• DocumentCode
    2858270
  • Title
    Building evidence graphs for network forensics analysis
  • Author
    Wang, Wei ; Daniels, Thomas E.
  • Author_Institution
    Dept. of Electr. & Comput. Eng., Iowa State Univ., Ames, IA
  • fYear
    2005
  • fDate
    5-9 Dec. 2005
  • Lastpage
    266
  • Abstract
    In this paper, we present techniques for a network forensics analysis mechanism that includes effective evidence presentation, manipulation and automated reasoning. We propose the evidence graph as a novel graph model to facilitate the presentation and manipulation of intrusion evidence. For automated evidence analysis, we develop a hierarchical reasoning framework that includes local reasoning and global reasoning. Local reasoning aims to infer the roles of suspicious hosts from local observations. Global reasoning aims to identify groups of strongly correlated hosts in the attack and derive their relationships. By using the evidence graph model, we effectively integrate analyst feedback into the automated reasoning process. Experimental results demonstrate the potential and effectiveness of our proposed approaches.
  • Keywords
    computer networks; security of data; analyst feedback; automated evidence analysis; automated reasoning; evidence graph model; global reasoning; hierarchical reasoning framework; intrusion evidence manipulation; intrusion evidence presentation; local reasoning; network forensics analysis; Background noise; Computer errors; Computer security; Delay; Digital forensics; Feedback; Information analysis; Intrusion detection; Prototypes; Redundancy;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Applications Conference, 21st Annual
  • Conference_Location
    Tucson, AZ
  • ISSN
    1063-9527
  • Print_ISBN
    0-7695-2461-3
  • Type
    conf
  • DOI
    10.1109/CSAC.2005.14
  • Filename
    1565253