A Probabilistic Network Forensic Model for Evidence Analysis
Modern-day attackers use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their attack traces. Due to the limitations of current intrusion detection systems and forensic analysis tools, evidence often has false positive errors or is incomplete. Additionally, because of the large number of security events, discovering an attack pattern is much like finding a needle in a haystack. Consequently, reconstructing attack scenarios and holding attackers accountable for their activities are major challenges.
This chapter describes a probabilistic model that applies Bayesian networks to construct evidence graphs. The model helps address the problems posed by false positive errors, analyze the reasons for missing evidence, and compute the posterior probabilities and false positive rates of attack scenarios reconstructed from the available evidence. A companion software tool for network forensic analysis was used in conjunction with the probabilistic model. The tool, written in Prolog, draws on vulnerability databases such as the NIST National Vulnerability Database (NVD) and on an anti-forensic database organized along similar lines. The experimental results demonstrate that the model is useful for constructing the most likely attack scenarios and for managing the errors encountered in network forensic analysis.
Keywords: Network forensics; Logical evidence graphs; Bayesian networks
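To make the inference step concrete, the following is an added worked example; it is not code from the chapter or from its Prolog tool, and every name, prior and rate in it is constructed for illustration. It models a two-step attack chain (a web server exploit that enables a pivot to a database host) as a small Bayesian network, attaches an IDS alert or log entry to each step with an assumed true-positive and false-positive rate, and computes by exact enumeration the posterior probability of the full scenario, the probability that the reconstructed scenario is a false positive, and the most likely assignment of attack steps. Evidence left out of the observation dictionary is treated as missing and marginalised out, which is how the example handles an alert that an anti-forensic tool may have erased.

```python
from itertools import product

# Constructed toy evidence graph for illustration only; not the chapter's model or data.
# Two hidden attack steps form a chain: S1 (web server exploited) enables S2 (pivot to
# the database host). Each step is observed through evidence nodes that carry an
# assumed true-positive rate P(evidence | step) and false-positive rate P(evidence | no step).
PRIOR_S1 = 0.01             # assumed base rate of the first step
P_S2_GIVEN_S1 = 0.5         # assumed: half of web compromises lead to a pivot
P_S2_GIVEN_NOT_S1 = 0.0     # the pivot requires S1 as a logical precondition

# evidence name -> (parent step, true-positive rate, false-positive rate); all assumed
EVIDENCE = {
    "ids_web_exploit":  ("S1", 0.90, 0.05),
    "ids_lateral_move": ("S2", 0.80, 0.10),
    "db_auth_log":      ("S2", 0.60, 0.02),  # low TPR: assumes logs are often wiped
}

STATES = list(product((False, True), repeat=2))   # all (S1, S2) assignments

def joint(s1, s2, observed):
    """Joint probability P(S1=s1, S2=s2, observed evidence).

    `observed` maps evidence names to True/False. Evidence absent from the dict
    is treated as missing and marginalised out, which for a leaf node means it
    contributes a factor of 1.
    """
    p = PRIOR_S1 if s1 else 1.0 - PRIOR_S1
    p_s2 = P_S2_GIVEN_S1 if s1 else P_S2_GIVEN_NOT_S1
    p *= p_s2 if s2 else 1.0 - p_s2
    steps = {"S1": s1, "S2": s2}
    for name, (parent, tpr, fpr) in EVIDENCE.items():
        if name not in observed:
            continue
        p_alert = tpr if steps[parent] else fpr
        p *= p_alert if observed[name] else 1.0 - p_alert
    return p

def posterior(observed):
    """Exact posterior over (S1, S2) by enumerating every hidden assignment."""
    unnormalised = {state: joint(*state, observed) for state in STATES}
    z = sum(unnormalised.values())
    return {state: v / z for state, v in unnormalised.items()}

def scenario_probability(observed, scenario=(True, True)):
    """Posterior probability that the full attack scenario occurred."""
    return posterior(observed)[scenario]

def scenario_false_positive_rate(observed, scenario=(True, True)):
    """Probability that the reconstructed scenario is spurious given the evidence."""
    return 1.0 - scenario_probability(observed, scenario)

def most_likely_scenario(observed):
    """MAP assignment of the attack steps given the evidence."""
    post = posterior(observed)
    return max(post, key=post.get)

if __name__ == "__main__":
    all_alerts = {"ids_web_exploit": True, "ids_lateral_move": True, "db_auth_log": True}
    web_only = {"ids_web_exploit": True}     # the other evidence is missing
    for label, ev in (("all evidence present", all_alerts), ("web alert only", web_only)):
        print(f"{label}: P(S1,S2 | e) = {scenario_probability(ev):.4f}, "
              f"scenario FPR = {scenario_false_positive_rate(ev):.4f}, "
              f"MAP = {most_likely_scenario(ev)}")
```

With all three pieces of evidence present the scenario posterior is 20/21, so the chance that the chain is a false positive is under 5%; with only the web exploit alert, the posterior falls to 1/13 and the most likely explanation is that no attack occurred at all, which is the "needle in a haystack" effect of a low prior combined with a non-zero alert false-positive rate. A real evidence graph would have many more steps and evidence nodes, and exact enumeration grows exponentially in the number of hidden steps, so a production tool would use a proper Bayesian network library with variable elimination or sampling instead.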