•   When: Monday, November 23, 2015 from 10:00 AM to 12:00 PM
•   Speakers: Changwei Liu
•   Location: Nguyen Engineering, Room 4801
•   Export to iCal

Abstract

Network forensics is the science that addresses the capture, recording and analysis of network events and traffic for detecting intrusions and investigating them. To avoid being caught, modern-day attackers tend to use sophisticated attack techniques including multi-stage/multi-host attack and anti-forensics to cover their attack traces. Due to the limitations of current intrusion detection systems and forensic analysis tools, reconstructing attack scenarios from evidence left behind by the attackers of an enterprise system is challenging. In particular, reconstructing attack scenarios by using evidence including intrusion detection system (IDS) alerts and system logs that have too many false positives is a challenge. Researchers have proposed aggregating redundant IDS alerts and using pre-defined attack scenario to reconstruct multi-step/multi-host attacks. To automate the process of constructing attacks, other researchers proposed using fuzzy rule based hierarchical reasoning framework to correlate alerts to reconstruct attack scenarios. However, this approach cannot handle missing evidence. Also, it does not provide any method to check if the constructed evidence graph has any legal standing.

To solve these problems, I designed a rule-based system to automate the attack scenario reconstruction process that is cognizant of the admissibility standards for evidence. My system provides the methodologies that (1) coalesce security event alerts and system logs by using correlation rules, (2) explain missing evidence by using “what if” scenarios, the support of a constructed anti-forensic database and an expert knowledge database, (3) determine the acceptability standards of evidence according to federal standards and the support of expert knowledge. I prototyped my system by extending Prolog with default and logical negations with probabilities.