A Probabilistic Network Forensic Model for Evidence Analysis

Abstract: Modern-day attackers use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their attack traces. Due to the limitations of current intrusion detection systems and forensic analysis tools, evidence often contains false positive errors or is incomplete. Additionally, because of the large number of security events, discovering an attack pattern is much like finding a needle in a haystack. Consequently, reconstructing attack scenarios and holding attackers accountable for their activities are major challenges. This chapter describes a probabilistic model that applies Bayesian networks to construct evidence graphs. The model helps address the problems posed by false positive errors, analyze the reasons for missing evidence, and compute the posterior probabilities and false positive rates of attack scenarios constructed from the available evidence. A companion software tool for network forensic analysis was used in conjunction with the probabilistic model. The tool, which is written in Prolog, leverages vulnerability databases and an anti-forensic database similar to the NIST National Vulnerability Database (NVD). The experimental results demonstrate that the model is useful for constructing the most likely attack scenarios and for managing errors encountered in network forensic analysis.
Document type: Conference papers

Cited literature: 12 references

Contributor: Hal Ifip
Submitted on: Wednesday, April 4, 2018 - 4:48:12 PM
Last modification on: Wednesday, April 4, 2018 - 4:55:46 PM


Distributed under a Creative Commons Attribution 4.0 International License



Changwei Liu, Anoop Singhal, Duminda Wijesekera. A Probabilistic Network Forensic Model for Evidence Analysis. 12th IFIP International Conference on Digital Forensics (DF), Jan 2016, New Delhi, India. pp.189-210, ⟨10.1007/978-3-319-46279-0_10⟩. ⟨hal-01758685⟩