Poster:A Logic Based Network Forensics Model for Evidence Analysis
Anoop Singhal, Changwei Liu, Duminda Wijesekera
Modern-day attackers tend to use sophisticated multi-stage/multi-host attack techniques and anti-forensics tools to cover their attack traces. Due to the current limitations of intrusion detection and forensic analysis tools, reconstructing attack scenarios from evidence left behind by the attackers of an enterprise system is challenging. In particular, reconstructing attack scenarios by using the information from IDS alerts and system logs that have a large number of false positives is a big challenge. In this poster, we present a model and an accompanying software tool that systematically addresses how to resolve the above problems to reconstruct the attack scenario. These problems include a large amount of data including non-relevant data and evidence destroyed by anti-forensic techniques. Our system is based on a Prolog system using known vulnerability databases and an anti-forensics database that we plan to extend to a standardized database like the NIST National Vulnerability Database (NVD).
October 12-15, 2015
22nd ACM Conference on Computer and Communications Security
, Liu, C.
and Wijesekera, D.
Poster:A Logic Based Network Forensics Model for Evidence Analysis, 22nd ACM Conference on Computer and Communications Security, Denver, CO, [online], https://doi.org/10.1145/2810103.2810106, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=919122
(Accessed December 1, 2023)