Published: October 15, 2015
Author(s)
Anoop Singhal (NIST), Changwei Liu (GMU), Duminda Wijesekera (GMU)
Conference
Name: 22nd ACM Conference on Computer and Communications Security (CCS '15)
Dates: 10/12/2015 - 10/15/2015
Location: Denver, Colorado, United States
Citation: CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1677
Modern-day attackers tend to use sophisticated multi-stage/multi-host attack techniques and anti-forensics tools to cover their attack traces. Due to the current limitations of intrusion detection and forensic analysis tools, reconstructing attack scenarios from the evidence that attackers leave behind on an enterprise system is challenging. In particular, reconstructing attack scenarios from IDS alerts and system logs, which contain a large number of false positives, is a major challenge. In this poster, we present a model and an accompanying software tool that systematically addresses these problems in order to reconstruct the attack scenario. The problems include large volumes of data, much of it irrelevant to the attack, and evidence destroyed by anti-forensic techniques. Our system is based on Prolog and uses known vulnerability databases together with an anti-forensics database, which we plan to extend to a standardized database such as the NIST National Vulnerability Database (NVD). In this model, we use several methods, including mapping the evidence to system vulnerabilities, inductive reasoning, and abductive reasoning, to reconstruct attack scenarios. The goal of this work is to reduce the time and effort investigators need to reach a definite conclusion about how an attack occurred. Our results indicate that such a reasoning system can be useful for network forensics analysis.
Keywords
admissibility; cybercrime; digital evidence; evidence graph; network attack scenario; network forensics; Prolog reasoning