Building Evidence Graphs for Network Forensics Analysis
- 5 January 2006
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 254-266
- https://doi.org/10.1109/csac.2005.14
Abstract
In this paper, we present techniques for a network forensics analysis mechanism that includes effective evidence presentation, manipulation and automated reasoning. We propose the evidence graph as a novel graph model to facilitate the presentation and manipulation of intrusion evidence. For automated evidence analysis, we develop a hierarchical reasoning framework that includes local reasoning and global reasoning. Local reasoning aims to infer the roles of suspicious hosts from local observations. Global reasoning aims to identify groups of strongly correlated hosts in the attack and derive their relationships. By using the evidence graph model, we effectively integrate analyst feedback into the automated reasoning process. Experimental results demonstrate the potential and effectiveness of our proposed approaches.