Published: April 27, 2014
Author(s)
Changwei Liu (GMU), Anoop Singhal (NIST), Duminda Wijesekera (GMU)
Conference
Name: 11th International Workshop on Security in Information Systems (WOSIS 2014)
Dates: 04/27/2014
Location: Lisbon, Portugal
Citation: A Model Towards Using Evidence from Security Events for Network Attack Analysis, pp. 8
Constructing an efficient and accurate model from security events to determine an attack scenario for an enterprise network is challenging. In this paper, we discuss how to use evidence obtained from security events to construct an attack scenario and build an evidence graph. To achieve the accuracy and completeness of the evidence graph, we use Prolog inductive and abductive reasoning to correlate evidence by reasoning the causality, and use an anti-forensics database and a corresponding attack graph to find the missing evidence. In addition, because the constructed scenario and supplied evidence might need to stand up in the court of law, the federal rules of evidence are also taken into account to predetermine the admissibility of the evidence.
Constructing an efficient and accurate model from security events to determine an attack scenario for an enterprise network is challenging. In this paper, we discuss how to use evidence obtained from security events to construct an attack scenario and build an evidence graph. To achieve the accuracy...
See full abstract
Constructing an efficient and accurate model from security events to determine an attack scenario for an enterprise network is challenging. In this paper, we discuss how to use evidence obtained from security events to construct an attack scenario and build an evidence graph. To achieve the accuracy and completeness of the evidence graph, we use Prolog inductive and abductive reasoning to correlate evidence by reasoning the causality, and use an anti-forensics database and a corresponding attack graph to find the missing evidence. In addition, because the constructed scenario and supplied evidence might need to stand up in the court of law, the federal rules of evidence are also taken into account to predetermine the admissibility of the evidence.
Hide full abstract
Keywords
network forensics; anti-forensics; evidence graph; attack graph; inductive reasoning; abductive reasoning; admissibility
Control Families
None selected