Authors: Wei Wang (Iowa State University), Thomas Daniels (Iowa State University)
DFRWS USA 2005
We develop a prototype network forensics analysis tool that integrates presentation, manipulation and automated reasoning of intrusion evidence. We propose the evidence graph as a novel graph model to facilitate the presentation and manipulation of intrusion evidence. For automated evidence analysis, we develop a hierarchical reasoning framework that includes local reasoning and global reasoning. In local reasoning, we apply Rule-based Fuzzy Cognitive Maps (RBFCM) to model the state evolution of suspicious hosts. In global reasoning, we aim to identify group of strongly correlated hosts in the attack and derive their relationships in the attack scenario. Our analysis mechanism effectively integrates analyst feedbacks into the automated reasoning process. Experimental results demonstrate the potential of our proposed techniques.