Improving Payload Attribution Techniques in Computer Network Criminology with Time based Hierarchical Bloom Filter

In the light of increased network attacks, payload attribution is an essential part of any forensics analysis of the attack. Usually attribution has to be done based on the payload of the packets. In such techniques network traffic should be stored in its entirety while user privacy is preserved. Bloom filters have been an ideal tool for such requirements. Previous works in this area have tried to minimize the false positive error rate associated with the bloom filter while improving on the data reduction ratio but there has not been any notable research on practical implementations in computer networks. A payload attribution technique should provide a list of connections which are suspects of carrying a specific payload (i.e. malware signature). The problem arises with the fact that there are too many queries required, given the large number of connections and the number of bloom filters involved over long time periods, which results in a large aggregate error rate. In this work, we propose a technique with which a time-based hierarchical bloom filter configuration is proposed to tackle the noted problem. Our evaluation shows that with this proposed technique we are able to limit the false positive error rate of the system as compared to the previously proposed techniques. This leads to an overall error reduction in the payload attribution system. More specifically, the error rate compared to previous work drops from 5.66% to 3.98% which results in reducing the number of incorrectly identified flows by 8400.