A Probabilistic Network Forensic Model for Evidence Analysis

  • Changwei Liu
  • Anoop Singhal
  • Duminda Wijesekera
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 484)


Modern-day attackers use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their attack traces. Due to the limitations of current intrusion detection systems and forensic analysis tools, evidence often has false positive errors or is incomplete. Additionally, because of the large number of security events, discovering an attack pattern is much like finding a needle in a haystack. Consequently, reconstructing attack scenarios and holding attackers accountable for their activities are major challenges.

This chapter describes a probabilistic model that applies Bayesian networks to construct evidence graphs. The model helps address the problems posed by false positive errors, analyze the reasons for missing evidence and compute the posterior probabilities and false positive rates of attack scenarios constructed using the available evidence. A companion software tool for network forensic analysis was used in conjunction with the probabilistic model. The tool, which is written in Prolog, leverages vulnerability databases and an anti-forensic database similar to the NIST National Vulnerability Database (NVD). The experimental results demonstrate that the model is useful for constructing the most-likely attack scenarios and for managing errors encountered in network forensic analysis.


Keywords: Network forensics; Logical evidence graphs; Bayesian networks





Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  • Changwei Liu (1)
  • Anoop Singhal (2)
  • Duminda Wijesekera (1)

  1. Department of Computer Science, George Mason University, Fairfax, USA
  2. Computer Security Division, National Institute of Standards and Technology, Gaithersburg, USA
