IIIT Hyderabad Publications
Optimizing Forensic Data Availability and Retention of SDN Forensic Logs by Using Bloom Filter

Author: Varun Sharma 201150846
Date: 2023-04-21
Report no: IIIT/TH/2023/29
Advisor: Shatrunjay Rawat

Abstract

To perform network forensic analysis on an incident in software-defined networking (SDN), logs are of the utmost importance. Without logs, an investigator cannot complete and justify the forensic analysis. With the advancement of network and communication technologies, the volume of logs that needs to be collected and retained is growing exponentially. Network administrators face problems in maintaining such huge logs for longer periods of time for forensic analysis. Network providers rely on purging data based on a certain stipulated duration expected by the local rules for forensic evidence. SDN providers have limitations in managing such big data, since the expense involved is commensurate with the duration of data retention. In this work we propose a novel idea to reduce and summarize large forensic data sets for faster querying, as well as to reduce their space complexity, by using Bloom filters. Through this work we aim to propose a system that can deliver more optimized forensic data availability on an SDN platform compared to existing systems.

Full thesis: pdf

Centre for Security, Theory and Algorithms