Forensic Investigation Framework for Complex Cyber Attack on Cyber Physical System by Using Goals/Sub-goals of an Attack and Epidemics of Malware in a System

  • Shivani Mishra
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 524)


A cyber attack on critical infrastructure differs from an attack on general information and communication systems. Recent cyber attacks on critical infrastructure have been complex cyber attacks (CCA): they are multi-stage, multi-phase and multi-pace. Detecting such attacks remains a challenging problem because they are hard to describe and analyze. In this paper, complex cyber attacks are analyzed and, as a response to the detection of an attack, a forensic investigation framework for CCA is proposed. The paper focuses on a forensic investigation framework for CCA in cyber physical systems, which are large and geographically distributed. A model of the forensic investigation process is proposed that is based on the goals and sub-goals of an attack; this helps to reconstruct the event and to collect data as evidence. Since complex cyber attacks are built from a variety of malware, some of which is self-propagating, an epidemic analysis within the forensic investigation process determines the spread of infection in large infrastructures. Adding the epidemic behavior of malware to the forensic investigation process helps in understanding the dynamics of infection in a large, heterogeneous infrastructure.


Keywords: Critical infrastructure, SCADA, Stuxnet, Malware, Complex cyber attack
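The abstract describes two ingredients of the proposed framework: reconstructing an event from the goals and sub-goals of an attack, and an epidemic analysis of self-propagating malware in a large, heterogeneous infrastructure. The following is an added illustration, not the paper's model or code. Part 1 evaluates a hypothetical goal/sub-goal tree against a constructed set of collected evidence so an investigator can see which sub-goals the evidence supports and where collection is still missing. Part 2 runs a deterministic two-zone SIR epidemic model (enterprise zone, control zone) with a filtered boundary between them and reports the step at which infection plausibly reached the control zone. The tree, indicator names, host counts and rates are all constructed assumptions.

```python
"""Illustration added to this abstract page; it is not the paper's own model or code.
Part 1: an attack described as goals and sub-goals, evaluated against the evidence an
investigator has collected so far.
Part 2: a deterministic two-zone SIR epidemic model of self-propagating malware.
Tree, indicator names, host counts and rates are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Goal:
    name: str
    indicators: Set[str] = field(default_factory=set)   # evidence types that satisfy a leaf
    subgoals: List["Goal"] = field(default_factory=list)
    all_required: bool = True   # True: every sub-goal needed (AND); False: any one (OR)


def goal_satisfied(goal: Goal, evidence: Set[str]) -> bool:
    """A leaf is satisfied if any of its indicator types was collected;
    an inner node combines its sub-goals with AND or OR."""
    if not goal.subgoals:
        return bool(goal.indicators & evidence)
    hits = [goal_satisfied(g, evidence) for g in goal.subgoals]
    return all(hits) if goal.all_required else any(hits)


def reconstruction_report(goal: Goal, evidence: Set[str], depth: int = 0) -> List[Tuple[str, bool]]:
    """Flatten the tree into (indented goal name, satisfied) rows.
    Rows marked False are the sub-goals the current evidence cannot support."""
    rows = [("  " * depth + goal.name, goal_satisfied(goal, evidence))]
    for g in goal.subgoals:
        rows.extend(reconstruction_report(g, evidence, depth + 1))
    return rows


# Hypothetical goal tree (constructed for this example, not taken from the paper).
ATTACK_TREE = Goal("Disrupt physical process", subgoals=[
    Goal("Gain foothold in enterprise zone", all_required=False, subgoals=[
        Goal("Removable-media autorun", {"usb_autorun_event"}),
        Goal("Malicious document", {"malicious_doc_hash"}),
    ]),
    Goal("Reach control zone", all_required=False, subgoals=[
        Goal("Reused credentials across zones", {"cross_zone_logon"}),
        Goal("Compromised engineering workstation", {"eng_ws_artifact"}),
    ]),
    Goal("Modify controller logic", {"plc_logic_change"}),
])

# Constructed evidence set: what the investigator has collected so far (not real data).
COLLECTED = {"usb_autorun_event", "cross_zone_logon"}


def sir_two_zone(beta: List[List[float]], gamma: float, n: List[float],
                 i0: List[float], steps: int, dt: float = 0.1) -> List[Dict[str, List[float]]]:
    """Deterministic SIR over two zones, advanced with Euler steps.
    beta[i][j]: rate at which infected hosts in zone j infect susceptible hosts in zone i;
    a small off-diagonal value models a filtered boundary between the zones.
    Returns the (S, I, R) vectors for every step, step 0 included."""
    s = [n[k] - i0[k] for k in range(2)]
    i = list(i0)
    r = [0.0, 0.0]
    history = [{"S": list(s), "I": list(i), "R": list(r)}]
    for _ in range(steps):
        new_inf = [s[k] * sum(beta[k][j] * i[j] / n[j] for j in range(2)) * dt for k in range(2)]
        rec = [gamma * i[k] * dt for k in range(2)]
        for k in range(2):
            s[k] -= new_inf[k]
            i[k] += new_inf[k] - rec[k]
            r[k] += rec[k]
        history.append({"S": list(s), "I": list(i), "R": list(r)})
    return history


def first_step_reaching(history: List[Dict[str, List[float]]], zone: int, level: float) -> Optional[int]:
    """First step at which the infected count in `zone` is at least `level`;
    a forensic estimate of when that zone was plausibly reached."""
    for step, state in enumerate(history):
        if state["I"][zone] >= level:
            return step
    return None


# Constructed parameters: zone 0 = enterprise (200 hosts), zone 1 = control (50 hosts).
BETA = [[0.5, 0.0],    # enterprise hosts are infected only by other enterprise hosts
        [0.05, 0.3]]   # control hosts: slow infection from enterprise, faster internally
HISTORY = sir_two_zone(BETA, gamma=0.1, n=[200, 50], i0=[1, 0], steps=1000)

if __name__ == "__main__":
    for name, ok in reconstruction_report(ATTACK_TREE, COLLECTED):
        print(f"{'supported' if ok else 'missing  '}  {name}")
    print("control zone reached at step:", first_step_reaching(HISTORY, 1, 1.0))
```

With the constructed evidence, the report shows the foothold and cross-zone goals as supported and the controller-modification goal as missing, which directs further collection toward the controllers. The epidemic part gives an order of infection (enterprise zone first, control zone later) that can be compared against timestamps on the collected artifacts; the filtered boundary is modelled only as a reduced cross-zone rate.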



Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. Motilal Nehru National Institute of Technology Allahabad, Allahabad, India
