
A Probabilistic Network Forensics Model for Evidence Analysis

Published

Author(s)

Changwei Liu, Anoop Singhal, Duminda Wijesekera

Abstract

Modern-day attackers tend to use sophisticated multi-stage/multi-host attack techniques and anti-forensics tools to cover their attack traces. Because of the current limitations of intrusion detection and forensic analysis tools, reconstructing attack scenarios from the evidence attackers leave behind in an enterprise system is challenging. In particular, reconstructing attack scenarios from IDS alerts and system logs that contain a large number of false positives is a major challenge. In this paper, we develop a probabilistic model that applies Bayesian networks to evidence graphs, systematically addressing how to resolve some of the above problems. The model can be used to detect and analyze such errors in the evidence and to compute the probability of an entire attack scenario. We have also developed a software tool based on this model for network forensics analysis. Our system is built on Prolog and uses known vulnerability databases together with an anti-forensics database that is similar to the NIST National Vulnerability Database (NVD). Our experimental results and case study show that such a system can be useful for constructing the most likely attack scenario and for managing errors in network forensics analysis.
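As an added illustration of the idea summarized above (not the authors' model or tool), the Python below encodes a three-stage attack chain as a small Bayesian network whose evidence nodes are IDS alerts with false-positive and false-negative rates, then computes by exact enumeration the posterior probability that the whole scenario occurred and the most likely (MAP) scenario. All stage names, priors and rates are constructed for the example.

```python
from itertools import product

# Constructed toy evidence graph: three chained attack stages, each with one
# IDS-alert evidence node. Names and probabilities are illustrative only.
STAGES = ["exploit_web_server", "escalate_privileges", "exfiltrate_data"]
PRIOR_FIRST = 0.05        # P(stage 1 happened) before seeing any evidence
P_NEXT_GIVEN_PREV = 0.8   # P(stage i | stage i-1 happened)
P_NEXT_GIVEN_NOT = 0.01   # P(stage i | stage i-1 did not happen)
TRUE_POSITIVE = 0.9       # P(alert fired | stage happened)
FALSE_POSITIVE = 0.1      # P(alert fired | stage did not happen)

def joint(states, alerts):
    """P(states, alerts): the network's factorization, a chain prior over the
    stages times one likelihood term per alert node."""
    p = PRIOR_FIRST if states[0] else 1 - PRIOR_FIRST
    for prev, cur in zip(states, states[1:]):
        p_cur = P_NEXT_GIVEN_PREV if prev else P_NEXT_GIVEN_NOT
        p *= p_cur if cur else 1 - p_cur
    for happened, fired in zip(states, alerts):
        p_alert = TRUE_POSITIVE if happened else FALSE_POSITIVE
        p *= p_alert if fired else 1 - p_alert
    return p

def all_assignments():
    return product([False, True], repeat=len(STAGES))

def scenario_posterior(alerts):
    """P(every stage happened | observed alert pattern), by summing the joint
    over all 2^n stage assignments (exact inference; fine for small graphs)."""
    total = sum(joint(s, alerts) for s in all_assignments())
    return joint((True,) * len(STAGES), alerts) / total

def most_likely_scenario(alerts):
    """The MAP assignment: the stages that belong to the most probable
    explanation of the observed alerts."""
    best = max(all_assignments(), key=lambda s: joint(s, alerts))
    return [name for name, happened in zip(STAGES, best) if happened]

if __name__ == "__main__":
    for alerts in [(True, True, True), (True, False, True), (False, False, False)]:
        print(alerts, round(scenario_posterior(alerts), 4), most_likely_scenario(alerts))
```

With these rates, one missing alert in the middle of the chain pulls the full-scenario posterior from about 0.91 down to about 0.20, and the MAP explanation becomes "no attack", which is why a model like this needs anti-forensics knowledge (deliberately suppressed evidence) as well as false-positive rates.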
Proceedings Title
IFIP WG 11.3 International Conference on Digital Forensics
Volume
484
Conference Dates
January 4-6, 2016
Conference Location
New Delhi, IN

Keywords

Bayesian Network, digital evidence, logical evidence graphs, network forensic

Citation

Liu, C., Singhal, A. and Wijesekera, D. (2016), A Probabilistic Network Forensics Model for Evidence Analysis, IFIP WG 11.3 International Conference on Digital Forensics, New Delhi, IN, [online], https://doi.org/10.1007/978-3-319-46279-0_10, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=919693 (Accessed June 24, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created September 19, 2016, Updated October 12, 2021