A Formal Approach to Analyzing Cyber-Forensics Evidence

The frequency and harmfulness of cyber-attacks are increasing every day, and with them also the amount of data that the cyber-forensics analysts need to collect and analyze. In this paper, we propose a formal analysis process that allows an analyst to filter the enormous amount of evidence collected and either identify crucial information about the attack (e.g., when it occurred, its culprit, its target) or, at the very least, perform a pre-analysis to reduce the complexity of the problem in order to then draw conclusions more swiftly and efficiently. We introduce the Evidence Logic EL for representing simple and derived pieces of evidence from different sources. We propose a procedure, based on monotonic reasoning, that rewrites the pieces of evidence with the use of tableau rules, based on relations of trust between sources and the reasoning behind the derived evidence, and yields a consistent set of pieces of evidence. As proof of concept, we apply our analysis process to a concrete cyber-forensics case study.

[1]  Emiliano Lorini,et al.  Agents that speak: modelling communicative plans and information sources in a logic of announcements , 2011, AAMAS.

[2]  Paulo Shakarian,et al.  Cyber Attribution: An Argumentation-Based Approach , 2015, Cyber Warfare.

[3]  Paulo Shakarian,et al.  Belief revision in structured probabilistic argumentation , 2015, Annals of Mathematics and Artificial Intelligence.

[4]  W. Hoek,et al.  Dynamic Epistemic Logic , 2007 .

[5]  K. Suzanne Barber,et al.  Belief Revision Process Based on Trust: Agents Evaluating Reputation of Information Sources , 2000, Trust in Cyber-societies.

[6]  Peter Gärdenfors,et al.  On the logic of theory change: Partial meet contraction and revision functions , 1985, Journal of Symbolic Logic.

[7]  Emiliano Lorini,et al.  Trust-based belief change , 2014, ECAI.

[8]  Jürgen Dix,et al.  Belief change and argumentation in multi-agent scenarios , 2016, Annals of Mathematics and Artificial Intelligence.

[9]  Guillermo R. Simari,et al.  Temporal Defeasible Reasoning , 2001, Knowledge and Information Systems.

[10]  Johan van Benthem,et al.  Dynamic logic for belief revision , 2007, J. Appl. Non Class. Logics.

[11]  Brian Logan,et al.  Preference-based belief revision for rule-based agents , 2008, Synthese.

[12]  Andreas Herzig,et al.  A Tableau Method for Public Announcement Logics , 2007, TABLEAUX.

[13]  Richard Booth,et al.  Trust-Sensitive Belief Revision , 2015, IJCAI.

[14]  Jan A. Plaza,et al.  Logics of public communications , 2007, Synthese.

[15]  Guido Governatori,et al.  Temporal Extensions to Defeasible Logic , 2007, Australian Conference on Artificial Intelligence.

[16]  Alexandru Baltag,et al.  Conditional Doxastic Models: A Qualitative Approach to Dynamic Belief Revision , 2006, WoLLIC.

[17]  Philippe Balbiani,et al.  Group announcement logic , 2010, J. Appl. Log..