Published: October 18, 2013
Author(s)
Changwei Liu, Anoop Singhal, Duminda Wijesekera
Conference
Name: Ninth IFIP WG 11.9 International Conference on Digital Forensics
Dates: 01/28/2013 - 01/30/2013
Location: Orlando, Florida, United States
Citation: Advances in Digital Forensics IX, vol. 410, pp. 227-241
Evidence Graphs model network intrusion evidence and their dependencies, which helps network forensics analysts collate and visualize dependencies. In particular, probabilistic evidence graph provide a way to link probabilities associated with different attack paths with available evidence. Existing work in evidence graphs assume that all evidence is available as one graph. We show how to merge different evidence graphs with or without the help of attack graphs. We show this by providing algorithms and a case study based on attacks on a fileserver and a database server in a lab network environment. An integrated evidence graph that show all attacks launched toward a global network are more useful for forensics analysts and network administrators in searching for forensic evidence and safeguarding networks respectively.
Evidence Graphs model network intrusion evidence and their dependencies, which helps network forensics analysts collate and visualize dependencies. In particular, probabilistic evidence graph provide a way to link probabilities associated with different attack paths with available evidence. Existing...
See full abstract
Evidence Graphs model network intrusion evidence and their dependencies, which helps network forensics analysts collate and visualize dependencies. In particular, probabilistic evidence graph provide a way to link probabilities associated with different attack paths with available evidence. Existing work in evidence graphs assume that all evidence is available as one graph. We show how to merge different evidence graphs with or without the help of attack graphs. We show this by providing algorithms and a case study based on attacks on a fileserver and a database server in a lab network environment. An integrated evidence graph that show all attacks launched toward a global network are more useful for forensics analysts and network administrators in searching for forensic evidence and safeguarding networks respectively.
Hide full abstract
Keywords
attack graph; forensic analysis; evidence graphs; vulnerability database
Control Families
None selected