NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

A Logic Based Network Forensics Model for Evidence Analysis

Published

Author(s)

Changwei Liu, Anoop Singhal, Duminda Wijesekera

Abstract

Many attackers tend to use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their traces. Due to the limitations of current intrusion detection and network forensic analysis tools, reconstructing attack scenarios from evidence left behind by attackers of enterprise systems is challenging. In particular, reconstructing attack scenarios using intrusion detection system alerts and system logs that have too many false positives is a big challenge. This chapter presents a model and an accompanying software tool that systematically addresses the reconstruction of attack scenarios in a manner that could stand up in court. The problems faced in such reconstructions include large amounts of data (including irrelevant data), missing evidence and evidence corrupted or destroyed by anti-forensic techniques. The model addresses these problems using various methods, including mapping evidence to system vulnerabilities, inductive reasoning and abductive reasoning, to reconstruct attack scenarios. The Prolog-based system employs known vulnerability databases and an anti-forensic database that will eventually be extended to a standardized database like the NIST National Vulnerability Database. The system, which is designed for network forensic analysis, reduces the time and effort required to reach definite conclusions about how network attacks occurred.
Proceedings Title
Advances in Digital Forensics XI
Volume
462
Conference Dates
January 26-28, 2015
Conference Location
Orlando, FL, US
Conference Title
11th IFIP WG 11.3 International Conference on Digital Forensics
Pub Type
Conferences

Download Paper

https://doi.org/10.1007/978-3-319-24123-4_8
Local Download

Keywords

admissibility, evidence graph, network attacks, network forensics
Information technology, Forensic Science, Digital evidence and Cybersecurity and privacy

Citation

Liu, C. , Singhal, A. and Wijesekera, D. (2015), A Logic Based Network Forensics Model for Evidence Analysis, Advances in Digital Forensics XI, Orlando, FL, US, [online], https://doi.org/10.1007/978-3-319-24123-4_8, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=918321 (Accessed October 8, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created January 27, 2015, Updated October 12, 2021
Was this page helpful?