A Layered Graphical Model for Cloud Forensic Mission Attack Impact Analysis
Cyber attacks on the systems that support an enterprise's mission can significantly impact its objectives. This chapter describes a layered graphical model designed to support forensic investigations by quantifying the mission impacts of cyber attacks. The model has three layers: (i) an upper layer that models the operational tasks, and the interdependencies among them, that fulfill mission objectives; (ii) a middle layer that reconstructs attack scenarios from the interrelationships of the available evidence; and (iii) a lower layer that uses the system calls executed by upper-layer tasks to reconstruct attack steps for which evidence is missing. The graphs constructed from the three layers are employed to compute the impacts of attacks on enterprise missions. Common Vulnerability Scoring System (CVSS) scores from the National Vulnerability Database, together with forensic investigator estimates, are used to compute the mission impacts. A case study is presented to demonstrate the utility of the graphical model.
Keywords: Mission attack impact, cloud forensic analysis, layered graphical model
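The abstract states that the task-dependency graph, the evidence-derived attack steps, CVSS scores and investigator estimates are combined into a mission impact figure. The following is an added example, not the chapter's own code or method: it models the upper layer as weighted tasks bound to hosts, the middle layer as evidence-derived attack steps against those hosts, and combines them with an assumed scheme (CVSS base score divided by 10 as compromise likelihood, scaled by the investigator's confidence in the evidence, and noisy-OR propagation along task dependencies). The task names, hosts, weights, scores and confidences are constructed sample values.

```python
"""Illustrative mission-impact computation over a two-layer task/attack graph.

Added example, not the chapter's code. Assumptions (all constructed):
  * upper layer : mission tasks, each bound to one host and weighted by an
                  investigator estimate of its importance (0..1);
  * middle layer: evidence-derived attack steps, each naming the host it
                  compromised, the CVSS base score of the exploited
                  vulnerability (0..10) and the investigator's confidence
                  in that piece of evidence (0..1);
  * combination : CVSS/10 * confidence as the per-step compromise
                  likelihood, noisy-OR across steps on one host and across
                  the dependencies of a task.
"""
from dataclasses import dataclass, field
from graphlib import TopologicalSorter


@dataclass
class Task:
    name: str
    host: str
    weight: float                       # investigator estimate, 0..1
    depends_on: list[str] = field(default_factory=list)


@dataclass
class AttackStep:
    host: str
    cvss_base: float                    # NVD CVSS base score, 0..10
    confidence: float = 1.0             # investigator estimate, 0..1


def host_compromise_probability(steps):
    """Noisy-OR of every evidence step recorded against the same host."""
    prob = {}
    for s in steps:
        if not 0.0 <= s.cvss_base <= 10.0:
            raise ValueError(f"CVSS base score out of range: {s.cvss_base}")
        if not 0.0 <= s.confidence <= 1.0:
            raise ValueError(f"confidence out of range: {s.confidence}")
        p_step = (s.cvss_base / 10.0) * s.confidence
        prob[s.host] = 1.0 - (1.0 - prob.get(s.host, 0.0)) * (1.0 - p_step)
    return prob


def task_compromise_probability(tasks, host_prob):
    """Propagate host compromise to tasks, then along dependency edges.

    A task is affected if its own host is compromised or any task it depends
    on is affected. Tasks are visited in topological order; graphlib raises
    CycleError if the dependency graph is not a DAG.
    """
    by_name = {t.name: t for t in tasks}
    for t in tasks:
        unknown = set(t.depends_on) - by_name.keys()
        if unknown:
            raise ValueError(f"task {t.name} depends on unknown tasks {unknown}")
    order = TopologicalSorter({t.name: t.depends_on for t in tasks}).static_order()
    prob = {}
    for name in order:
        t = by_name[name]
        survive = 1.0 - host_prob.get(t.host, 0.0)
        for dep in t.depends_on:
            survive *= 1.0 - prob[dep]
        prob[name] = 1.0 - survive
    return prob


def mission_impact(tasks, steps):
    """Importance-weighted mean of task compromise probabilities (0..1)."""
    host_prob = host_compromise_probability(steps)
    task_prob = task_compromise_probability(tasks, host_prob)
    total_weight = sum(t.weight for t in tasks)
    impact = sum(t.weight * task_prob[t.name] for t in tasks) / total_weight
    return impact, task_prob


# Constructed sample mission: report generation depends on a database query,
# which depends on an authenticated login.
SAMPLE_TASKS = [
    Task("login", host="auth", weight=0.3),
    Task("query", host="db", weight=0.5, depends_on=["login"]),
    Task("report", host="web", weight=0.2, depends_on=["query"]),
]

# Constructed evidence: a high-severity step on the auth host that the
# investigator only half trusts, and a medium-severity step on the db host.
SAMPLE_STEPS = [
    AttackStep(host="auth", cvss_base=8.0, confidence=0.5),
    AttackStep(host="db", cvss_base=5.0, confidence=1.0),
]

if __name__ == "__main__":
    impact, per_task = mission_impact(SAMPLE_TASKS, SAMPLE_STEPS)
    for name, p in per_task.items():
        print(f"{name:8s} compromise probability {p:.2f}")
    print(f"mission impact {impact:.2f}")
```

With the sample data the login task carries 0.4 from its own host, the query task combines its host's 0.5 with the 0.4 inherited from login to give 0.7, and the report task inherits 0.7 through its dependency even though no evidence points at the web host; the weighted impact is 0.61. The lower layer of the abstract (system-call based reconstruction of missing steps) would feed in as additional AttackStep entries with lower confidence.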