A logic-based network forensic model for evidence analysis

Abstract

Many attackers tend to use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their traces. Due to the limitations of current intrusion detection and network forensic analysis tools, reconstructing attack scenarios from evidence left behind by attackers of enterprise systems is challenging. In particular, reconstructing attack scenarios using intrusion detection system alerts and system logs that have too many false positives is a big challenge. This chapter presents a model and an accompanying software tool that systematically addresses the reconstruction of attack scenarios in a manner that could stand up in court. The problems faced in such reconstructions include large amounts of data (including irrelevant data), missing evidence and evidence corrupted or destroyed by anti-forensic techniques. The model addresses these problems using various methods, including mapping evidence to system vulnerabilities, inductive reasoning and abductive reasoning, to reconstruct attack scenarios. The Prolog-based system employs known vulnerability databases and an anti-forensic database that will eventually be extended to a standardized database like the NIST National Vulnerability Database. The system, which is designed for network forensic analysis, reduces the time and effort required to reach definite conclusions about how network attacks occurred.