Paper Info
Title
A Logic-Based Network Forensic Model for Evidence Analysis.
Abstract
Many attackers tend to use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their traces. Due to the limitations of current intrusion detection and network forensic analysis tools, reconstructing attack scenarios from evidence left behind by attackers of enterprise systems is challenging. In particular, reconstructing attack scenarios using intrusion detection system alerts and system logs that have too many false positives is a big challenge. This chapter presents a model and an accompanying software tool that systematically addresses the reconstruction of attack scenarios in a manner that could stand up in court. The problems faced in such reconstructions include large amounts of data (including irrelevant data), missing evidence and evidence corrupted or destroyed by anti-forensic techniques. The model addresses these problems using various methods, including mapping evidence to system vulnerabilities, inductive reasoning and abductive reasoning, to reconstruct attack scenarios. The Prolog-based system employs known vulnerability databases and an anti-forensic database that will eventually be extended to a standardized database like the NIST National Vulnerability Database. The system, which is designed for network forensic analysis, reduces the time and effort required to reach definite conclusions about how network attacks occurred.
Year
DOI
Venue
2015
10.1007/978-3-319-24123-4_8
ADVANCES IN DIGITAL FORENSICS XI
Keywords
Field
DocType
Network forensics,network attacks,evidence graph,admissibility
Analysis tools,Enterprise system,Network forensics,Computer security,Computer science,Intrusion detection system,False positive paradox
Conference
Volume
ISSN
Citations 
462
1868-4238
6
PageRank 
References 
Authors
0.59
8
3
Name
Order
Citations
PageRank
Changwei Liu1416.92
Anoop Singhal2576168.78
Duminda Wijesekera31464141.54