Network Forensics Method Based on Evidence Graph and Vulnerability Reasoning

Transcription

1 future internet Article Network Forensics Method Based on Evidence Graph Vulnerability Reasoning Jingsha He 1, Chengyue Chang 1, *, Peng He 2, * Muhammad Salman Pathan 1 1 Faculty Information Technology & Beijing Engineering Research Center for IoT Stware Systems, Beijing University Technology, Beijing , China; jhe@bjut.edu.cn (J.H.); muhammad.salman@nu.edu.pk (M.S.P.) 2 College Computer Information Technology, China Three Gorges University, Yichang , China * Correspondence: cychang@ s.bjut.edu.cn (C.C.); hpeng@ctgu.edu.cn (P.H.); Tel.: (C.C.); (P.H.) Academic Editors: Jiankun Hu Dino Giuli Received: 14 August 2016; Accepted: 18 October 2016; Published: 10 November 2016 Abstract: As Internet becomes larger in scale, more complex in structure more diversified in traffic, number crimes that utilize computer technologies is also increasing at a phenomenal rate. To react to increasing number computer crimes, field computer network forensics has emerged. The general purpose network forensics is to find malicious users or activities by garing dissecting firm evidences about computer crimes, e.g., hacking. However, due to large volume Internet traffic, not all traffic captured analyzed is valuable for investigation or confirmation. After analyzing some existing network forensics methods to identify common shortcomings, we propose in this paper a new network forensics method that uses a combination network vulnerability network evidence graph. In our proposed method, we use vulnerability evidence reasoning algorithm to reconstruct attack scenarios n backtrack network packets to find original evidences. Our proposed method can reconstruct attack scenarios effectively n identify multi-staged attacks through evidential reasoning. Results experiments show that evidence graph constructed using our method is more complete credible while possessing reasoning capability. Keywords: network forensics; evidence graph; vulnerability reasoning; vulnerability evidence reasoning algorithm 1. Introduction With emergence global information era, computer networks have become an indispensable infrastructure. As a result continuous development computer network technologies, number network fenses has been increasing rapidly, which has evolved from technical issues to global social issues, forcing national governments to adopt ways maintaining right users to implement tough sanctions on network criminals. In this context, network forensics can play an important role by fering scientifically proven methods to gar, process, interpret use digital evidence to provide a conclusive description cyber-crime activities [1]. Both traditional digital forensics network forensics would need to obtain or identify potential electronic evidence. However, network forensics is different from traditional digital forensics in that it needs to extract analyze dynamic communication data over network to provide valid electronic evidences about activities attackers to court. Network forensics have some common features with network intrusion detection, i.e., y all need to acquire network packets for analysis [2]. The main difference is that while network intrusion detection only needs to detect intrusions n Future Internet 2016, 8, 54; doi: /fi

