Abstract
Modern-day attackers use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their attack traces. Due to the limitations of current intrusion detection systems and forensic analysis tools, evidence often has false positive errors or is incomplete. Additionally, because of the large number of security events, discovering an attack pattern is much like finding a needle in a haystack. Consequently, reconstructing attack scenarios and holding attackers accountable for their activities are major challenges.
This chapter describes a probabilistic model that applies Bayesian networks to construct evidence graphs. The model helps address the problems posed by false positive errors, analyze the reasons for missing evidence and compute the posterior probabilities and false positive rates of attack scenarios constructed using the available evidence. A companion software tool for network forensic analysis was used in conjunction with the probabilistic model. The tool, which is written in Prolog, leverages vulnerability databases and an anti-forensic database similar to the NIST National Vulnerability Database (NVD). The experimental results demonstrate that the model is useful for constructing the most-likely attack scenarios and for managing errors encountered in network forensic analysis.
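To make the posterior computation concrete, here is an added illustration (not the chapter's own model, tool or data) of a tiny Bayesian evidence graph: a three-step attack chain whose steps are linked by constructed conditional probabilities, with one IDS alert per step characterised by a true-positive and a false-positive rate. An alert that is absent from the evidence set (for example, a log wiped by an anti-forensic tool) is marginalised out rather than read as "no alert", and the posterior of every scenario is obtained by enumeration.

```python
from itertools import product

# Constructed toy evidence graph; step names and all rates are assumptions
# chosen for illustration, not values taken from the chapter.
STEPS = ["web_exploit", "priv_escalation", "data_exfil"]
P_FIRST = 0.05                          # prior that the chain starts at all
P_NEXT_GIVEN_PREV = {"priv_escalation": 0.8, "data_exfil": 0.7}
# In this strict chain a step cannot occur without its predecessor.
SENSORS = {  # step -> (true-positive rate, false-positive rate) of its alert
    "web_exploit": (0.9, 0.1),
    "priv_escalation": (0.6, 0.05),
    "data_exfil": (0.8, 0.02),
}


def joint(steps_on, alerts):
    """P(steps, alerts) for one assignment; both arguments map step -> bool.
    Steps absent from `alerts` are unobserved and contribute no factor."""
    p = P_FIRST if steps_on[STEPS[0]] else 1 - P_FIRST
    for prev, cur in zip(STEPS, STEPS[1:]):
        if steps_on[prev]:
            q = P_NEXT_GIVEN_PREV[cur]
            p *= q if steps_on[cur] else 1 - q
        elif steps_on[cur]:
            return 0.0                  # later step without its predecessor
    for step, (tpr, fpr) in SENSORS.items():
        if step not in alerts:          # evidence missing: marginalise it out
            continue
        fire_prob = tpr if steps_on[step] else fpr
        p *= fire_prob if alerts[step] else 1 - fire_prob
    return p


def posterior(alerts):
    """Return {scenario tuple: P(scenario | observed alerts)} over all 2^n scenarios."""
    table = {}
    for bits in product([False, True], repeat=len(STEPS)):
        table[bits] = joint(dict(zip(STEPS, bits)), alerts)
    z = sum(table.values())             # P(alerts), the normalising constant
    return {k: v / z for k, v in table.items()}


def most_likely_scenario(alerts):
    """Return (list of steps in the MAP scenario, its posterior probability)."""
    post = posterior(alerts)
    best = max(post, key=post.get)
    return [s for s, on in zip(STEPS, best) if on], post[best]
```

Passing `{"priv_escalation": False}` instead of omitting the key shows the difference between a sensor that observed nothing and evidence that is simply missing: the former lowers the posterior of the full chain, the latter leaves it to the remaining alerts.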
© 2016 IFIP International Federation for Information Processing
About this paper
Cite this paper
Liu, C., Singhal, A., Wijesekera, D. (2016). A Probabilistic Network Forensic Model for Evidence Analysis. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XII. DigitalForensics 2016. IFIP Advances in Information and Communication Technology, vol 484. Springer, Cham. https://doi.org/10.1007/978-3-319-46279-0_10
DOI: https://doi.org/10.1007/978-3-319-46279-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46278-3
Online ISBN: 978-3-319-46279-0