A graph based approach toward network forensics analysis

ACM Transactions on Information and System Security

Volumn 12, Issue 1, 2008, Pages

  Wang, Wei ^a   Daniels, Thomas E ^a  

^a Iowa State University of Science and Technology   (United States)

Author keywords

Evidence graph; Hierarchical reasoning; Network forensics

Indexed keywords

AUTOMATA THEORY;

ATTACK SCENARIOS; AUTOMATED REASONINGS; DATA SETS; EVIDENCE GRAPH; EXPERT KNOWLEDGES; FUNCTIONAL STATES; GRAPH BASED; GRAPH MODELS; GRAPH STRUCTURES; HIERARCHICAL REASONING; HIERARCHICAL REASONINGS; HYPOTHESIS TESTING; LOCAL REASONINGS; NETWORK FORENSICS; PROTOTYPE SYSTEMS; VARIOUS ATTACKS;

GRAPH THEORY;

EID: 56349109092     PISSN: 10949224     EISSN: 15577406     Source Type: Journal    
DOI: 10.1145/1410234.1410238     Document Type: Article

References (38)

1. CARRIER, B. D. AND SPAFFORD, E. H. 2004. Defining event reconstruction of digital crime scenes. J. Forensic Sci.
2. CARVALHO, J. P. AND TOME, J. A. B. 1999a. Rule Based Fuzzy Cognitive Maps and Fuzzy Cognitive Maps - A Comparative Study. In Proceedings of the 18th International Conference of the North American Fuzzy Information Processing Society (NAFIPS'99). New York.
3. CARVALHO, J. P. AND TOME, J. A. B. 1999b. Rule-Based Fuzzy Cognitive Maps: Fuzzy Causal Relations. In Proceedings of the 8th International Fuzzy Systems Association World Congress (IFSA'99). Taiwan.
4. CUPPENS, F. 2001. Managing alerts in a multi-intrusion detecttion environment. In Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC'01).
5. CUPPENS, F. AND MIEGE, A. 2002. Alert Correlation in a Cooperative Intrusion Detection Framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP'02).
6. DAIN, O. AND CUNNINGHAM, R. 2001a. Building scenarios from a heterogeneous alert stream. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security (IAW'01). 231-235.
7. DAIN, O. AND CUNNINGHAM, R. 2001b. Fusing a heterogeneous alert stream into scenarios. In Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications (DMSA'01). 1-13.
8. DARPA. MIT Lincoln Lab 2000 DARPA intrusion detection scenario specific datasets. Retrieved from http://www.ll.mit.edu/IST/ideval/data/2000/index.html.
9. DEBAR, H., DACER, M., AND WESPI, A. 1999. A revised taxonomy for intrusion-detection systems. In IBM Research Report.
10. DEBAR, H. AND WESPI, A. 2001. Aggregation and Correlation of Intrusion-Detection Alerts. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID'01).
11. ECKMANN, S., VIGNA, G., AND KEMMERER, R. 2000. Statl: An attack language for state-based intrusion detection. Dept. of Computer Science, University of California, Santa Barbara.
12. EnCase. EnCase Forensic Tool. Available at http://www.guidancesoftware. com.
13. eTrust. eTrust Network Forensics Solution. Available at http://www3.ca.com/.
14. Flowtools. flow-tools. Retrieved from http://www.splintered.net/sw/flow- tools/.
15. IDMEF. Intrusion Detection Message Exchange Format. Internet draft available at http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-14. txt.
16. INSTITUTE FOR SECURITY TECHNOLOGY STUDIES. 2004. Law enforcement tools and technologies for investigating cyber attacks: Gap analysis report. Retrieved from http://www.ists.dartmouth. edu.
17. JAJODIA, S., NOELS, S., AND O'BERRY, B. 2005. Topological analysis of network attack vulnerability. Managing Cyber Threats: Issues, Approaches and Challenges.
18. JULISCH, K. 2001. Mining alarm clusters to improve alarm handling efficiency. In Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC'01). 12-21.
19. JULISCH, K. 2003. Clustering intrusion detection alarms to support root cause analysis. In ACM Trans. Inf. Syst. Secur. 443-471.
20. KRUEGEL, C. AND ROBERTSON, W. 2004. Alert Verification: Determing the success of intrusion attempts. In Proceedings of the 1st Workshop on the Detection of Intrusions and Malware Vulnerability Assessment (DIMVA'04). Dortmund, Germany.
21. LEDA. LEDA graph library. Retrieved from http://www.algorithmic- solutions.com/enleda.htm.
22. MORIN, B. AND DEBAR, H. 2003. Correlation of intrusion symptoms: an application of chronicles. In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03).
23. NetDetector. Available at http://www.niksun.com/Products-NetDetector.htm.
24. NetFlow. Cisco IOS NetFlow protocol. Retrieved from http://www.cisco.com/ en/US/products/ps6601/home.html.
25. NING, P., CUI, Y., AND REEVES, D. S. 2002. Constructing attack scenarios through correlation of intrusion alerts. In 9th ACM Conference on Computer and Communications Security (CCS'02).
26. NING, P. AND XU, D. 2003. Learning attack stratagies from intrusion alerts. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS'03). 200-209.
27. NING, P. AND XU, D. 2004. Hypothesizing and reasoning about attacks missed by intrusion detection systems. ACM Trans. Inf. Syst. Secur. 7, 4, 591-627.
28. PHILLIPS, C. AND SWILER, L. 1998. A graph-based system for network vulnerability analysis. In Proceedings of the New Security Paradigm Workshop. Charlottesville, VA.
29. QIN, X. AND LEE, W. 2003. Statistical causality analysis of INFOSEC alert data. In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03).
30. QIN, X. AND LEE, W. 2004. Discovering novel attack strategies from INFOSEC alerts. In Proceedings of the 9th European Symposium on Research in Computer Security (ESORICS'04).
31. RAMAKRISHNAN, C. AND SEKAR, R. 1998. Model-based vulnerability analysis of computer systems. In Proceedings of the 2nd International Workshop on Verification, Model Checking and Abstract Interpretation (UMCAI'98).
32. RITCHEY, R. W. AND AMMANN, P. 2000. Using model checking to analyze network vulnerabilities. In Proceedings of the 2000 IEEE Symposium on Security and Privacy (SP'00). Washington, DC. Safeback. SafeBack Bit Stream Backup Software. Available at http://www.forensics-intl.com/ safeback.html.
33. SHANMUGASUNDARAM, K., MEMON, N., SAVANT, A., AND BRONNIMANN, H. 2003. ForNet: A Distributed Forensics Network. In Proceedings of the Second International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security (MMM'03).
34. SHEYNER, O., HAINES, J., JHA, S., LIPPMANN, R., AND WING, J. M. 2002. Automated generation and analysis of attack graphs. In Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP'02). Oakland, CA.
35. SHEYNER, O. AND WING, J. M. 2005. Tools for generating and analyzing attack graphs. In Proceedings of International Symposium on Formal Methods for Components and Objects (FMCO'05).
36. SIRAJ, A., M.BRIDGES, S., AND B.VAUGHN, R. 2001. Fuzzy cognitive maps for decision support in an intelligent intrusion detection system. Tech. rep., Department of Computer Science, Mississippi State University.
37. Softflowd. Retrieved from http://www.mindrot.com/softflowd.html.
38. VALDES, A. AND SKINNER, K. 2001. Probablistic alert correlation. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID'01).