2 Future Internet 2016, 8, respond to m, network forensics is science dealing with capturing, recording analyzing network events traffic in order to obtain evidences intrusions. Network forensic analysis is a process that analyzes intrusion evidence in networked environments to identify suspicious users as well as actions in an attack scenario. Unfortunately, overwhelming amount low quality network data makes it very difficult for analysts to obtain succinct presentation complex multi-staged intrusions. In current literature, network forensics techniques have been studied on basis forensic tools, process models framework implementations. However, re is still a lack comprehensive study on cybercrime investigation that uses network forensics frameworks along with a critical review present network forensics techniques [3]. In this paper, we present a modular analysis process in which evidence graph evidence reasoning are applied to network forensics analysis. While evidence graph provides basis for evidence analysis, vulnerability evidence reasoning algorithm is used to reconstruct attack scenarios so as to backtrack network packets to derive original evidences. We will also perform some experiments to validate our proposed method to compare our method to Wang s network forensics analysis method [4] primarily through using MIT Lincoln Laboratory LLDOS 1.0 LLDOS datasets [5] to demonstrate effectiveness accuracy our method. Experiment results will demonstrate that evidence graph constructed using proposed method is effective with certain reasoning ability thus can be used as a powerful tool for rapid effective network forensics analysis. The remainder this paper is organized as follows. Section 2 contains a literature review related research work. Section 3 presents proposed method Section 4 describes experiments as well as analysis results. Section 5 summarizes work that we have done outlines some ideas for future work. 2. Related Work Frequent occurrence computer fenses has prompted development network forensic technologies. In United States, computer-derived evidence has been accepted by court since Network forensics was first proposed in 1990s by Ranum [6], who has been credited with defining network forensics as capture, recording analysis network events in order to discover source security attacks or or problem incidents. Network forensics is defined by Palmer as use scientifically proven techniques to collect, identify, examine, correlate, analyze, document digital evidence from multiple, actively processing digital sources for purpose uncovering facts related to unauthorized activities meant to disrupt, corrupt, /or compromise system components as well as providing information to assist in response to or to recover from se activities [7]. Based on above definitions, Schwartz described aim network forensics as reconstruction network events to provide sufficient evidence to allow perpetrators to be prosecuted [8]. In order to acquire evidences, various network forensic methods have been proposed to collect analyze network data. Pilli proposed a method that collects packets under TCP/IP protocol to analyze common characteristics attacks so as to filter suspicious packets [9]. However, high data rate network traffic creates difficulties for network forensics in capture preservation all network packets [10]. Kaushik, through scanning ports, found that attackers could find potential loopholes n use se vulnerabilities to attack hosts [11]. Roussev et al. outlined a method collecting relevant data by utilizing latency-optimized target acquisition (LOTA) whereby data is collected sequentially without need for continually seeking to locate data [12]. Data integrity plays a vital role in process network forensics, which expresses ability keeping accurate, complete consistent data in network. Mukkamala proposed a method that uses artificial intelligence techniques, such as ANNs (Artificial Neural Networks) SVMs (Support Vector Machines), to ensure integrity evidence in network forensics [13]. Xie et al. designed

3 Future Internet 2016, 8, implemented PIDAS, a Provenance aware Intrusion Detection Analysis System that integrates both online intrusion detection fline forensic analysis. The method expresses reveals causality-based relationship between invasion process files that are infected [14]. However, network forensics is different from intrusion detection analysis by emphasizing on different points. Rekhis Boudriga developed an Investigation-based Temporal Logic Actions a high level specification language for digital investigation [15], entitled I-TLA I-TLA +, respectively. I-TLA + can be used to generate executable specifications attack scenarios, showing sufficient details about how an attack is conducted how system behaves accordingly. Our method will generate attack scenarios identify multi-staged attacks through evidential reasoning. Today s Industrial Control Systems (ICSs) operating in critical infrastructures (CIs) are becoming increasingly complex. Settanni et al. presented a collaborative approach to protecting cyber incident information in which extensive use proposed pan-european incident management system was outlined [16]. Cherdantseva et al. indicated that although re were already a number risk assessment methods for SCADA (Supervisory Control Data Acquisition) systems, re was still need for furr research improvement [17]. While being able to aid investigation attacks by tracing attacks back to ir sources attributing crimes to individuals, hosts or networks, network forensics should also have ability to predict future attacks by constructing attack patterns from existing traces intrusion data [18]. Network forensics should provide functionalities such as attacker identification attack reconstruction to complement traditional intrusion detection perimeter defense techniques in building a robust security mechanism. Chen et al. proposed a scalable forensics mechanism to identify origin stealthy self-propagating attacks [19] in which spatial temporal contact activities are utilized to reduce traffic volume to back track attacks. Causality reasoning on network events can help relationship discovery provide detailed insights on event relations. Zhang et al. applied machine learning methods to detecting malware activities through network traffic analysis [20] developed an approach to analyze programs as black boxes from network perspective. However, problem is different from one that we concern about. Ammann proposed a method based on map network vulnerability analysis, which shows evidences using an evidence graph [21]. Palmer proposed a method that uses an attack graph to display route attackers takes attack graph as evidence [7]. Rasmi et al. proposed to use attack graphs for network intrusion detection to identify intentions attackers, which can provide help for detection network intrusions [22,23]. Liu suggested a method to codify federal rules on digital evidence in a Prolog based tool to construct an evidence graph to visualize corresponding attack scenarios that have happened in an attacked network [24]. Wang Daniels (2008) developed a graph-based approach toward network forensics analysis. An evidence graph model would facilitate evidence presentation automated reasoning [25]. Tian developed a real-time network intrusion forensics method called NetForensic [2], thus introducing vulnerabilities into network intrusion forensics field. The evidence graph that is used to display network evidences has been gradually improved over years. Noneless, current network forensics methods exhibit following common shortcomings: Evidence from a single source (only network packets or alerts from network intrusion detection systems) may lead to incomplete or misleading evidences. Data preprocessing methods used in network forensics may lead to accuracy problem since such methods are generally less accurate to ensure that result data is truly related to particular crime event. Some methods do not employ data preprocessing, resulting in low efficiency when dealing with a huge quantity data. The network forensics method that we propose in this paper thus has following merits: Our method can process data from multiple sources, which would help to produce more complete evidences.

