A Layered Graphical Model for Cloud Forensic Mission Attack Impact Analysis

  • Changwei LiuEmail author
  • Anoop Singhal
  • Duminda Wijesekera
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 532)


Cyber attacks on the systems that support an enterprise’s mission can significantly impact its objectives. This chapter describes a layered graphical model designed to support forensic investigations by quantifying the mission impacts of cyber attacks. The model has three layers: (i) an upper layer that models operational tasks and their interdependencies that fulfill mission objectives; (ii) a middle layer that reconstructs attack scenarios based on the interrelationships of the available evidence; and (iii) a lower level that uses system calls executed in upper layer tasks in order to reconstruct missing attack steps when evidence is missing. The graphs constructed from the three layers are employed to compute the impacts of attacks on enterprise missions. The National Vulnerability Database – Common Vulnerability Scoring System scores and forensic investigator estimates are used to compute the mission impacts. A case study is presented to demonstrate the utility of the graphical model.


Mission attack impact cloud forensic analysis layered graphical model 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    L. Herbert, Specification, Verification and Optimization of Business Processes: A Unified Framework, Ph.D. Dissertation, Department of Applied Mathematics and Computer Science, Technical University of Denmark, Kongens Lyngby, Denmark, 2014.Google Scholar
  2. 2.
    S. Jajodia and S. Noel, Topological vulnerability analysis, in Cyber Situational Awareness, S. Jajodia, P. Liu, V. Swarup and C. Wang (Eds.), Springer, Boston, Massachusetts, pp. 139–154, 2010.Google Scholar
  3. 3.
    C. Liu, A. Singhal and D. Wijesekera, Mapping evidence graphs to attack graphs, Proceedings of the IEEE International Workshop on Information Forensics and Security, pp. 121–126, 2012.Google Scholar
  4. 4.
    C. Liu, A. Singhal and D. Wijesekera, A logic-based network forensic model for evidence analysis, in Advances in Digital Forensics XI, G. Peterson and S. Shenoi (Eds.), Springer, Heidelberg, Germany, pp. 129–145, 2015.Google Scholar
  5. 5.
    C. Liu, A. Singhal and D. Wijesekara, A probabilistic network forensic model for evidence analysis, in Advances in Digital Forensics XII, G. Peterson and S. Shenoi (Eds.), Springer, Heidelberg, Germany, pp. 189–210, 2016.Google Scholar
  6. 6.
    P. Mell and T. Grance, NIST Definition of Cloud Computing, NIST Special Publication 800-145, National Institute of Standards and Technology, Gaithersburg, Maryland, 2011.Google Scholar
  7. 7.
    S. Musman and A. Temin, A cyber mission impact assessment tool, Proceedings of the IEEE International Symposium on Technologies for Homeland Security, 2015.Google Scholar
  8. 8.
    National Institute of Standards and Technology, National Vulnerability Database, Gaithersburg, Maryland (, 2018.
  9. 9.
    S. Noel, J. Ludwig, P. Jain, D. Johnson, R. Thomas, J. McFarland, B. King, S. Webster and B. Tello, Analyzing mission impacts of cyber actions (AMICA), Proceedings of the NATO IST-128 Workshop: Assessing Mission Impact of Cyberattacks, pp. 80–86, 2015.Google Scholar
  10. 10.
    OpenStack Foundation, Software, Austin, Texas (, 2018.
  11. 11.
    X. Ou, S. Govindavajhala and A. Appel, MulVAL: A logic-based network security analyzer, Proceedings of the Fourteenth USENIX Security Symposium, 2005.Google Scholar
  12. 12.
    K. Ruan, J. Carthy, T. Kechadi and M. Crosbie, Cloud forensics, in Advances in Digital Forensics V, G. Peterson and S. Shenoi (Eds.), Springer, Heidelberg, Germany, pp. 35–46, 2011.Google Scholar
  13. 13.
    M. Saudi, An Overview of a Disk Imaging Tool in Computer Forensics, InfoSec Reading Room, SANS Institute, Bethesda, Maryland, 2001.Google Scholar
  14. 14.
    X. Sun, J. Dai, P. Liu, A. Singhal and J. Yen, Towards probabilistic identification of zero-day attack paths, Proceedings of the IEEE Conference on Communications and Network Security, pp. 64–72, 2016.Google Scholar
  15. 15.
    X. Sun, A. Singhal and P. Liu, Towards actionable mission impact assessment in the context of cloud computing, in Data and Applications Security and Privacy XXXI, G. Livraga and S. Zhu (Eds), Springer International, Cham, Switzerland, pp. 259–274, 2017.Google Scholar
  16. 16.
    Y. Sun, T. Wu, X. Liu and M. Obaidat, Multilayered impact evaluation model for attacking missions, IEEE Systems Journal, vol. 10(4), pp. 1304–1315, 2016.Google Scholar
  17. 17.
    W. Wang and T. Daniels, A graph based approach toward network forensic analysis, ACM Transactions on Information and Systems Security, vol. 12(1), article no. 4, 2008.Google Scholar
  18. 18.
    Y. Yarom and K. Falkner, FLUSH+RELOAD: A high resolution, low noise, L3 cache side-channel attack, Proceedings of the Twenty-Third USENIX Security Symposium, pp. 719–732, 2014.Google Scholar
  19. 19.
    Y. Zhang, A. Juels, M. Reiter and T. Ristenpart, Cross-VM side channels and their use to extract private keys, Proceedings of the ACM Conference on Computer and Communications Security, pp. 305–316, 2012.Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  • Changwei Liu
    • 1
    Email author
  • Anoop Singhal
    • 2
  • Duminda Wijesekera
    • 1
  1. 1.George Mason UniversityFairfaxUSA
  2. 2.National Institute of Standards and TechnologyGaithersburgUSA

Personalised recommendations