A Probabilistic Network Forensics Model for Evidence Analysis

Published: September 20, 2016


Changwei Liu, Anoop Singhal, Duminda Wijesekera


Modern-day attackers tend to use sophisticated multi-stage/multi-host attack techniques and anti-forensics tools to cover their attack traces. Due to the current limitations of intrusion detection and forensic analysis tools, reconstructing attack scenarios from evidence left behind by the attackers of an enterprise system is challenging. In particular, reconstructing attack scenarios by using the information from IDS alerts and system logs that have a large number of false positives is a big challenge. In this paper, we have developed a probabilistic model that applies Bayesian Network to evidence graphs, systematically addressing how to resolve some of the above problems. This model can be used to detect and analyze such errors and compute the probability for an entire attack scenario. We have also developed a software tool based on this model for network forensics analysis. Our system is based on a Prolog system using known vulnerability databases and an anti-forensics database that is similar to the NIST National Vulnerability Database (NVD). Our experimental results and case study show that such a system can be useful for constructing most likely attack scenario and doing error management in network forensics analysis.
Proceedings Title: IFIP WG 11.3 International Conference on Digital Forensics
Volume: 484
Conference Dates: January 4-6, 2016
Conference Location: New Delhi, -1
Pub Type: Conferences


Bayesian Network, digital evidence, logical evidence graphs, network forensic
Created September 20, 2016, Updated November 10, 2018