论文信息 - A Novel Methodology for Malware Intrusion Attack Path Reconstruction

A Novel Methodology for Malware Intrusion Attack Path Reconstruction

After an intrusion has propagated between hosts, or even between networks, determining the propagation path is critical to assess exploited network vulnerabilities, and also to determine the vector and intent of the initial intrusion. This work proposes a novel method for malware intrusion attack path reconstruction that extends post-mortem system state comparison methods with network-level correlation and timeline analysis. This work shows that intrusion-related events can be reconstructed at the host level and correlated between related hosts and networks to reconstruct the overall path of an attack. A case study is given that demonstrates the applicability of the attack path reconstruction technique.

Joshua James | Ahmed F. Shosha | Pavel Gladyshev

[1] Joshua James,et al. Temporal Analysis of Windows MRU Registry Keys , 2009, IFIP Int. Conf. Digital Forensics.

[2] Richard Lippmann,et al. Practical Attack Graph Generation for Network Defense , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[3] M. Tahar Kechadi,et al. On the persistence of deleted windows registry data structures , 2009, SAC '09.

[4] Joshua James,et al. A comparative methodology for the reconstruction of digital events using windows restore points , 2009, Digit. Investig..

[5] Kris Harms,et al. Forensic analysis of System Restore points in Microsoft Windows XP , 2006, Digit. Investig..

[6] M. Tahar Kechadi,et al. Extraction and Categorisation of User Activity from Windows Restore Points , 2008, J. Digit. Forensics Secur. Law.

[7] Ryan D. Pittman,et al. Windows Forensic Analysis , 2010 .

[8] Duminda Wijesekera,et al. Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[9] Ahmed Patel,et al. Formalising Event Time Bounding in Digital Investigations , 2005, Int. J. Digit. EVid..

[10] Harlan Carvey. Windows Forensic Analysis: DVD Toolkit , 2007 .

[11] Somesh Jha,et al. Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[12] Tahar Kechadi,et al. Extraction of User Activity through Comparison of Windows Restore Points , 2008 .