Creating Integrated Evidence Graphs for Network Forensics

  • Changwei Liu
  • Anoop Singhal
  • Duminda Wijesekera
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 410)


Probabilistic evidence graphs can be used to model network intrusion evidence and the underlying dependencies to support network forensic analysis. The graphs provide a means for linking the probabilities associated with different attack paths with the available evidence. However, current work focused on evidence graphs assumes that all the available evidence can be expressed using a single, small evidence graph. This paper presents an algorithm for merging evidence graphs with or without a corresponding attack graph. The application of the algorithm to a file server and database server attack scenario yields an integrated evidence graph that shows the global scope of the attack. The global graph provides a broader context and better understandability than multiple local evidence graphs.


Network forensics probabilistic evidence graphs attack graphs 


  1. 1.
    P. Ammann, D. Wijesekera and S. Kaushik, Scalable, graph-based network vulnerability analysis, Proceedings of the Ninth ACM Conference on Computer and Communications Security, pp. 217–224, 2002.CrossRefGoogle Scholar
  2. 2.
    T. Cormen, C. Leiserson, R. Rivest and C. Stein, Introduction to Algorithms, MIT Press, Cambridge, Massachusetts, 2009.zbMATHGoogle Scholar
  3. 3.
    J. Homer, A. Varikuti, X. Ou and M. McQueen, Improving attack graph visualization through data reduction and attack grouping, Proceedings of the Fifth International Workshop on Visualization for Cyber Security, pp. 68–79, 2008.CrossRefGoogle Scholar
  4. 4.
    K. Ingols, R. Lippmann and K. Piwowarski, Practical attack graph generation for network defense, Proceedings of the Twenty-Second Annual Computer Security Applications Conference, pp. 121–130, 2006.Google Scholar
  5. 5.
    S. Jha, O. Sheyner and J. Wing, Two formal analyses of attack graphs, Proceedings of the Fifteenth Computer Security Foundations Workshop, p. 49, 2002.Google Scholar
  6. 6.
    C. Liu, A. Singhal and D. Wijesekera, Mapping evidence graphs to attack graphs, Proceedings of the IEEE International Workshop on Information Forensics and Security, pp. 121–126, 2012.Google Scholar
  7. 7.
    V. Mehta, C. Bartzis, H. Zhu, E. Clarke and J. Wing, Ranking attack graphs, Proceedings of the Ninth International Conference on Recent Advances in Intrusion Detection, pp. 127–144, 2006.CrossRefGoogle Scholar
  8. 8.
    National Institute of Standards and Technology, National Vulnerability Database, Version 2.2, Gaithersburg, Maryland (
  9. 9.
    X. Ou, W. Boyer and M. McQueen, A scalable approach to attack graph generation, Proceedings of the Thirteenth ACM Conference on Computer and Communications Security, pp. 336–345, 2006.Google Scholar
  10. 10.
    O. Sheyner, J. Haines, S. Jha, R. Lippmann and J. Wing, Automated generation and analysis of attack graphs, Proceedings of the IEEE Symposium on Security and Privacy, pp. 273–284, 2002.Google Scholar
  11. 11.
    A. Singhal and X. Ou, Security Risk Analysis of Enterprise Networks using Probabilistic Attack Graphs, NIST Interagency Report 7788, National Institute of Standards and Technology, Gaithersburg, Maryland, 2011.Google Scholar
  12. 12.
    L. Wang, T. Islam, T. Long, A. Singhal and S. Jajodia, An attack graph based probabilistic security metric, Proceedings of the Twenty-Second Annual IFIP WG 11.3 Conference on Data and Applications Security, pp. 283–296, 2008.Google Scholar
  13. 13.
    W. Wang and T. Daniels, A graph based approach toward network forensic analysis, ACM Transactions on Information and Systems Security, vol. 12(1), article no. 4, 2008. Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Changwei Liu
    • 1
  • Anoop Singhal
    • 2
  • Duminda Wijesekera
    • 3
  1. 1.Indiana University-Purdue University Fort WayneFort WayneUSA
  2. 2.Computer Security DivisionNational Institute of Standards and TechnologyGaithersburgUSA
  3. 3.George Mason UniversityFairfaxUSA

Personalised recommendations