A uniformed evidence process model for big data forensic analysis

Abstract

Nowadays attacks, such as Advanced Persistent Threat (APT), usually consist of multiple attacking steps and disguise themselves as normal behaviors, which increase the difficulty to detect them and decrease the accuracy of detection results. APT attack aimed forensic analysis today faced lots of challenges, especially because the large amount of data it involves. Although graph model can describe the causal relationships among the steps in one attack progress, it cannot accurately infer the attacker’s intent, because of the uncertainty of the detection results for each step. This paper proposes a uniformed evidence process model for big data forensic analysis which can be used to identify the attacker, infer the attack process and reconstruct the attack scenario. Specifically our proposed model include: (1) Evidence Collection. Collect all the useful information through large amount of alerts, logs and traffic evidence. (2) Evidence normalization. Normalize data for different kinds of evidence information. (3) Evidence Preservation. Address the demand of centralized systems to store all the information so that users can retrieve the information as necessary. (4) Evidence Analysis. The loaded relevant resources are analyzed to understand the happened crime and collect digital evidence through reconstructing timeline, establishing facts and identifying suspect. (5) Data Presentation and visualization. It generally concerned with presenting the findings of the investigation process to the court of law. Our proposed method can be used in big data forensic analysis, and can greatly improve the efficiency and accuracy of forensic reasoning.