1.1. Background of Study
In many real world applications such as the earlier proposed Smart Green Energy Management System (SGEMS) which uses the DCCN (Okafor, Ugwoke, & Oparaku, 2015) to house the Enterprise Energy Analytic Tracking Cloud Portal EEATCP and Cloud Sypware Robot (CSR), sensitive data are kept in physical server machines. When a hacker exploits the server vulnerabilities, little or no damage can be done to the log files because the OFVA is shielding the log files. It is possible to forensically monitor the entire network and still deliver the required Quality of Service (QoS). The network forensics presented in this paper offers a computationally cost effective approach for generating audit or log trails prior to the logging into the network server that runs the CSR. This makes it difficult for an attacker to launch a read, modify or destroy attack on the DCCN. This paper establishes an OFVA as a special type of network forensics module that monitors the network users and their activities with little overhead on the network performance.
According to (Palmer, 2001), network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. There are numerous areas of digital forensics, but a distinguishing feature of network investigations is that it deals with volatile and dynamic information. The two broad application areas of network forensics are: security monitoring which involves monitoring a network for anomalous traffic and detecting intrusions. An attacker might be able to erase all log files on a compromised host; network-based evidence might therefore be the only evidence available for forensic analysis (Hjelmvik, 2012). The second form of network forensics relates to law enforcement. In this context, analysis of captured network traffic is the major consideration.
With cloud computing virtualization, computing as a network-centric pool could facilitate outside disk-based digital evidence. Two approaches that are commonly used to collect network data: a brute force “catch it as you can” and a more intelligent “stop look listen” method. Both approaches were applied in the Cloud forensic robot design. For the CSR, this could either be deployed in a Virtual Local Area Network (VLAN) based switch (Tariq, Mansy, Feamster, & Ammar, 2009) or an OpenFlow based switch (Bianco, Birke, Giraudo, & Palacin, 2010) (Heller, 2014). The security framework of CSR leverages and extends the advantages of OFVA and cloud virtualization. It also embeds autonomous management capabilities into the OpenFlow hardware infrastructure. Furthermore, the advent of Software Defined Networking (SDN) (Bianco, Birke, Giraudo, & Palacin, 2010) as a scheme that separates the data and control functions of networking devices with a well-defined Application Programming Interface (API) allows background processes for security monitoring (see figure 1). This makes the security framework more robust than in traditional large enterprise networks in which the security devices such as switches and routers encompass both data and control functions.
Figure 1. SDN logical structure (Stallings, 2013)