Dec. 5, 2005 to Dec. 9, 2005
Wei Wang , Iowa State University
Thomas E. Daniels , Iowa State University
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/CSAC.2005.14
In this paper, we present techniques for a network forensics analysis mechanism that includes effective evidence presentation, manipulation and automated reasoning. We propose the evidence graph as a novel graph model to facilitate the presentation and manipulation of intrusion evidence. For automated evidence analysis, we develop a hierarchical reasoning framework that includes local reasoning and global reasoning. Local reasoning aims to infer the roles of suspicious hosts from local observations. Global reasoning aims to identify group of strongly correlated hosts in the attack and derive their relationships. By using the evidence graph model, we effectively integrate analyst feedback into the automated reasoning process. Experimental results demonstrate the potential and effectiveness of our proposed approaches.
Wei Wang, Thomas E. Daniels, "Building Evidence Graphs for Network Forensics Analysis", ACSAC, 2005, Computer Security Applications Conference, Annual, Computer Security Applications Conference, Annual 2005, pp. 254-266, doi:10.1109/CSAC.2005.14