Building Evidence Graphs for Network Forensics Analysis

Wei Wang
Iowa State University

Thomas E. Daniels
Iowa State University

In this paper, we present techniques for a network forensics
analysis mechanism that includes effective evidence presentation,
manipulation and automated reasoning. We propose the evidence
graph as a novel graph model to facilitate the presentation and
manipulation of intrusion evidence. For automated evidence
analysis, we develop a hierarchical reasoning framework that
includes local reasoning and global reasoning. Local reasoning
aims to infer the roles of suspicious hosts from local
observations. Global reasoning aims to identify groups of strongly
correlated hosts in the attack and derive their relationships. By
using the evidence graph model, we effectively integrate analyst
feedback into the automated reasoning process. We develop a
prototype tool, and experimental results demonstrate the potential
of our proposed approaches.

Keywords: Network Forensics, Intrusion Evidence, Evidence Graph, Hierarchical Reasoning Framework
