Title :
Distributed agent-based real time network intrusion forensics system architecture design
Author :
Ren, Wei ; Jin, Hai
Author_Institution :
Dept. of Comput. Sci., Zhongnan Univ. of Econ. & Law, Wuhan, China
Abstract :
Network forensics is a new approach to network security, because firewalls and IDSs cannot always stop or discover misuse in the network. Once a system is compromised, forensics and investigation always take place after the attack and lose some useful instant evidence. Integrated analysis of the log and audit system together with network traffic can lead to efficient navigation of the traffic. Current network forensics approaches focus only on network traffic capture and traffic replay, which always results in performance bottlenecks or difficulties in forensic analysis. However, adaptive capture that does not lose potentially sensitive traffic, and real time investigation, are seldom discussed. In this paper, we discuss the framework of a distributed agent-based real time network intrusion forensics system, which is deployed in a local area network environment. Some novel approaches for network forensics are discussed for the first time, such as the network forensics server, network forensics database, network forensics agents, forensics data integration and active real time network forensics.
Keywords :
real-time systems; security of data; software agents; audit system; distributed agent-based real time system; network intrusion forensics system; network security; network traffic; Computer architecture; Computerized monitoring; Data security; Forensics; Grid computing; Intrusion detection; Network servers; Protection; Real time systems; Telecommunication traffic;
Conference_Title :
Advanced Information Networking and Applications, 2005. AINA 2005. 19th International Conference on
Print_ISBN :
0-7695-2249-1
DOI :
10.1109/AINA.2005.164