Automated Analysis of Multi-Source Logs for Network Forensics

Nowadays, one reason attackers so rarely face legal sanctions is that collecting and analyzing forensic evidence is troublesome and time-consuming. Many research results exist on event correlation, but they are not directly suitable for network forensics. The work presented in this paper is based on the idea of collecting evidence from multiple network sensors and analyzing it automatically to improve the quality of forensic evidence. This paper first discusses the issues of log evidence. The framework of IEAAS (Automated Analysis System of Intrusion Evidences) is illustrated, with an LCA (Log Collection Agent) in each network sensor and multiple modules in IEAAS. The analysis mechanism is discussed; in particular, the improved aggregation algorithm and the evidence preservation method are described. A series of experiments is then performed to validate our method on actual attack network environments of CERNET. The results of the experiments show that our approach is practical and effective for dynamic forensics and augments computer crime investigators' efforts.
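As an added illustration (not the paper's own IEAAS/LCA code and not its improved aggregation algorithm), the following Python sketches the two steps the abstract names: merging records from several sensors into one evidence record, and preserving the merged records with a hash chain so later tampering is detectable. The two sensor line formats, the field names and the 60-second aggregation window are assumptions; the sample lines are constructed.

```python
import hashlib
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample records from two hypothetical sensors (an IDS and a
# firewall); the formats are assumed, not the paper's LCA record format.
IDS_LINES = [
    "2024-05-01T10:00:01 ids-1 ALERT sig=1001 src=10.0.0.5 dst=10.0.1.9",
    "2024-05-01T10:00:03 ids-2 ALERT sig=1001 src=10.0.0.5 dst=10.0.1.9",
    "2024-05-01T10:30:00 ids-1 ALERT sig=1001 src=10.0.0.5 dst=10.0.1.9",
]
FW_LINES = [
    "2024-05-01T10:00:02 fw-1 DENY src=10.0.0.5 dst=10.0.1.9 dport=445",
]

Event = namedtuple("Event", "ts sensor kind src dst")

def parse_line(line):
    # Both constructed formats: "<timestamp> <sensor> <kind> key=value ..."
    ts, sensor, kind, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Event(datetime.fromisoformat(ts), sensor, kind, fields["src"], fields["dst"])

def aggregate(events, window=timedelta(seconds=60)):
    """Merge events with the same (src, dst) that fall within `window` of a
    group's first event into one evidence record listing every sensor seen."""
    groups = []
    for ev in sorted(events, key=lambda e: e.ts):
        for g in groups:
            if (g["src"], g["dst"]) == (ev.src, ev.dst) and ev.ts - g["first"] <= window:
                g["sensors"].add(ev.sensor)
                g["kinds"].add(ev.kind)
                g["count"] += 1
                break
        else:  # no open group matched: start a new evidence record
            groups.append({"src": ev.src, "dst": ev.dst, "first": ev.ts,
                           "sensors": {ev.sensor}, "kinds": {ev.kind}, "count": 1})
    return groups

def preserve(groups):
    """Hash-chain the aggregated records: each digest covers the previous
    digest, so altering any record changes every later digest."""
    prev = "0" * 64
    chain = []
    for g in groups:
        text = (f"{prev}|{g['first'].isoformat()}|{g['src']}|{g['dst']}|"
                f"{sorted(g['sensors'])}|{sorted(g['kinds'])}|{g['count']}")
        prev = hashlib.sha256(text.encode()).hexdigest()
        chain.append((g, prev))
    return chain
```

Running `preserve(aggregate(parse_line(l) for l in IDS_LINES + FW_LINES))` yields two evidence records: the three sensors' near-simultaneous reports collapse into one record, while the report half an hour later stays separate.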