4 Future Internet 2016, 8, Our method uses machine learning algorithm SVM to filter suspicious data. Future Internet 2016, 8, Our method uses Event Vector (EV) to unify heterogeneous data before storing analyzing m. Our method Our method employs employs network network vulnerability vulnerability analysis analysis to to derive forensic forensicresults. results. 3. The 3. Proposed The Proposed Method Method Our proposed Our proposed method combines evidence graph vulnerability reasoning. reasoning. To ensure To ensure that that method follows certain procedures, we first propose a anew network forensics framework that that conforms conforms to to general general principles principles network network forensics. The framework is isshown shown in in Figure Figure Figure Figure 1. A1. Framework A for for Network Forensics. The functionality each component in framework is briefly described below: The functionality each component in framework is briefly described below: Data collection module collects digital evidence (network program logs network packets) Data from collection heterogeneous module nodes collects deployed digitalin evidence network (network in which program network logs packets are network primary packets) from sources heterogeneous network nodes program deployed logs are in network accessorial in ones. which network packets are primary Data preprocessing module adds digital signature timestamp to digital evidence to ensure sources network program logs are accessorial ones. integrity data. Data preprocessing Data storage module module stores adds collected digital data signature into a database timestamp to ensure to data digital authority evidence to nonrepudiation. data. ensure integrity Data Data storage stardization module stores module extracts collected data common into fields a from database collected to ensure data, converts data authority m non-repudiation. into a unified format presents results as an event vector. In addition, SVM is used to Data stardization filter out benign packets module extracts suspicious common packets so fields as to from reconstruct collected accurate data, evidence converts graph m using suspicious packets. into a unified format presents results as an event vector. In addition, SVM is used to filter Evidence reasoning module uses vulnerability evidence reasoning algorithm (VERA) to infer out benign packets suspicious packets so as to reconstruct accurate evidence graph using attacked nodes as well as attacking routes. Primary data can also be backtracked to provide suspicious packets. more clearer evidence. Evidence Evidence reasoning presentation module module uses uses vulnerability evidence evidence graph to reasoning show final algorithm evidence, which (VERA) would to infer attacked include nodes as intrusion well asnodes attacking as well as routes. operations Primary between data can nodes. also be backtracked to provide more Note clearer that core evidence. to our analysis method are data stardization module, evidence graph Evidence construction presentation module module evidence usesreasoning evidence module. graph The to evidence show final graph evidence, construction which module would include constructs intrusion evidence nodes graph as based well on as preprocessed operations data between updates nodes. graph attributes. Afterwards,

5 Future Internet 2016, 8, Note that core to our analysis method are data stardization module, evidence graph construction module evidence reasoning module. The evidence graph construction module constructs evidence graph based on preprocessed data updates graph attributes. Afterwards, evidence reasoning module performs attack scenario inference based on graph structure. In following, we will describe se main modules in more details Data Collection The Scientific Working Group for Digital Evidence (SWGDE) defined electronic evidence as information probative value that is stored or transmitted in a binary form [26]. Casey noted electronic evidence as any constitution or relevant digital data that is enough to prove a crime in terms computer network storage media [27]. In order to make evidence from network forensics valid, following principles should always be obeyed: Primitiveness evidence: evidence should never be changed or destroyed. Integrity evidence: analysis transmission process must ensure integrity data. Continuity evidence: when network evidence is submitted to court, evidence should illustrate process relevant events. Auntication evidence: whole process evidence collection must be properly supervised. The evidence in network forensics may come from multiple sources or different channels. In our study, cyber-crime data include but are not limited to following sources: Network packets; Operating system log files; Anti-virus stware log files; IIS server log files, FTP server log files, etc.; Firewall log files. Heterogeneous data is collected from above sources, among which network packets are primary source. Although attributes evidence may vary with different sources, some essential fields apply to all categories evidence should be converted into a unified format Data Stardization Tasks in data stardization stage include normalization filtration. All types evidence from heterogeneous sources should be converted into a uniform format for analysis Event Vector Event vector (EV) is defined as: EV = <ID, Source, Target, Operation, Timestamp, Data_Source>, which can be expressed as: Source Operation Target Timestamp In an EV, source represents main enforcer, target represents object that is bearer event, operation is an action that is executed by source that would influence target, timestamp indicates time operation, Data_Source indicates where digital vector originates from, i.e., a network packet or a log file. These data fields are stored in form an event vector, which would help to construct evidence graph. According to definition EV, a child process that is invoked by a parent process can be expressed as: Fork Parent Child Timestamp

