Abstract
A cyber attack on critical infrastructure differs from an attack on general information and communication systems. Recent cyber attacks on critical infrastructure have been found to be complex cyber attacks (CCA), because they are multi-stage, multi-phase and multi-pace. Detecting these complex cyber attacks remains a challenging problem because they are intractable to describe and analyze. In this paper, complex cyber attacks are analyzed and, as a response to the detection of an attack, a forensic investigation framework for CCA is proposed. The paper focuses on a forensic investigation framework for CCA in a cyber physical system that is large and geographically distributed. A model for the forensic investigation process is proposed which is based on the goals and sub-goals of an attack; this helps to reconstruct the event and collect data for evidence. Since complex cyber attacks are constructed from a variety of malware, some of which is self-propagating, an epidemic analysis within the forensic investigation process determines the spread of infection across large infrastructures. Adding the epidemic behavior of malware to the forensic investigation process helps in understanding the dynamics of infection in a large, heterogeneous infrastructure.
Citation
Mishra, S. (2019). Forensic investigation framework for complex cyber attack on cyber physical system by using goals/sub-goals of an attack and epidemics of malware in a system. In Lecture Notes in Electrical Engineering (Vol. 524, pp. 491–504). Springer Verlag. https://doi.org/10.1007/978-981-13-2685-1_47