Automated Analysis of Multi-Source Logs for Network Forensics

Nowadays, one of the reasons for the lack of legal sanctions taken against attackers is that the collection and analysis of forensic evidence is very troublesome and time-consuming. There are many research results about events correlation but not directly suitable for network forensics. The work presented in this paper is based on an idea to collect the evidences from multiple network sensors and analyze them to improve the quality of forensic evidence automatically. This paper discusses the issues of log evidence first. The framework of IEAAS (Automated Analysis System of Intrusion Evidences) is illustrated with LCA (Log Collection Agent) in network sensors and multiple modules in IEAAS. Analysis mechanism is discussed, particularly the improved aggregation algorithm and evidence preservation method are described. Then a series of experiments are performed to validate our method on actual attack network environments of CERNET. The results of experiments show that our approach is practical and effective for dynamic forensics to augment the computer crime investigatorspsila efforts.