Creating Integrated Evidence Graphs for Network Forensics

Liu, Changwei; Singhal, Anoop; Wijesekera, Duminda

doi:https://doi.org/10.1007/978-3-642-41148-9_16

July 19, 2023: URLs for CSRC publication details pages have changed. Legacy URLs should automatically redirect to the new URLs. However, links to the actual publications have NOT changed (e.g., DOIs and PDFs on nvlpubs.nist.gov). Please send inquiries to csrc-inquiry@nist.gov.

Conference Paper

Creating Integrated Evidence Graphs for Network Forensics

Documentation

Published: October 18, 2013

Author(s)

Changwei Liu, Anoop Singhal, Duminda Wijesekera

Conference

Name: Ninth IFIP WG 11.9 International Conference on Digital Forensics
Dates: 01/28/2013 - 01/30/2013
Location: Orlando, Florida, United States
Citation: Advances in Digital Forensics IX, vol. 410, pp. 227-241

Abstract

Evidence Graphs model network intrusion evidence and their dependencies, which helps network forensics analysts collate and visualize dependencies. In particular, probabilistic evidence graph provide a way to link probabilities associated with different attack paths with available evidence. Existing work in evidence graphs assume that all evidence is available as one graph. We show how to merge different evidence graphs with or without the help of attack graphs. We show this by providing algorithms and a case study based on attacks on a fileserver and a database server in a lab network environment. An integrated evidence graph that show all attacks launched toward a global network are more useful for forensics analysts and network administrators in searching for forensic evidence and safeguarding networks respectively.

Keywords

attack graph; forensic analysis; evidence graphs; vulnerability database

Control Families

None selected

Documentation

Publication:
https://doi.org/10.1007/978-3-642-41148-9_16

Supplemental Material:
None available

Document History:
10/18/13: Conference Paper (Final)