U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Poster:A Logic Based Network Forensics Model for Evidence Analysis

Published

Author(s)

Anoop Singhal, Changwei Liu, Duminda Wijesekera

Abstract

Modern-day attackers tend to use sophisticated multi-stage/multi-host attack techniques and anti-forensics tools to cover their attack traces. Due to the current limitations of intrusion detection and forensic analysis tools, reconstructing attack scenarios from evidence left behind by the attackers of an enterprise system is challenging. In particular, reconstructing attack scenarios by using the information from IDS alerts and system logs that have a large number of false positives is a big challenge. In this poster, we present a model and an accompanying software tool that systematically addresses how to resolve the above problems to reconstruct the attack scenario. These problems include a large amount of data including non-relevant data and evidence destroyed by anti-forensic techniques. Our system is based on a Prolog system using known vulnerability databases and an anti-forensics database that we plan to extend to a standardized database like the NIST National Vulnerability Database (NVD).
Conference Dates
October 12-15, 2015
Conference Location
Denver, CO
Conference Title
22nd ACM Conference on Computer and Communications Security
Pub Type
Conferences

Download Paper

https://doi.org/10.1145/2810103.2810106
Local Download

Keywords

Attack Graph, Forensic Analysis, Evidence Graphs, Vulnerability Database, Inductive Reasoning, Admissibility
Information technology, Forensic Science, Digital evidence and Cybersecurity

Citation

Singhal, A. , Liu, C. and Wijesekera, D. (2015), Poster:A Logic Based Network Forensics Model for Evidence Analysis, 22nd ACM Conference on Computer and Communications Security, Denver, CO, [online], https://doi.org/10.1145/2810103.2810106, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=919122 (Accessed March 13, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created October 14, 2015, Updated June 24, 2021