Abstract
In this article we develop a novel graph-based approach to network forensics analysis. Central to the approach is the evidence graph model, which supports both evidence presentation and automated reasoning. On top of the evidence graph we propose a hierarchical reasoning framework with two levels. Local reasoning infers the functional state of each network entity from the evidence observed at that entity. Global reasoning identifies the important entities from the graph structure and extracts groups of densely correlated participants in the attack scenario. The article also presents a framework for interactive hypothesis testing, which helps to recover the attacker's non-explicit attack activities from secondary evidence. We developed a prototype system that implements these techniques. Experimental results on several attack datasets show that the analysis achieves good coverage and accuracy in attack group and scenario extraction with less dependence on hard-coded expert knowledge.
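The two-level reasoning the abstract describes, as an added illustration that is not the paper's own code: an evidence graph is built from alert-like observations, local reasoning labels each host from its own incident edges, global reasoning ranks hosts by weighted degree and extracts densely connected groups, and a hypothesis-testing step pulls in secondary evidence (flow records) for a gap the primary evidence leaves. The hosts, observation types, confidence values, state rules, the weighted-degree importance measure, the connected-component grouping and the flow-based check are all simplifications assumed for this example; the paper's actual reasoning models and algorithms are not given on this page.

```python
from collections import defaultdict

# Constructed sample evidence (not from any real dataset). Each item is
# (source host, target host, observation, confidence in [0, 1]); in practice
# these would be IDS alerts and flow summaries.
EVIDENCE = [
    ("10.0.0.5", "10.0.0.7", "portscan", 0.4),
    ("10.0.0.5", "10.0.0.7", "buffer_overflow", 0.8),
    ("10.0.0.7", "10.0.0.9", "portscan", 0.5),
    ("10.0.0.7", "10.0.0.9", "buffer_overflow", 0.7),
    ("10.0.0.9", "172.16.0.1", "ddos_flood", 0.9),
    ("10.0.0.2", "10.0.0.3", "portscan", 0.2),  # low-confidence, unrelated noise
]
# Constructed secondary evidence: flow records (src, dst) that raised no alert.
FLOWS = [("192.168.1.4", "10.0.0.5"), ("10.0.0.5", "10.0.0.7"), ("10.0.0.7", "10.0.0.9")]
# Assumed observation classes used by the local-reasoning rules below.
COMPROMISE = {"buffer_overflow"}
IMPACT = {"ddos_flood"}

def build_evidence_graph(evidence):
    """Node = host, directed edge src->dst = list of (observation, confidence)."""
    graph = defaultdict(lambda: defaultdict(list))
    for src, dst, kind, conf in evidence:
        graph[src][dst].append((kind, conf))
        graph[dst]  # touch the target so hosts that only receive evidence are nodes
    return graph

def local_states(graph):
    """Local reasoning: label each host from its own incoming/outgoing evidence."""
    states = {}
    for host in list(graph):
        out_kinds = {k for obs in graph[host].values() for k, _ in obs}
        in_kinds = {k for src in graph for k, _ in graph[src].get(host, [])}
        launches = bool(out_kinds & (COMPROMISE | IMPACT))
        compromised = bool(in_kinds & COMPROMISE)
        if launches and compromised:
            states[host] = "stepping_stone"
        elif launches:
            states[host] = "attacker"
        elif compromised or in_kinds & IMPACT:
            states[host] = "victim"
        elif in_kinds or out_kinds:
            states[host] = "affiliated"  # only reconnaissance seen
        else:
            states[host] = "unknown"
    return states

def importance(graph):
    """Global reasoning, step 1: rank hosts by weighted degree (sum of edge confidences)."""
    score = defaultdict(float)
    for src in graph:
        for dst, obs in graph[src].items():
            weight = sum(conf for _, conf in obs)
            score[src] += weight
            score[dst] += weight
    return {host: round(value, 3) for host, value in score.items()}

def attack_groups(graph, min_conf=0.3):
    """Global reasoning, step 2: connected components over edges whose strongest
    observation reaches min_conf; weak, isolated edges drop out as noise."""
    neighbours = defaultdict(set)
    for src in graph:
        for dst, obs in graph[src].items():
            if max(conf for _, conf in obs) >= min_conf:
                neighbours[src].add(dst)
                neighbours[dst].add(src)
    seen, groups = set(), []
    for host in graph:
        if host in seen or host not in neighbours:
            continue
        component, stack = set(), [host]
        while stack:
            current = stack.pop()
            if current in component:
                continue
            component.add(current)
            stack.extend(neighbours[current] - component)
        seen |= component
        groups.append(sorted(component))
    return groups

def check_origin_hypothesis(graph, states, flows, conf=0.3):
    """Hypothesis testing: a host that launches attacks with no observed inbound
    compromise is either the true origin or was reached by a step the IDS missed.
    Look in secondary evidence for inbound sessions from hosts outside the graph
    and record them as low-confidence 'suspected_access' edges."""
    added = []
    for host, state in list(states.items()):
        if state != "attacker":
            continue
        for src, dst in flows:
            if dst == host and src not in graph:
                graph[src][host].append(("suspected_access", conf))
                added.append((src, host))
    return added
```

Running `local_states` on the constructed evidence labels 10.0.0.5 an attacker, 10.0.0.7 and 10.0.0.9 stepping stones and 172.16.0.1 a victim; `importance` ranks 10.0.0.7 highest because evidence flows both into and out of it; `attack_groups` returns the four-host chain and leaves the 0.2-confidence scan out. `check_origin_hypothesis` then finds the flow from 192.168.1.4 into the apparent origin, and a second call to `attack_groups` extends the group to five hosts. The threshold and the rule table are the places where, in a real deployment, analyst judgement or learned weights would replace the constants used here.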
A Graph Based Approach Toward Network Forensics Analysis