Abstract
Probabilistic evidence graphs model network intrusion evidence and the dependencies among evidence items to support network forensic analysis. The graphs link the probabilities associated with different attack paths to the available evidence. However, current work on evidence graphs assumes that all the available evidence can be expressed in a single, small evidence graph. This paper presents an algorithm for merging evidence graphs, with or without a corresponding attack graph. Applying the algorithm to a file server and database server attack scenario yields an integrated evidence graph that shows the global scope of the attack. The integrated graph provides broader context and is easier to understand than multiple local evidence graphs.
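As an added illustration of what merging two local evidence graphs buys an investigator (example code written for this page, not the paper's algorithm or its scenario data): each local graph is a DAG of evidence items ("host:state") carrying the probability that the state was actually reached, with edges recording which evidence enables which. Merging by node identity stitches the file server investigation to the database server investigation through their shared node, so an attack path that neither local graph can explain on its own becomes visible, and its probability can be read off the integrated graph. The merge rule for conflicting probabilities (keep the larger), the product-of-probabilities path metric, and all hosts, states and probabilities are assumptions of this example.

```python
"""Merge two local probabilistic evidence graphs into one integrated graph.

Illustrative code added to this page; not the algorithm from the paper.
Assumptions made here: nodes are identified by a "host:state" string, a node
present in both local graphs keeps the larger of its two probabilities, and
the probability of an attack path is the product of the probabilities of the
nodes on it (the usual independence assumption of probabilistic attack
graphs). All sample data below is constructed.
"""
from dataclasses import dataclass, field
from math import prod


@dataclass
class EvidenceGraph:
    # node id -> probability that the evidenced state was actually reached
    nodes: dict[str, float] = field(default_factory=dict)
    # directed dependency edges (enabling evidence, enabled evidence)
    edges: set[tuple[str, str]] = field(default_factory=set)


def merge(g1: EvidenceGraph, g2: EvidenceGraph) -> EvidenceGraph:
    """Union two local evidence graphs on node identity.

    A node seen in both graphs is kept once; when the two investigations
    assigned it different probabilities, the larger one is retained (this
    'max' rule is an assumption of the example). Edges are simply unioned.
    """
    merged = EvidenceGraph()
    for g in (g1, g2):
        for node, p in g.nodes.items():
            merged.nodes[node] = max(p, merged.nodes.get(node, 0.0))
        merged.edges |= g.edges
    return merged


def attack_paths(g: EvidenceGraph, source: str, target: str):
    """Enumerate simple source->target paths with their probability.

    Returns a list of (path, probability) tuples; empty if the target is
    unreachable from the source in this graph.
    """
    successors: dict[str, list[str]] = {}
    for a, b in g.edges:
        successors.setdefault(a, []).append(b)

    found = []

    def walk(node: str, path: list[str]) -> None:
        if node == target:
            found.append((list(path), prod(g.nodes[n] for n in path)))
            return
        for nxt in sorted(successors.get(node, [])):
            if nxt not in path:          # simple paths only: no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(source, [source])
    return found


# Constructed sample data: the file server investigation traced the attacker
# from the Internet through a workstation foothold to root on the file server.
FILE_SERVER_GRAPH = EvidenceGraph(
    nodes={"attacker:internet": 1.0, "workstation:foothold": 0.9, "fileserver:root": 0.6},
    edges={("attacker:internet", "workstation:foothold"),
           ("workstation:foothold", "fileserver:root")},
)

# The database server investigation starts from root on the file server (which
# it rated less confidently, 0.5) and ends at data exfiltration; on its own it
# cannot say how the file server was compromised in the first place.
DB_SERVER_GRAPH = EvidenceGraph(
    nodes={"fileserver:root": 0.5, "dbserver:credential_reuse": 0.7, "dbserver:exfiltration": 0.5},
    edges={("fileserver:root", "dbserver:credential_reuse"),
           ("dbserver:credential_reuse", "dbserver:exfiltration")},
)


def integrated_view():
    """Merge the two local graphs and list end-to-end attack paths."""
    merged = merge(FILE_SERVER_GRAPH, DB_SERVER_GRAPH)
    return merged, attack_paths(merged, "attacker:internet", "dbserver:exfiltration")


if __name__ == "__main__":
    merged, paths = integrated_view()
    print("local DB graph alone:", attack_paths(DB_SERVER_GRAPH, "attacker:internet", "dbserver:exfiltration"))
    for path, p in paths:
        print(f"integrated path p={p:.3f}: " + " -> ".join(path))
```

Run stand-alone, the local database server graph yields no path from the attacker at all, while the integrated graph shows the single end-to-end path Internet, workstation, file server, database, with the shared file server node carrying the stronger (0.6) of the two local assessments.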
© 2013 IFIP International Federation for Information Processing
Cite this paper
Liu, C., Singhal, A., Wijesekera, D. (2013). Creating Integrated Evidence Graphs for Network Forensics. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics IX. DigitalForensics 2013. IFIP Advances in Information and Communication Technology, vol 410. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41148-9_16
DOI: https://doi.org/10.1007/978-3-642-41148-9_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41147-2
Online ISBN: 978-3-642-41148-9
eBook Packages: Computer Science (R0)