Modern-day attackers tend to use sophisticated multi-stage/multi-host attack techniques and anti-forensics tools to cover their attack traces. Due to the current limitations of intrusion detection and forensic analysis tools, reconstructing attack scenarios from evidence left behind by the attackers of an enterprise system is challenging. In particular, reconstructing attack scenarios by using the information from IDS alerts and system logs that have a large number of false positives is a big challenge. In this paper, we have developed a probabilistic model that applies Bayesian Network to evidence graphs, systematically addressing how to resolve some of the above problems. This model can be used to detect and analyze such errors and compute the probability for an entire attack scenario. We have also developed a software tool based on this model for network forensics analysis. Our system is based on a Prolog system using known vulnerability databases and an anti-forensics database that is similar to the NIST National Vulnerability Database (NVD). Our experimental results and case study show that such a system can be useful for constructing most likely attack scenario and doing error management in network forensics analysis.
Proceedings Title: IFIP WG 11.3 International Conference on Digital Forensics
Conference Dates: January 4-6, 2016
Conference Location: New Delhi, -1
Pub Type: Conferences
Bayesian Network, digital evidence, logical evidence graphs, network forensic