Poster:A Logic Based Network Forensics Model for Evidence Analysis

Published: October 15, 2015


Anoop Singhal, Changwei Liu, Duminda Wijesekera


Modern-day attackers tend to use sophisticated multi-stage/multi-host attack techniques and anti-forensics tools to cover their attack traces. Due to the current limitations of intrusion detection and forensic analysis tools, reconstructing attack scenarios from evidence left behind by the attackers of an enterprise system is challenging. In particular, reconstructing attack scenarios by using the information from IDS alerts and system logs that have a large number of false positives is a big challenge. In this poster, we present a model and an accompanying software tool that systematically addresses how to resolve the above problems to reconstruct the attack scenario. These problems include a large amount of data including non-relevant data and evidence destroyed by anti-forensic techniques. Our system is based on a Prolog system using known vulnerability databases and an anti-forensics database that we plan to extend to a standardized database like the NIST National Vulnerability Database (NVD).
Conference Dates: October 12-15, 2015
Conference Location: Denver, CO
Conference Title: 22nd ACM Conference on Computer and Communications Security
Pub Type: Conferences


Attack Graph, Forensic Analysis, Evidence Graphs, Vulnerability Database, Inductive Reasoning, Admissibility
Created October 15, 2015, Updated November 10, 2018