rate Precision Recall F-Measure MCC ROC Area
PRC Area Class
0.000 0.000 0.000 0.000 0.000 0.000 ? ? Echo
(ping) request id=0x0200, seq=9472/37, ttl=32 [ETHERNET FRAME
CHECK
SEQUENCE INCORRECT]
-
48
0.000 0.000 0.000 0.000 0.000 0.000 ? 1.000
Destination unreachable (Host unreachable) [ETHERNET FRAME
CHECK
SEQUENCE INCORRECT]
0.000 1.000 0.000 0.000 0.000 0.000 ? ? Echo
(ping) request id=0x0200, seq=9728/38, ttl=32 [ETHERNET FRAME
CHECK
SEQUENCE INCORRECT]
0.000 0.000 0.000 0.000 0.000 0.000 ? ? Echo
(ping) request id=0x0200, seq=9984/39, ttl=32 [ETHERNET FRAME
CHECK
SEQUENCE INCORRECT]
Weighted Avg. 0.000 0.000 0.000 0.000 0.000 0.000 0.000
1.000
=== Confusion Matrix ===
a b c d
-
49
5.3 TCP SYN Flood
The SYN flooding attacks exploit the TCPs three-way
handshake
mechanism and its limitation in maintaining half-open
connections. When a
server receives a SYN request, it returns a SYN/ACK packet to
the client. Until
the SYN/ACK packet is acknowledged by the client, the connection
remains in
half-open state for a period of up to the TCP connection
timeout.
=== Run information ===
Scheme: weka.classifiers.trees.J48 -C 0.25 -M 2
Relation: tcp
Instances: 9
Attributes: 7
No.
Time
Source
Destination
Protocol
Length
Info
Test mode: split 66.0% train, remainder test
=== Classifier model (full training set) ===
J48 pruned tree
------------------
Source = 192.168.0.1: boinc-client > neod2 [ACK] Seq=1 Ack=1
Win=8760
Len=0 [ETHERNET FRAME CHECK SEQUENCE INCORRECT] (3.0/2.0)
-
50
Source = 192.168.0.2: [TCP Retransmission] neod2 >
boinc-client [PSH, ACK]
Seq=5841 Ack=1 Win=8760 Len=648 [ETHERNET FRAME CHECK
SEQUENCE INCORRECT] (6.0/1.0)
Number of Leaves: 2
Size of the tree: 3
Time taken to build model: 0 seconds
=== Evaluation on test split ===
Time taken to test model on training split: 0 seconds
=== Summary ===
Correctly Classified Instances 1 33.3333 %
Incorrectly Classified Instances 2 66.6667 %
Kappa statistic 0.1429
Mean absolute error 0.2667
Root mean squared error 0.483
Relative absolute error 84.6154 %
Root relative squared error 116.1347 %
Coverage of cases (0.95 level) 33.3333 %
Mean rel. region size (0.95 level) 26.6667 %
Total Number of Instances 3
=== Detailed Accuracy By Class ===
TP Rate FP Rate Precision Recall F-Measure MCC ROC Area
PRC Area Class
-
51
0.000 0.000 0.000 0.000 0.000 0.000 0.500 0.333
boinc-client > neod2 [ACK] Seq=1 Ack=1 Win=8760 Len=0
[ETHERNET
FRAME CHECK SEQUENCE INCORRECT]
0.000 0.000 0.000 0.000 0.000 0.000 0.500 0.333
neod2 > boinc-client [PSH, ACK] Seq=5841 Ack=1 Win=8760
Len=648
[ETHERNET FRAME CHECK SEQUENCE INCORRECT]
0.000 0.333 0.000 0.000 0.000 0.000 ? ?
boinc-client > neod2 [ACK] Seq=1 Ack=2921 Win=8760 Len=0
[ETHERNET
FRAME CHECK SEQUENCE INCORRECT]
0.000 0.000 0.000 0.000 0.000 0.000 ? ?
