Skip to main content

A Probabilistic Network Forensic Model for Evidence Analysis

Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT,volume 484)


Modern-day attackers use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their attack traces. Due to the limitations of current intrusion detection systems and forensic analysis tools, evidence often has false positive errors or is incomplete. Additionally, because of the large number of security events, discovering an attack pattern is much like finding a needle in a haystack. Consequently, reconstructing attack scenarios and holding attackers accountable for their activities are major challenges.

This chapter describes a probabilistic model that applies Bayesian networks to construct evidence graphs. The model helps address the problems posed by false positive errors, analyze the reasons for missing evidence and compute the posterior probabilities and false positive rates of attack scenarios constructed using the available evidence. A companion software tool for network forensic analysis was used in conjunction with the probabilistic model. The tool, which is written in Prolog, leverages vulnerability databases and an anti-forensic database similar to the NIST National Vulnerability Database (NVD). The experimental results demonstrate that the model is useful for constructing the most-likely attack scenarios and for managing errors encountered in network forensic analysis.


  • Network forensics
  • Logical evidence graphs
  • Bayesian networks


  1. Argus Cyber Security Lab, MulVAL: A Logic-Based Enterprise Network Security Analyzer. Department of Computer Science and Engineering, University of South Florida, Tampa, Florida (2016).

  2. Carrier, B.: A Hypothesis-Based Approach to Digital Forensic Investigations, Ph.D. Thesis, Department of Computer Science, CERIAS Tech Report 2006–06, Center for Education and Research in Information Assurance and Security, Purdue University, West Lafayette, Indiana (2006)

    Google Scholar 

  3. Darwiche, A.: Modeling and Reasoning with Bayesian Networks. Cambridge University Press, Cambridge (2009)

    CrossRef  MATH  Google Scholar 

  4. Fenton, N., Neil, M., Lagnado, D.: A general structure for legal arguments about evidence using Bayesian networks. Cognitive Science 37(1), 61–102 (2013)

    CrossRef  Google Scholar 

  5. Kwan, M., Chow, K.-P., Law, F., Lai, P.: Reasoning about evidence using Bayesian networks. In: Ray, I., Shenoi, S. (eds.) DigitalForensics 2008. ITIFIP, vol. 285, pp. 275–289. Springer, Heidelberg (2008). doi:10.1007/978-0-387-84927-0_22

    CrossRef  Google Scholar 

  6. Liu, C., Singhal, A., Wijesekara, D.: A logic-based network forensic model for evidence analysis. In: Peterson, G., Shenoi, S. (eds.) Advances in Digital Forensics XI. IFIP, vol. 462, pp. 129–145. Springer, Heidelberg (2015)

    CrossRef  Google Scholar 

  7. Liu, Y., Man, H.: Network vulnerability assessment using Bayesian networks. Proceedings of SPIE 5812, 61–71 (2005)

    CrossRef  Google Scholar 

  8. MITRE, Common Vulnerabilities and Exposures, Bedford, Massachusetts (2016).

  9. Olshausen, B.: Bayesian Probability Theory, Redwood Center for Theoretical Neuroscience. Helen Wills Neuroscience Institute, University of California at Berkeley, Berkeley, California (2004)

    Google Scholar 

  10. Ou, X., Boyer, W., McQueen, M.: A scalable approach to attack graph generation. In: Proceedings of the Thirteenth ACM Conference on Computer and Communications Security, pp. 336–345 (2006)

    Google Scholar 

  11. Pearl, J.: Fusion, propagation and structuring in belief networks. Artificial Intelligence 29(3), 241–288 (1986)

    MathSciNet  CrossRef  MATH  Google Scholar 

  12. Taroni, F., Biedermann, A., Garbolino, P., Aitken, C.: A general approach to Bayesian networks for the interpretation of evidence. Forensic Science International 139(1), 5–16 (2004)

    CrossRef  Google Scholar 

  13. Taroni, F., Bozza, S., Biedermann, A., Garbolino, G., Aitken, C.: Data Analysis in Forensic Science: A Bayesian Decision Perspective. John Wiley and Sons, Chichester (2010)

    CrossRef  MATH  Google Scholar 

  14. Vlek, C., Prakken, H., Renooij, S., Verheij, B.: Modeling crime scenarios in a Bayesian network. In: Proceedings of the Fourteenth International Conference on Artificial Intelligence and Law, pp. 150–159 (2013)

    Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Changwei Liu .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2016 IFIP International Federation for Information Processing

About this paper

Cite this paper

Liu, C., Singhal, A., Wijesekera, D. (2016). A Probabilistic Network Forensic Model for Evidence Analysis. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XII. DigitalForensics 2016. IFIP Advances in Information and Communication Technology, vol 484. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46278-3

  • Online ISBN: 978-3-319-46279-0

  • eBook Packages: Computer ScienceComputer Science (R0)