Creating Integrated Evidence Graphs for Network Forensics
Probabilistic evidence graphs can be used to model network intrusion evidence and the dependencies among evidence items in order to support network forensic analysis. The graphs link the probabilities associated with different attack paths to the available evidence. However, current work on evidence graphs assumes that all the available evidence can be expressed in a single, small evidence graph. This paper presents an algorithm for merging evidence graphs, with or without a corresponding attack graph. Applying the algorithm to a file server and database server attack scenario yields an integrated evidence graph that shows the global scope of the attack. The global graph provides broader context and is easier to understand than multiple local evidence graphs.
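To make the idea of an integrated evidence graph concrete, the following Python example (added here; it is not the paper's merging algorithm and none of its code comes from the paper) builds two small local evidence graphs, one for a file server investigation and one for a database server investigation, merges them on shared nodes, and enumerates attack paths through the merged graph. The node names, hosts, evidence descriptions and edge probabilities are constructed for illustration, the rule that a shared edge keeps the higher probability is an assumption, and treating a path's probability as the product of its edge probabilities assumes independent edges. The point it demonstrates is the abstract's claim about scope: neither local graph alone contains a path from the external attacker to data exfiltration, while the merged graph does.

```python
"""Toy illustration of merging local evidence graphs into one integrated graph.
Constructed example; not the paper's algorithm, data or notation."""
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Tuple

Edge = Tuple[str, str]


@dataclass
class EvidenceGraph:
    # node id -> descriptive attributes (host, evidence item)
    nodes: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # (src, dst) -> probability that the state at src explains the evidence at dst
    # (assumed edge semantics for this example)
    edges: Dict[Edge, float] = field(default_factory=dict)


def merge_evidence_graphs(graphs: List[EvidenceGraph]) -> EvidenceGraph:
    """Union of nodes and edges. Nodes with the same id are treated as the same
    forensic entity (e.g. the same compromised host). When two local graphs both
    carry an edge, the higher probability is kept (assumption for this example)."""
    merged = EvidenceGraph()
    for g in graphs:
        for node_id, attrs in g.nodes.items():
            merged.nodes.setdefault(node_id, {}).update(attrs)
        for edge, p in g.edges.items():
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"probability out of range on edge {edge}: {p}")
            merged.edges[edge] = max(p, merged.edges.get(edge, 0.0))
    return merged


def attack_paths(graph: EvidenceGraph, start: str, goal: str) -> List[Tuple[List[str], float]]:
    """Enumerate simple paths from start to goal. A path's probability is the
    product of its edge probabilities (independence assumed)."""
    successors: Dict[str, List[Tuple[str, float]]] = {}
    for (src, dst), p in graph.edges.items():
        successors.setdefault(src, []).append((dst, p))

    results: List[Tuple[List[str], float]] = []

    def walk(node: str, path: List[str], probs: List[float]) -> None:
        if node == goal:
            results.append((list(path), prod(probs)))
            return
        for nxt, p in successors.get(node, []):
            if nxt in path:  # skip cycles; only simple paths are reported
                continue
            path.append(nxt)
            probs.append(p)
            walk(nxt, path, probs)
            path.pop()
            probs.pop()

    walk(start, [start], [])
    return results


# Constructed local graph from the file server investigation.
FILE_SERVER_GRAPH = EvidenceGraph(
    nodes={
        "attacker": {"host": "external"},
        "fs_exploit": {"host": "fileserver", "evidence": "IDS alert on service port"},
        "fs_root": {"host": "fileserver", "evidence": "unexpected privileged shell"},
    },
    edges={("attacker", "fs_exploit"): 0.9, ("fs_exploit", "fs_root"): 0.8},
)

# Constructed local graph from the database server investigation. It overlaps
# the file server graph on fs_exploit and fs_root, and scores the shared edge
# lower because that investigator had less corroborating evidence for it.
DB_SERVER_GRAPH = EvidenceGraph(
    nodes={
        "fs_exploit": {"host": "fileserver"},
        "fs_root": {"host": "fileserver"},
        "db_anomaly": {"host": "dbserver", "evidence": "bulk SELECT from fileserver IP"},
        "db_exfil": {"host": "dbserver", "evidence": "large outbound transfer"},
    },
    edges={
        ("fs_exploit", "fs_root"): 0.7,
        ("fs_root", "db_anomaly"): 0.7,
        ("db_anomaly", "db_exfil"): 0.6,
    },
)


def integrated_graph() -> EvidenceGraph:
    return merge_evidence_graphs([FILE_SERVER_GRAPH, DB_SERVER_GRAPH])


if __name__ == "__main__":
    merged = integrated_graph()
    for path, p in attack_paths(merged, "attacker", "db_exfil"):
        print(" -> ".join(path), f"p={p:.4f}")
```

Running the module prints the single end-to-end path attacker -> fs_exploit -> fs_root -> db_anomaly -> db_exfil with its probability; querying either local graph for the same start and goal returns no path, which is the loss of context the abstract attributes to keeping evidence in separate local graphs.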
Keywords: Network forensics, probabilistic evidence graphs, attack graphs