boinc-client > neod2 [ACK] Seq=1 Ack=5841 Win=8760 Len=0
[ETHERNET
FRAME CHECK SEQUENCE INCORRECT]
1.000 0.500 0.500 1.000 0.667 0.500 0.750 0.500
[TCP Retransmission] neod2 > boinc-client [PSH, ACK] Seq=5841
Ack=1
Win=8760 Len=648 [ETHERNET FRAME CHECK SEQUENCE
INCORRECT]
Weighted Avg. 0.333 0.167 0.167 0.333 0.222 0.167 0.583
0.389
=== Confusion Matrix ===
a b c d e neod2 [ACK] Seq=1 Ack=1 Win=8760 Len=0
[ETHERNET FRAME CHECK SEQUENCE INCORRECT]
0 0 0 0 1 | b = neod2 > boinc-client [PSH, ACK] Seq=5841
Ack=1 Win=8760
Len=648 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
0 0 0 0 0 | c = boinc-client > neod2 [ACK] Seq=1 Ack=2921
Win=8760 Len=0
[ETHERNET FRAME CHECK SEQUENCE INCORRECT]
0 0 0 0 0 | d = boinc-client > neod2 [ACK] Seq=1 Ack=5841
Win=8760 Len=0
[ETHERNET FRAME CHECK SEQUENCE INCORRECT]
-
52
0 0 0 0 1 | e = [TCP Retransmission] neod2 > boinc-client
[PSH, ACK]
Seq=5841 Ack=1 Win=8760 Len=648 [ETHERNET FRAME CHECK
SEQUENCE INCORRECT]
From the information above, the file begins with standard TCP
ACK
packets sent between 192.168.0.1 and 192.168.0.2. When TCP sends
a packet to
a destination and does not get a reply, it waits a specified
amount of time then
retransmits the original packet. If a response is still not
received, the source
(transmitting) computer doubles the amount of time it waits for
a response before
sending another retransmission. Once the retransmission attempts
have failed, the
connection has completely failed and the data in the
transmission is lost.
-
53
CHAPTER VI: CONCLUSION
This chapter contains a conclusion and some recommendation and
suggestion
that are made for future improvement and enhancing the project
that conclude after
testing and result. The essence of the study is to analyze VoIP
traffic trace using WEKA
a data mining tool. We believe that the objective is
achieved.
6.1 Project Accomplishment
In the early days of VoIP, there was no big concern about
security issues
related to its use. People were mostly concerned with its cost,
functionality and
reliability. Now that VoIP is gaining wide acceptance and
becoming one of the
mainstream communication technologies, security has become a
major issue. To
overcome a major problem, the network forensic is prepared to
the monitoring
and analysis of computer network traffic for the purposes of
information
gathering, legal evidence, or intrusion detection.
This project started with converting the pcap (Packet Capture)
into
Attribute-Relation File Format (arff) which format that WEKA
recognize and
learned how to analyze the data by using WEKA Explorer
preprocessing,
classification, clustering, and attribute selection before
getting the data from
company who provide VoIP analysis.
We believed that the objectives set for this project are met.
The first
objective is to analyze the pattern of attack data from the
captured data. In which
case, the data indicates the condition of the network
events.
-
54
The second objective is also achieved. It is to convert the pcap
data to arff
data file so that the input will be recognized by the WEKA data
mining tool. It is
important to state that and the first objective depends on this
second objective.
We have some hiccup in getting the right data for our analysis
since many
companies are tied with the legality that refrain them from
sharing their data with
us. However, we still get data from a simulated data from other
related project
conducted by another student in UniKL. Otherwise, our research
will produce
more interesting findings.
6.2 Future Recommendation
For the future recommendation, there are few aspects that can
be
further enhanced by expanding a few features and criteria to
make the
analysis more firm and strong.
Suggestion for Improvement Current Project Situation
Improve Data Set or create a traffic
simulation program to collect the
required data
As thedata in this project in not
related to VoIP attack due to a
certain problems, the pure collected
data that related to VoIP attack can
be analyzed for the future
enhancements.
Include more type of attacks that are
related to VoIP. Different type of VoIP
attacks such as Vishing (VoIP Phishing),
Eavesdropping, and Identity and service
theft can also be used in order to find the
different result.
Only looking for SPIT and MiTM
attacks
Expand the analytical knowledge by
using WEKAs Simple CLI interface.
Analysis using the GUI interface is
user friendly, but would not speed
-
55
Scripts can be written to allow the data
processing to be executed automatically.
up the process.
As a conclusion we would like to highlight that the issues with
VoIP security are one
of the concerned raised by the VoIP community. Although the
problem is still under
control the system admin currently is not equipped with the
right tools to detect the
VoIP attacks as earliest as possible. In most cases Wireshark or
other network sniffer
is used to determine the condition of the network. We are trying
to provide
alternative tools to the system admin by providing report
pattern produced by a data
mining tool like WEKA.
