ISU Electrical and Computer Engineering Archives

A graph oriented approach for network forensic analysis

Wang, Wei (2010) A graph oriented approach for network forensic analysis. PhD thesis, Iowa State University.



Network forensic analysis is the process of analyzing intrusion evidence captured from a networked environment to identify suspicious entities and the stepwise actions of an attack scenario. Unfortunately, the overwhelming volume and low quality of security-sensor output make it difficult for analysts to obtain a succinct, high-level view of complex multi-stage intrusions. This dissertation presents a novel graph-based network forensic analysis system. The evidence graph model provides an intuitive representation of the collected evidence as well as the foundation for forensic analysis. Based on the evidence graph, we develop a set of analysis components in a hierarchical reasoning framework. Local reasoning uses fuzzy inference to infer the functional states of a host-level entity from its local observations. Global reasoning performs graph-structure analysis to identify the set of highly correlated hosts that belong to a coordinated attack scenario; here we apply spectral clustering for generic investigation and PageRank for targeted investigation. An interactive hypothesis-testing procedure is developed to identify "hidden attackers" from evidence that is not explicitly malicious. Finally, we introduce the notion of a target-oriented effective event sequence (TOEES) to semantically reconstruct stealthy attack scenarios with less dependence on ad hoc expert knowledge. The well-established computational methods used in our approach provide the scalability needed for post-incident analysis in large networks. We evaluate the techniques on a number of intrusion detection datasets; the experimental results show that our approach is effective in identifying complex multi-stage attacks.
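The abstract names two global-reasoning methods over the evidence graph: PageRank for targeted investigation (start from a known victim, find the hosts whose evidence flows toward it) and spectral clustering for generic investigation (split the hosts into correlated groups by graph structure). The following Python is an added example, not the dissertation's code: it builds a weighted evidence graph from a handful of constructed alerts (the host addresses, signature names and severities are all made up), runs a personalized PageRank on the reversed graph seeded at the victim, and computes a Fiedler-vector bipartition with plain power iteration so it needs no numerical library. How the dissertation actually weights edges or normalizes the graph is not stated on this page; the severity-sum weighting and the Gershgorin shift used here are this example's own choices.

```python
"""Evidence-graph analysis: PageRank for targeted and spectral clustering for
generic investigation. Added example, not code from the dissertation; all host
addresses, alert signatures and severities below are constructed."""
from collections import defaultdict

# Constructed sensor output: (source, destination, signature, severity 1-5).
# 10.0.0.1 attacks 10.0.1.10, pivots to 10.0.1.20 and receives exfiltrated data;
# the 10.0.2.x hosts generate unrelated low-severity noise, with one weak link
# into the victim group so the graph is connected.
ALERTS = [
    ("10.0.0.1",  "10.0.1.10", "portscan",         2),
    ("10.0.0.1",  "10.0.1.10", "web-exploit",      5),
    ("10.0.1.10", "10.0.1.20", "lateral-smb",      4),
    ("10.0.1.20", "10.0.0.1",  "large-upload",     5),
    ("10.0.2.5",  "10.0.2.6",  "icmp-sweep",       1),
    ("10.0.2.6",  "10.0.2.7",  "policy-violation", 1),
    ("10.0.2.5",  "10.0.2.7",  "icmp-sweep",       1),
    ("10.0.2.5",  "10.0.1.10", "icmp-sweep",       1),  # noise touching the victim
]


def build_evidence_graph(alerts):
    """Directed evidence graph: edge weight = summed severity from src to dst."""
    graph = defaultdict(lambda: defaultdict(float))
    hosts = set()
    for src, dst, _sig, sev in alerts:
        graph[src][dst] += sev
        hosts.update((src, dst))
    return sorted(hosts), graph


def personalized_pagerank(hosts, graph, seed, damping=0.85, iters=200):
    """Targeted investigation: score hosts by how much evidence flows toward the
    seed (a known victim). We walk the REVERSED graph with teleport only to the
    seed, so hosts with no evidence path to the seed score exactly zero."""
    rev = defaultdict(lambda: defaultdict(float))
    for src, nbrs in graph.items():
        for dst, w in nbrs.items():
            rev[dst][src] += w
    rank = {h: float(h == seed) for h in hosts}
    for _ in range(iters):
        new = {h: (1.0 - damping) * float(h == seed) for h in hosts}
        for h in hosts:
            out = rev[h]
            total = sum(out.values())
            if total == 0.0:                      # dangling node: mass returns to seed
                new[seed] += damping * rank[h]
            else:
                for nbr, w in out.items():
                    new[nbr] += damping * rank[h] * w / total
        rank = new
    return rank


def fiedler_partition(hosts, graph, iters=3000):
    """Generic investigation: spectral bipartition of the undirected evidence graph.
    Power iteration on M = cI - L (L = weighted graph Laplacian, c a Gershgorin
    bound on its spectrum) with the all-ones eigenvector deflated converges to the
    Fiedler vector; the sign of each entry assigns the host to one of two groups."""
    idx = {h: i for i, h in enumerate(hosts)}
    n = len(hosts)
    W = [[0.0] * n for _ in range(n)]
    for src, nbrs in graph.items():
        for dst, w in nbrs.items():               # symmetrize: direction is ignored here
            W[idx[src]][idx[dst]] += w
            W[idx[dst]][idx[src]] += w
    deg = [sum(row) for row in W]
    c = 2.0 * max(deg)                            # every Laplacian eigenvalue lies in [0, c]
    M = [[W[i][j] + (c - deg[i] if i == j else 0.0) for j in range(n)] for i in range(n)]
    v = [i - (n - 1) / 2.0 for i in range(n)]     # deterministic, non-constant start vector
    for _ in range(iters):
        v = [sum(M[i][j] * v[j] for j in range(n)) for i in range(n)]
        mean = sum(v) / n
        v = [x - mean for x in v]                 # project out the trivial eigenvector
        norm = sum(x * x for x in v) ** 0.5
        v = [x / norm for x in v]
    positive = {h for h in hosts if v[idx[h]] > 0.0}
    return positive, set(hosts) - positive


if __name__ == "__main__":
    hosts, graph = build_evidence_graph(ALERTS)
    victim = "10.0.1.20"
    scores = personalized_pagerank(hosts, graph, victim)
    for h in sorted(hosts, key=scores.get, reverse=True):
        print(f"{h:12} {scores[h]:.3f}")
    print("spectral groups:", fiedler_partition(hosts, graph))
```

Seeded at the pivoted-into database host, the reversed-graph PageRank ranks the web server first and the external attacker second, gives the noisy scanner a small nonzero score (it does touch the victim group), and leaves the two hosts with no evidence path to the victim at exactly zero; the Fiedler sign split recovers the same {attacker, web, db} group against the three noise hosts without any seed. On a real sensor feed the same code applies once alerts are reduced to (src, dst, weight) triples; the fragile part in practice is the weighting, since a flood of low-severity scanner hits can outweigh one exploit unless severities are normalized per signature.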

EPrint Type: Thesis (PhD)
Uncontrolled Keywords: Network forensic analysis, evidence graph
Subjects: Computer Engineering > INFORMATION SYSTEMS SECURITY & NETWORKING > Information Assurance
Computer Engineering > INFORMATION SYSTEMS SECURITY & NETWORKING > Computer Networking and Security
ID Code: 577
Deposited By: Wei Wang
Deposited On: 21 November 2010
