A Model Towards Using Evidence from Security Events for Network Attack Analysis

Changwei Liu, Anoop Singhal, Duminda Wijesekera

Abstract

Constructing an efficient and accurate model from security events to determine an attack scenario for an enterprise network is challenging. In this paper, we discuss how to use evidence obtained from security events to construct an attack scenario and build an evidence graph. To achieve the accuracy and completeness of the evidence graph, we use Prolog inductive and abductive reasoning to correlate evidence by reasoning the causality, and use an anti-forensics database and a corresponding attack graph to find the missing evidence. In addition, because the constructed scenario and supplied evidence might need to stand up in the court of law, the federal rules of evidence are also taken into account to predetermine the admissibility of the evidence.

References

  1. H. Debar ,A. Wespi, “Aggregation and correlation of intrusion-detection alerts”, In Recent Advances in Intrusion Detection, LNCS 2212, pages 85 - 103, 2001.
  2. Keppens, J. and Zeleznikow, J. (2003). “A Model based Reasoning approach for generating plausible crime scenarios from evidence”, Proceedings of the 9th International Conference of Artificial Intelligence and Law, 51-59. ACM Press, New York.
  3. K. F Sagonas, T. Swift, D.S. Warren, “XSB as an Efficient Deductive Database Engine”, In Proc. of the 1994 ACM SIGMOD International Conference on Management of Data, ACM Press, 1994, pp. 442-453.
  4. P. Sommer, “Intrusion Detection Systems as Evidence”, Recent Advances in Intrusion Detection 1998, RAID98, Electronic version retrieved 17th December 2003
  5. S. P. Peisert, “A Model of Forensic Analysis Using Goal-Oriented Logging”, PhD thesis, Department of Computer Science and Engineering, University of California, San Diego, March 2007.
  6. J. Keppens, Q. Shen, and B. Schafer, “Probabilistic abductive computation of evidence collection strategies in crime investigation”, In PTroceedings of the 10th International Conference on Artificial Intelligence and Law, 2005.
  7. W.Wang, T.E.Daniels, “A graph based approach toward network forensics analysis”, ACM Transactions on Information and Systems Security 12 (1) (2008).
  8. Federal Rules of Evidence, Dec 1, 2010.
  9. O. Dain,R. Cunningham, “Building scenarios from a heterogeneous alert stream”, In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, pages 231-235, June 2001.
  10. S. Jha, O. Sheyner, and J. Wing. “Two formal analyses of attack graphs”, In Proceedings of the 2002 Computer Security Foundations Workshop, pages 45-59, Nova Scotia, June 2002.
  11. C. Liu, A. Singhal, D. Wijesekera, “Mapping Evidence Graphs to Attack Graphs”, IEEE International Workshop on Information Forensics and Security, December, 2012.
  12. C. Liu, A. Singhal, D. Wijesekera. “Using Attack Graphs in Forensic Examinations”, ARES, page 596-603. IEEE Computer Society, (2012).
  13. MulVALV1.1, Jan30, 2012. http://people.cis.ksu.edu/xou/mulval/.
  14. M. Whitteker, “Anti-forensics: Breaking the forensic process”, Information Systems Security Association Journal, pp. 10-16, November 2008.
  15. Ou, X., Boyer, W.F., McQueen, M.A., “A scalable approach to attack graph generation”, In 13th ACM Conference on Computer and Communications Security (CCS), pp.336345 (2006).
  16. A. Singhal, X. Ou, “Security risk analysis of enterprise networks using probabilistic attack graphs”, Technical Report NISTIR 7788, National Institute of Standards and Technology, September 2011.
  17. David S. Warren et al, “The XSB system version 3.1 volume 1: Programmer's manual”, Technical Report Version released on August, 30, Stony Brook University, USA, 2007.
  18. C. Liu, A. Singhal, D. Wijesekera, “Merging Evidence Sub Graphs to Create an Integrated Evidence Graph for Network Forensics Analysis”, Ninth Annual IFIP WG 11.9 International Conference on Digital Forensics, January, 2013
  19. National Vulnerability Database, http://nvd.nist.gov.
  20. A. Jaquith, “Security Metrics: Replacing Fear, Uncertainty, and Doubt”, Addison Wesley, Mar 26, 2007.
  21. Rogers, M. (2006, March 22), Panel session at CERIAS 2006 Information Security Symposium, retrieved September 11, 2007, from http://www.cerias.purdue.edu/symposium/ 2006/materials/pdfs/antiforensics.pdf
  22. Erbacher, R. F., “Validation for Digital Forensics”, In: 2010 Seventh International Conference on Information Technology: New Generations, ITNG (2010).
  23. S. Garfinkel, “Network forensics: tapping the Internet,” http://www.oreillynet.com/pub /a/network/2002/04/26/nettap.html.
  24. Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006), “Guide to Integrating Forensics Techniques into Incident Response”, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-86, NIST, Computer Security Division, Information Technology Laboratory, Gaithersburg, MD. http://csrc.nist.gov/publications/nistpubs/800- 86/SP800-86.pdf, December 4, 2006.
  25. S. Chen, K. Zeng, and P. Mohapatra, “Efficient data capturing for network forensics in cognitive radio networks,” in19th IEEE International Conf. on Network Protocols, 2011.
Download


Paper Citation


in Harvard Style

Liu C., Singhal A. and Wijesekera D. (2014). A Model Towards Using Evidence from Security Events for Network Attack Analysis . In Proceedings of the 11th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2014) ISBN 978-989-758-031-4, pages 83-95. DOI: 10.5220/0004980300830095


in Bibtex Style

@conference{wosis14,
author={Changwei Liu and Anoop Singhal and Duminda Wijesekera},
title={A Model Towards Using Evidence from Security Events for Network Attack Analysis},
booktitle={Proceedings of the 11th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2014)},
year={2014},
pages={83-95},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004980300830095},
isbn={978-989-758-031-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 11th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2014)
TI - A Model Towards Using Evidence from Security Events for Network Attack Analysis
SN - 978-989-758-031-4
AU - Liu C.
AU - Singhal A.
AU - Wijesekera D.
PY - 2014
SP - 83
EP - 95
DO - 10.5220/0004980300830095