-
56
REFERENCES
[1] A Brief History of VoIP Document One - The Past. Hallock,
Joe. 2004.
[2] AmnaSaad. Secure VoIP Performance Measurement. 2013.
[3] How Does VoIP Work? discusstech.org. [Online] [Cited:
November 17,
2013.] http://discusstech.org/2011/05/how-does-voip-work/.
[4] Voice over IP: Forensic Computing Implications.
MatthewSimon. 2006.
[5] The Difference Between VoIP and PSTN Systems. webopedia.com.
[Online]
[Cited:November 17, 2013.]
http://www.webopedia.com/DidYouKnow/Internet/2008/VoIP_POTS_Differ
ence_Between.asp.
[6] On the Feasibility of Launching the Man-In-The-Middle
Attacks on VoIP
from Remote Attackers. Ruishan Zhangy, Xinyuan Wangy, Ryan
Farleyy,
Xiaohui Yangy, Xuxian Jiang. 2009.
[7] Man-in-the-Middle Attacks. schneier.com. [Online] July 15,
2008.
[Cited:November 18, 2013.]
http://www.schneier.com/blog/archives/2008/07/maninthemiddle
1.html.
[8] Security Threats In VoIP. voip.about.com. [Online] [Cited:
November 18,
2013.] http://voip.about.com/od/security/a/SecuThreats.htm.
[9] Understanding Denial-of-Service Attacks. us-cert.gov.
[Online] [Cited:
November 18, 2013.]
http://www.us-cert.gov/ncas/tips/ST04-015.
[10] SPIT: Spam Over Internet Telephony. asteriskblog.com.
[Online] [Cited:
November 19, 2013.]
http://www.asteriskblog.com/spit-spam-over-internet-
telephony.
-
57
[11] Network Forensics 101: Finding the Needle in the Haystack.
WildPackets
white paper.
[12] Network Forensic. cyberforensics.in. [Online] [Cited:
November 20, 2013.]
http://www.cyberforensics.in/(A(cos8NMWQywEkAAAAODMwODM4Y
WMtNWFmZC00ZWNhLThkNDEtNTlhMWM3MGE5MzA5hkCziwldj9ts
_CCtkjYQI68akds1))/Research/NetworkForensics.aspx?AspxAutoDetectCoo
kieSupport=1.
[13] Network Forensics & Packet Capture Analysis.
ipcopper.com. [Online]
[Cited: November 20, 2013.]
http://www.ipcopper.com/data_analysis.htm.
[14] Data Mining: What is Data Mining? anderson.ucla.edu.
[Online] [Cited:
November 20, 2013.]
http://www.anderson.ucla.edu/faculty/jason.frand/teacher/technologies/palac
e/datamining.htm.
[15] Data mining with WEKA,Part 1: Introduction and regression.
[Online]
[Cited: November 20, 2013.]
http://www.ibm.com/developerworks/library/os-weka1/.
[16] Weka - Modified for Data Mining Course at WPI. [Online]
[Cited:
November 21, 2013.] http://davis.wpi.edu/~xmdv/weka/.
[17] Introduction to Weka - A Toolkit for Machine Learning.
[18] Skype Forensic in Android Devices. Forihat, Mohammed I.
Al-Saleh &
Yahya A. 2013.
[19] Network Forensics Models for Converged Architectures.
Fernandez, Juan
C. Pelaez & Eduardo B. 2010.
[20] Security patterns for Voice over IP Networks. Eduardo B.
Fernandez, Juan
C. Pelaez and Maria M. Larrondo-Petrie. 2007.
-
58
[21] Enhancing Forensic Investigation in Large Capacity Storage
Devices using
WEKA: A Data Mining Tool. Lanka, Shravya. 2011.
[22] The Rapid Application. Issam J Zeinoun Cambridge
Technology
Enterprises, Inc. 2005.
[23] Rapid Application Development. Core Partners Inc. s.l.:
www.corepartners.com.
[24] Advantages of Rapid Application Development. buzzle.com.
[Online] 200-
2013. [Cited: December 12, 2013.]
http://www.buzzle.com/articles/advantages-of-rapid-application-
development.html
-
25