Advertisement

A LOGIC-BASED NETWORK FORENSIC MODEL FOR EVIDENCE ANALYSIS

  • Changwei Liu
  • Anoop Singhal
  • Duminda Wijesekera
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 462)

Abstract

Many attackers tend to use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their traces. Due to the limitations of current intrusion detection and network forensic analysis tools, reconstructing attack scenarios from evidence left behind by attackers of enterprise systems is challenging. In particular, reconstructing attack scenarios using intrusion detection system alerts and system logs that have too many false positives is a big challenge.

This chapter presents a model and an accompanying software tool that systematically addresses the reconstruction of attack scenarios in a manner that could stand up in court. The problems faced in such reconstructions include large amounts of data (including irrelevant data), missing evidence and evidence corrupted or destroyed by anti-forensic techniques. The model addresses these problems using various methods, including mapping evidence to system vulnerabilities, inductive reasoning and abductive reasoning, to reconstruct attack scenarios. The Prolog-based system employs known vulnerability databases and an anti-forensic database that will eventually be extended to a standardized database like the NIST National Vulnerability Database. The system, which is designed for network forensic analysis, reduces the time and effort required to reach definite conclusions about how network attacks occurred.

Keywords

Network forensics network attacks evidence graph admissibility 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Changwei Liu
    • 1
  • Anoop Singhal
    • 2
  • Duminda Wijesekera
    • 1
  1. 1.Computer ScienceGeorge Mason UniversityFairfaxUSA
  2. 2.Computer Security DivisionNational Institute of Standards and TechnologyGaithersburgUSA

Personalised recommendations