Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

A Probabilistic Network Forensics Model for Evidence Analysis

Published

Author(s)

Changwei Liu, Anoop Singhal, Duminda Wijesekera

Abstract

Modern-day attackers tend to use sophisticated multi-stage/multi-host attack techniques and anti-forensics tools to cover their attack traces. Due to the current limitations of intrusion detection and forensic analysis tools, reconstructing attack scenarios from evidence left behind by the attackers of an enterprise system is challenging. In particular, reconstructing attack scenarios by using the information from IDS alerts and system logs that have a large number of false positives is a big challenge. In this paper, we have developed a probabilistic model that applies Bayesian Network to evidence graphs, systematically addressing how to resolve some of the above problems. This model can be used to detect and analyze such errors and compute the probability for an entire attack scenario. We have also developed a software tool based on this model for network forensics analysis. Our system is based on a Prolog system using known vulnerability databases and an anti-forensics database that is similar to the NIST National Vulnerability Database (NVD). Our experimental results and case study show that such a system can be useful for constructing most likely attack scenario and doing error management in network forensics analysis.
Proceedings Title
IFIP WG 11.3 International Conference on Digital Forensics
Volume
484
Conference Dates
January 4-6, 2016
Conference Location
New Delhi, -1

Keywords

Bayesian Network, digital evidence, logical evidence graphs, network forensic
Created September 20, 2016, Updated November 10, 2018