Development of Intellectual Network Forensic System LIFT against Targeted Attacks

Recently, the number of targeted attacks against specific organizations, such as companies or governments, has been increasing. Although such organizations are required to protect against a targeted attack or mitigate its effects, it is very difficult to perform the proper operation without the assistance of a support system. Therefore, the authors developed the Live and Intelligent Network Forensic Technologies (LIFT) system to guide the proper operation and/or conduct an automatic operation using artificial intelligence. The LIFT system collects logs from servers, PCs, and communication equipment such as routers and detects abnormal signs in the collected logs. Next, the LIFT system calculates the certainty factor of an event occurrence using knowledge of the relation between the detected signs and the estimated event. If the certainty factor is large enough, the event is assumed to have occurred; otherwise, the LIFT system requests the collection of additional logs or the results of a memory dump. Moreover, the LIFT system guides the proper operation and/or conducts an automatic operation using knowledge of the relation between the event and the proposed action, which may be either a guide for the operator or an automatic operation. If this knowledge is given to the LIFT system, a total simulation can be performed in the LIFT system based on rule-based technology, which is one of the artificial intelligence technologies. This paper describes the objective of developing the LIFT system, an overview of the system, the developed prototype of the LIFT system, and the experimental results of applying the LIFT system prototype. From the experimental results, we confirm that the LIFT system can be a useful tool for performing the proper operation against a targeted attack.
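The abstract describes a three-stage pipeline: detect signs in collected logs, combine them into a certainty factor for an estimated event using sign-to-event knowledge, then either map a sufficiently certain event to a proposed action or ask for more evidence. The following is an added illustration of that pipeline in Python; it is not code from the LIFT prototype or its authors. The log format, the sign detectors, the sign-to-event rules, their certainty values, the 0.75 threshold, and the event-to-action table are all constructed here for illustration, and the way evidence from several fired rules is combined (the MYCIN-style rule CF1 + CF2 * (1 - CF1) for positive evidence) is an assumption, since the paper does not state its combination formula.

```python
"""Toy rule-based certainty-factor engine in the style the abstract describes.

Everything below (log lines, signs, rules, CF values, actions) is constructed
for illustration and is not taken from the LIFT paper or prototype.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample log lines: "<source> <message>". Not real telemetry.
SAMPLE_LOGS: List[str] = [
    "proxy CONNECT 203.0.113.7:443 from pc-017 user=alice bytes=18234 ua=-",
    "proxy CONNECT 203.0.113.7:443 from pc-017 user=alice bytes=18310 ua=-",
    "proxy CONNECT 203.0.113.7:443 from pc-017 user=alice bytes=18190 ua=-",
    "ad EventID=4625 LogonType=3 TargetUser=svc_backup src=pc-017",
    "ad EventID=4625 LogonType=3 TargetUser=svc_backup src=pc-017",
    "ad EventID=4625 LogonType=3 TargetUser=svc_backup src=pc-017",
    "ad EventID=4625 LogonType=3 TargetUser=svc_backup src=pc-017",
    "ad EventID=4625 LogonType=3 TargetUser=svc_backup src=pc-017",
    "pc-017 new scheduled task created: name=updater path=C:\\Users\\Public\\u.exe",
]


@dataclass(frozen=True)
class SignRule:
    """A sign fires when some key (e.g. one source host) matches >= min_count times."""
    name: str
    pattern: re.Pattern
    min_count: int
    key: Optional[str] = None  # named regex group used to bucket matches


# Stage 1 knowledge: how abnormal signs are recognised in the logs (assumed).
SIGN_RULES: List[SignRule] = [
    SignRule("periodic_beacon",
             re.compile(r"CONNECT (?P<dst>\S+) from (?P<src>\S+) .*ua=-$"), 3, "dst"),
    SignRule("brute_force",
             re.compile(r"EventID=4625 .*src=(?P<src>\S+)"), 5, "src"),
    SignRule("suspicious_persistence",
             re.compile(r"scheduled task created: .*path=C:\\Users\\Public\\"), 1),
]

# Stage 2 knowledge: (required signs, estimated event, certainty factor). Assumed values.
EVENT_RULES: List[Tuple[FrozenSet[str], str, float]] = [
    (frozenset({"periodic_beacon"}), "host_compromised", 0.6),
    (frozenset({"suspicious_persistence"}), "host_compromised", 0.5),
    (frozenset({"brute_force"}), "lateral_movement", 0.4),
    (frozenset({"brute_force", "periodic_beacon"}), "lateral_movement", 0.3),
]

# Stage 3 knowledge: event -> proposed action for the operator (assumed).
ACTIONS: Dict[str, str] = {
    "host_compromised": "isolate the host from the network and acquire a memory dump",
    "lateral_movement": "reset the targeted account and review authentication logs",
}
MORE_EVIDENCE = "collect additional logs or a memory dump from the implicated host"


def detect_signs(lines: List[str], rules: List[SignRule]) -> Set[str]:
    """Stage 1: return the names of all signs whose count threshold is reached."""
    signs: Set[str] = set()
    for rule in rules:
        counts: Dict[str, int] = {}
        for line in lines:
            m = rule.pattern.search(line)
            if m:
                key = m.group(rule.key) if rule.key else ""
                counts[key] = counts.get(key, 0) + 1
        if any(c >= rule.min_count for c in counts.values()):
            signs.add(rule.name)
    return signs


def combine_cf(cf_a: float, cf_b: float) -> float:
    """MYCIN-style combination of two positive certainty factors (assumption)."""
    return cf_a + cf_b * (1.0 - cf_a)


def infer_events(signs: Set[str], rules) -> Dict[str, float]:
    """Stage 2: fire every rule whose signs are all present; combine CFs per event."""
    cfs: Dict[str, float] = {}
    for required, event, cf in rules:
        if required <= signs:
            cfs[event] = combine_cf(cfs.get(event, 0.0), cf)
    return cfs


def decide(cfs: Dict[str, float], threshold: float) -> Dict[str, Tuple[str, str]]:
    """Stage 3: assumed events get their proposed action; uncertain ones get a request."""
    return {
        event: (("assumed", ACTIONS[event]) if cf >= threshold else ("uncertain", MORE_EVIDENCE))
        for event, cf in cfs.items()
    }


def run(lines: List[str] = SAMPLE_LOGS, threshold: float = 0.75):
    signs = detect_signs(lines, SIGN_RULES)
    cfs = infer_events(signs, EVENT_RULES)
    return signs, cfs, decide(cfs, threshold)


if __name__ == "__main__":
    found, factors, verdicts in (run(),)
    print("signs:", sorted(found))
    for ev, cf in factors.items():
        print(f"{ev}: CF={cf:.2f} -> {verdicts[ev][0]}: {verdicts[ev][1]}")
```

On the constructed logs, the two rules supporting `host_compromised` combine to 0.8 and clear the threshold, so the event is assumed and its proposed action is emitted, while `lateral_movement` reaches only 0.58 and triggers a request for additional logs or a memory dump, which mirrors the branch the abstract describes.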