A Graph Based Approach Toward Network Forensics Analysis
Source: ACM Transactions on Information and System Security (TISSEC), Volume 12, Issue 1 (October 2008), Article No. 4
Year of Publication: 2008
ISSN: 1094-9224
Authors: Wei Wang (Iowa State University), Thomas E. Daniels (Iowa State University)
Publisher: ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1410234.1410238

ABSTRACT

In this article we develop a novel graph-based approach toward network forensics analysis. Central to our approach is the evidence graph model that facilitates evidence presentation and automated reasoning. Based on the evidence graph, we propose a hierarchical reasoning framework that consists of two levels. Local reasoning aims to infer the functional states of network entities from local observations. Global reasoning aims to identify important entities from the graph structure and extract groups of densely correlated participants in the attack scenario. This article also presents a framework for interactive hypothesis testing, which helps to identify the attacker's nonexplicit attack activities from secondary evidence. We developed a prototype system that implements the techniques discussed. Experimental results on various attack datasets demonstrate that our analysis mechanism achieves good coverage and accuracy in attack group and scenario extraction with less dependence on hard-coded expert knowledge.
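The following is an added worked illustration of the two-level reasoning the abstract describes; it is not the authors' prototype or any code from the paper. It assumes a simplified evidence graph (hosts as nodes, IDS alerts aggregated into weighted directed edges), infers a host's functional state from the presence of inbound and outbound evidence at that host (local reasoning), uses total incident edge weight as a stand-in for graph-structural importance and connected components over confident edges as the "densely correlated group" extraction (global reasoning), and checks a hypothesised, unalerted link against secondary flow records (hypothesis testing). The alert and flow records are constructed, and the specific scoring rules are this example's choices, not the paper's methods.

```python
from collections import defaultdict

# Constructed sample alerts: (source host, destination host, signature, confidence).
# Made-up values for illustration; not data from the paper or the DARPA datasets.
ALERTS = [
    ("10.0.0.5", "10.0.1.10", "portscan", 0.6),
    ("10.0.0.5", "10.0.1.10", "sadmind_exploit", 0.9),
    ("10.0.0.5", "10.0.1.11", "portscan", 0.6),
    ("10.0.1.10", "10.0.1.11", "rsh_login", 0.8),   # compromised host pivots
    ("10.0.1.10", "10.0.1.12", "rsh_login", 0.8),
    ("10.0.1.11", "10.0.2.20", "ddos_flood", 0.7),
    ("10.0.1.12", "10.0.2.20", "ddos_flood", 0.7),
    ("10.0.3.30", "10.0.3.31", "ftp_anon", 0.3),    # unrelated, low-confidence noise
]

# Constructed secondary evidence, NetFlow-style: (src, dst, dst_port, bytes).
FLOWS = [
    ("10.0.0.5", "10.0.1.12", 22, 48000),   # no IDS alert covers this connection
    ("10.0.1.12", "10.0.0.5", 22, 9000),
    ("10.0.1.10", "10.0.1.11", 514, 1200),
]


def build_evidence_graph(alerts):
    """Evidence graph: hosts are nodes; each alert adds its confidence to the
    directed edge src->dst, so repeated alerts between a pair strengthen it."""
    graph = defaultdict(lambda: defaultdict(float))
    nodes = set()
    for src, dst, _sig, conf in alerts:
        graph[src][dst] += conf
        nodes.update((src, dst))
    return nodes, graph


def local_reasoning(nodes, graph):
    """Infer a functional state for each host from its own incident edges only."""
    in_w, out_w = defaultdict(float), defaultdict(float)
    for src, nbrs in graph.items():
        for dst, w in nbrs.items():
            out_w[src] += w
            in_w[dst] += w
    states = {}
    for n in nodes:
        if out_w[n] > 0 and in_w[n] > 0:
            states[n] = "stepping-stone"   # attacked, then attacks others
        elif out_w[n] > 0:
            states[n] = "attacker"
        elif in_w[n] > 0:
            states[n] = "victim"
        else:
            states[n] = "unknown"
    return states


def global_reasoning(nodes, graph, min_edge_weight=0.5):
    """Rank hosts by total incident evidence (a simple structural importance
    measure) and extract groups as connected components over confident edges."""
    importance = {n: 0.0 for n in nodes}
    parent = {n: n for n in nodes}   # union-find forest for component extraction

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for src, nbrs in graph.items():
        for dst, w in nbrs.items():
            importance[src] += w
            importance[dst] += w
            if w >= min_edge_weight:          # ignore weak, likely-noise edges
                parent[find(src)] = find(dst)
    ranked = sorted(importance.items(), key=lambda kv: (-kv[1], kv[0]))
    comps = defaultdict(set)
    for n in nodes:
        comps[find(n)].add(n)
    groups = sorted((frozenset(c) for c in comps.values() if len(c) > 1),
                    key=len, reverse=True)
    return ranked, groups


def check_hypothesis(nodes, graph, flows, src, dst, secondary_conf=0.4):
    """Hypothesis test: did src reach dst even though no alert says so?
    Supporting flow records add a lower-confidence edge to the graph."""
    support = [f for f in flows if f[0] == src and f[1] == dst]
    if support and dst not in graph[src]:
        graph[src][dst] += secondary_conf
        nodes.update((src, dst))
    return support


if __name__ == "__main__":
    nodes, graph = build_evidence_graph(ALERTS)
    print("local states:", local_reasoning(nodes, graph))
    ranked, groups = global_reasoning(nodes, graph)
    print("most important:", ranked[0], "groups:", [sorted(g) for g in groups])
    print("hypothesis support:",
          check_hypothesis(nodes, graph, FLOWS, "10.0.0.5", "10.0.1.12"))
```

On this constructed data the pivot host 10.0.1.10 ranks highest because it carries both the inbound exploit evidence and the outbound rsh logins, the low-confidence ftp_anon pair falls out of group extraction once weak edges are pruned, and the 10.0.0.5 to 10.0.1.12 link, invisible to the IDS, is recovered from the flow records and added at reduced confidence.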


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1. Carrier, B. D. and Spafford, E. H. 2004. Defining event reconstruction of digital crime scenes. J. Forensic Sci.
2. Carvalho, J. P. and Tome, J. A. B. 1999a. Rule based fuzzy cognitive maps and fuzzy cognitive maps: A comparative study. In Proceedings of the 18th International Conference of the North American Fuzzy Information Processing Society (NAFIPS'99). New York.
3. Carvalho, J. P. and Tome, J. A. B. 1999b. Rule-based fuzzy cognitive maps: Fuzzy causal relations. In Proceedings of the 8th International Fuzzy Systems Association World Congress (IFSA'99). Taiwan.
4.
5.
6. Dain, O. and Cunningham, R. 2001a. Building scenarios from a heterogeneous alert stream. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security (IAW'01). 231--235.
7. Dain, O. and Cunningham, R. 2001b. Fusing a heterogeneous alert stream into scenarios. In Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications (DMSA'01). 1--13.
8. DARPA. MIT Lincoln Lab 2000 DARPA intrusion detection scenario specific datasets. Retrieved from http://www.ll.mit.edu/IST/ideval/data/2000/index.html.
9. Debar, H., Dacier, M., and Wespi, A. 1999. A revised taxonomy for intrusion-detection systems. IBM Research Report.
10.
11. Eckmann, S., Vigna, G., and Kemmerer, R. 2000. STATL: An attack language for state-based intrusion detection. Dept. of Computer Science, University of California, Santa Barbara.
12. EnCase. EnCase Forensic Tool. Available at http://www.guidancesoftware.com.
13. eTrust. eTrust Network Forensics Solution. Available at http://www3.ca.com/.
14. Flowtools. flow-tools. Retrieved from http://www.splintered.net/sw/flow-tools/.
15. IDMEF. Intrusion Detection Message Exchange Format. Internet draft available at http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-14.txt.
16. Institute for Security Technology Studies. 2004. Law enforcement tools and technologies for investigating cyber attacks: Gap analysis report. Retrieved from http://www.ists.dartmouth.edu.
17. Jajodia, S., Noel, S., and O'Berry, B. 2005. Topological analysis of network attack vulnerability. In Managing Cyber Threats: Issues, Approaches and Challenges.
18.
19.
20. Kruegel, C. and Robertson, W. 2004. Alert verification: Determining the success of intrusion attempts. In Proceedings of the 1st Workshop on the Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'04). Dortmund, Germany.
21. LEDA. LEDA graph library. Retrieved from http://www.algorithmic-solutions.com/enleda.htm.
22. Morin, B. and Debar, H. 2003. Correlation of intrusion symptoms: An application of chronicles. In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03).
23. NetDetector. Available at http://www.niksun.com/Products-NetDetector.htm.
24. NetFlow. Cisco IOS NetFlow protocol. Retrieved from http://www.cisco.com/en/US/products/ps6601/home.html.
25.
26.
27.
28.
29. Qin, X. and Lee, W. 2003. Statistical causality analysis of INFOSEC alert data. In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03).
30. Qin, X. and Lee, W. 2004. Discovering novel attack strategies from INFOSEC alerts. In Proceedings of the 9th European Symposium on Research in Computer Security (ESORICS'04).
31. Ramakrishnan, C. and Sekar, R. 1998. Model-based vulnerability analysis of computer systems. In Proceedings of the 2nd International Workshop on Verification, Model Checking and Abstract Interpretation (VMCAI'98).
32.
33. SafeBack. SafeBack Bit Stream Backup Software. Available at http://www.forensics-intl.com/safeback.html.
34. Shanmugasundaram, K., Memon, N., Savant, A., and Bronnimann, H. 2003. ForNet: A distributed forensics network. In Proceedings of the 2nd International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security (MMM'03).
35.
36. Sheyner, O. and Wing, J. M. 2005. Tools for generating and analyzing attack graphs. In Proceedings of the International Symposium on Formal Methods for Components and Objects (FMCO'05).
37. Siraj, A., Bridges, S. M., and Vaughn, R. B. 2001. Fuzzy cognitive maps for decision support in an intelligent intrusion detection system. Tech. rep., Department of Computer Science, Mississippi State University.
38. Softflowd. Retrieved from http://www.mindrot.com/softflowd.html.
39.