
A Graph Based Approach Toward Network Forensics Analysis

Published: 01 October 2008

Abstract

In this article we develop a novel graph-based approach toward network forensics analysis. Central to our approach is the evidence graph model that facilitates evidence presentation and automated reasoning. Based on the evidence graph, we propose a hierarchical reasoning framework that consists of two levels. Local reasoning aims to infer the functional states of network entities from local observations. Global reasoning aims to identify important entities from the graph structure and extract groups of densely correlated participants in the attack scenario. This article also presents a framework for interactive hypothesis testing, which helps to identify the attacker's nonexplicit attack activities from secondary evidence. We developed a prototype system that implements the techniques discussed. Experimental results on various attack datasets demonstrate that our analysis mechanism achieves good coverage and accuracy in attack group and scenario extraction with less dependence on hard-coded expert knowledge.
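As an added illustration of the abstract's evidence-graph and two-level reasoning idea (example code written for this page, not the authors' prototype): alerts are aggregated into a host-to-host evidence graph, local reasoning assigns each host a role from its own incoming and outgoing evidence, and global reasoning ranks hosts by the evidence weight touching them and extracts groups of hosts linked by evidence edges. The alert records, host addresses and crisp role rules are constructed assumptions; the paper's fuzzy inference and clustering algorithms are replaced by simple stand-ins.

```python
"""Added illustration (not the paper's prototype): a minimal evidence graph built
from constructed IDS alerts, with a simple two-level reasoning pass over it."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts: (timestamp, source host, destination host, alert type).
# Addresses and alert types are made up for this example, not taken from any dataset.
SAMPLE_ALERTS = [
    (1, "10.0.0.5", "10.0.1.10", "portscan"),
    (2, "10.0.0.5", "10.0.1.10", "portscan"),
    (3, "10.0.0.5", "10.0.1.10", "exploit"),
    (4, "10.0.1.10", "10.0.1.11", "exploit"),
    (5, "10.0.1.10", "10.0.1.12", "exploit"),
    (6, "10.0.1.11", "10.0.1.12", "ddos"),
    (7, "10.0.9.9", "10.0.9.8", "portscan"),
]


@dataclass
class EvidenceGraph:
    # edges[(src, dst)] -> {alert_type: count}: evidence aggregated per host pair,
    # which is the volume/redundancy reduction step in its simplest form.
    edges: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))
    hosts: set = field(default_factory=set)

    def add_alert(self, ts, src, dst, kind):
        self.hosts.update((src, dst))
        self.edges[(src, dst)][kind] += 1

    def out_weight(self, h):
        return sum(sum(c.values()) for (s, _), c in self.edges.items() if s == h)

    def in_weight(self, h):
        return sum(sum(c.values()) for (_, d), c in self.edges.items() if d == h)


def build_graph(alerts):
    g = EvidenceGraph()
    for a in alerts:
        g.add_alert(*a)
    return g


def local_reasoning(g):
    """Local level: infer each host's functional state from its own evidence.
    Crisp stand-in for the paper's fuzzy inference (assumed rules, not theirs)."""
    states = {}
    for h in g.hosts:
        out_w, in_w = g.out_weight(h), g.in_weight(h)
        if out_w and in_w:
            states[h] = "stepping_stone"   # both attacked and attacking
        elif out_w:
            states[h] = "attacker"
        elif in_w:
            states[h] = "victim"
        else:
            states[h] = "unknown"
    return states


def importance(g):
    """Global level, step 1: rank hosts by total evidence weight touching them."""
    return {h: g.out_weight(h) + g.in_weight(h) for h in g.hosts}


def attack_groups(g, min_size=2):
    """Global level, step 2: groups of hosts linked by evidence edges (weakly
    connected components, a stand-in for the paper's clustering), largest first."""
    adj = defaultdict(set)
    for s, d in g.edges:
        adj[s].add(d)
        adj[d].add(s)
    seen, groups = set(), []
    for h in sorted(g.hosts):
        if h in seen:
            continue
        stack, comp = [h], set()
        while stack:
            x = stack.pop()
            if x in comp:
                continue
            comp.add(x)
            stack.extend(adj[x] - comp)
        seen |= comp
        if len(comp) >= min_size:
            groups.append(sorted(comp))
    return sorted(groups, key=len, reverse=True)


if __name__ == "__main__":
    graph = build_graph(SAMPLE_ALERTS)
    print("host states:", local_reasoning(graph))
    print("importance:", importance(graph))
    print("attack groups:", attack_groups(graph))
```

On the constructed alerts this separates the multi-stage scenario (scanner, compromised stepping stones, final victim) from the unrelated scan in the second group, and ranks the compromised pivot host highest because evidence both enters and leaves it.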


      Reviews

      Amos O Olagunju

Wang and Daniels present a prototype network forensics analysis approach, with "a flexible preprocessing mechanism ... to reduce the volume and redundancy in collected intrusion evidence." They offer a novel graph-based model to facilitate effective presentation and interaction with intrusion evidence, and a hierarchical reasoning framework to automatically send notification of attacks and reconstruct them. The functionality of the network forensics analysis mechanism includes the collection of intrusion evidence from host computers and networks, and the parsing of intrusion evidence into aggregates. The authors propose a two-level hierarchical reasoning framework. The local-level reasoning is predicated on fuzzy logic and makes use of local evidence data to deduce the serviceable states of network entities. The global-level reasoning uses an analytical graph structure and clustering algorithms to recognize the set of vastly interrelated hosts, using the evidence graph of an observed intrusion to discern the potential members of an attack group. The authors implement a prototype system to validate the proposed network forensics analysis mechanism. They perform experiments with traces of multiphase attack scenarios and public intrusion detection datasets, to evaluate the accuracy of the graph-based network forensics analysis mechanism. Unfortunately, the automatic evaluation of the reliability of hypotheses in the network forensics analysis mechanism is tricky, as the process relies heavily on professional knowledge. Even so, the paper offers insights into the complex issues of practical network forensics.

      Online Computing Reviews Service


Published in

        ACM Transactions on Information and System Security, Volume 12, Issue 1
        October 2008
        230 pages
        ISSN: 1094-9224
        EISSN: 1557-7406
        DOI: 10.1145/1410234

        Copyright © 2008 ACM

Publisher

        Association for Computing Machinery, New York, NY, United States

        Publication History

        • Published: 1 October 2008
        • Accepted: 1 May 2008
        • Revised: 1 August 2007
        • Received: 1 June 2006

        Qualifiers

        • research-article
        • Research
        • Refereed