A Logic-Based Network Forensic Model for Evidence Analysis

Modern-day attackers tend to use sophisticated multi-stage/multi-host attack techniques and anti-forensics tools to cover their attack traces. Due to the limitations of current intrusion detection and forensic anal­ ysis tools, reconstructing attack scenarios from evidence left behind by the attackers of an enterprise system is challenging. In particular, re­ constructing attack scenarios by using intrusion detection system (IDS) alerts and system logs that have too many false positives is a big chal­ lenge. In this paper, we present a model and an accompanying software tool that systematically addresses how to resolve the above problems to reconstruct attack scenarios that could stand up in court. These prob­ lems include a large amount of data including non-relevant data, missing evidence and incomplete evidence destroyed by using anti-forensic tech­ niques. Our system is based on a Prolog system using known vulnera­ bility databases and an anti-forensic database that we plan to extend to a standardized database like the existing NIST National Vulnerability Database (NVD). In this model, we use different methods, including mapping the evi­ dence to system vulnerabilities, inductive reasoning and abductive rea­ soning, to reconstruct attack scenarios. The goal of this work is to reduce the security investigators’ time and effort in reaching definite conclusion about how an attack occurred. Our results indicate that such a reasoning system can be useful for network forensics analysis.