A Probabilistic Network Forensic Model for Evidence Analysis

Abstract: Modern-day attackers use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their traces. Because of the limitations of current intrusion detection systems and forensic analysis tools, the evidence they produce is often incomplete or contains false positives. Additionally, given the large number of security events, discovering an attack pattern is much like finding a needle in a haystack. Consequently, reconstructing attack scenarios and holding attackers accountable for their activities are major challenges. This chapter describes a probabilistic model that applies Bayesian networks to construct evidence graphs. The model helps address the problems posed by false positive errors, analyze the reasons for missing evidence, and compute the posterior probabilities and false positive rates of attack scenarios constructed from the available evidence. A companion software tool for network forensic analysis was used in conjunction with the probabilistic model. The tool, which is written in Prolog, leverages vulnerability databases and an anti-forensic database similar to the NIST National Vulnerability Database (NVD). The experimental results demonstrate that the model is useful for constructing the most likely attack scenarios and for managing errors encountered in network forensic analysis.
Document type: Conference papers

Cited literature: 12 references

https://hal.inria.fr/hal-01758685
Contributor: Hal Ifip
Submitted on: Wednesday, April 4, 2018 - 4:48:12 PM
Last modification on: Wednesday, April 4, 2018 - 4:55:46 PM

File: 431606_1_En_10_Chapter.pdf (files produced by the author(s))

Licence: Distributed under a Creative Commons Attribution 4.0 International License

Identifiers: hal-01758685; DOI 10.1007/978-3-319-46279-0_10
Citation: Changwei Liu, Anoop Singhal, Duminda Wijesekera. A Probabilistic Network Forensic Model for Evidence Analysis. 12th IFIP International Conference on Digital Forensics (DF), Jan 2016, New Delhi, India. pp.189-210, ⟨10.1007/978-3-319-46279-0_10⟩. ⟨hal-01758685⟩

Metrics
Record views: 138
Files downloads: 172