6 Future Internet 2016, 8, The parent process is source, child process is target fork is operation. If child process writes into a file next, it can be expressed as: Child Write Timestamp File The child process is source, file is target write is operation. Similarly, according to definition EV, a network packet can be defined as <ID, IP1, IP2, Visit, Timestamp, Net packet>, which can be expressed as: IP1 Visit Timestamp IP2 Event vectors are used to unify collected data which will be used to construct evidence graph to facilitate analysis evidence for investigation Support Vector Machine (SVM) Machine learning techniques are widely used in data mining in general network traffic analysis in particular. Support vector machine (SVM) [28] is one most popular supervised learning algorithms for both regression classification problems due to its robustness high accuracy. SVM is capable accurately classifying network traffic through using a small set training samples, making it an effective tool to perform network packet classification. We will use widely popular open source SVM code LIBSVM [29] in our experiments to separate suspicious packets from all or packets. This is because large percentage redundancy that exists in network packets would make it difficult to analyze attacks in an efficient manner. We thus use SVM to filter out benign packets suspicious packets n use suspicious packets to construct an accurate evidence graph. The use LIBSVM generally involves two steps: first, training a data set to obtain a model second, using model to predict information a testing data set. We adopt data that was acquired from 1998 DARPA intrusion detection evaluation program which is blasted with multiple attacks in a local area network (LAN) that simulated a typical U.S. Air Force LAN. For each TCP/IP connection, 41 various quantitative qualitative features (KDD-CUP-99 [30] Task Description) were extracted. We partition packets into two classes: normal attack, where attack packets consist collection all 22 different attacks. In experiment, all attack packets are classified labeled as +1 normal data as 1. We use a training set 7312 data items with 41 features. The data set contains benign packets suspicious packets. First, we transform each every packet into a matrix that consists 41 features a class flag as shown in following example records: duration, protocol_type, service, flag, src_bytes, dst_bytes, l, wrong_fragment, urgent, hot, num_failed_logins, Logged in, num_compromised, root_shell, SU_attempted, num_root, num_file_creations, num_shells, num_access_files, num_outbound_cmds, is_hot_login, is_guest_login, count, serror_rate, rerror_rate, same_srv_rate, diff_srv_rate, srv_count, srv_serror_rate, srv_rerror_rate, srv_diff_host_rate, dst_host_count, dst_host_srv_count, dst_host_same_srv_rate, dst_host_diff_srv_rate, dst_host_same_src_port_rate, dst_host_srv_diff_host_rate, dst_host_serror_rate, dst_host_srv_serror_rate, dst_host_rerror_rate, dst_host_srv_rerror_rate 0,tcp,http,SF,210,151,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,8,89,1.00,0.00, 0.12,0.04,0.00,0.00,0.00,0.00 0,tcp,http,SF,212,786,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,8,99,1.00,0.00, 0.12,0.05,0.00,0.00,0.00,0.00

7 Future Internet 2016, 8, All packets are transformed into above format are n stored in a matrix named data as training data. Then, we place class tag (1 or 1) in a label variable. The data matrix is an attribute matrix where number rows columns are determined by number samples number attributes, respectively. The label variable is a class tag (1 or 1). Lastly, we use Future Internet 2016, 8, LIBSVM to build a classification model which we have used to test 6980 data items with 41 features. The method The method processing processing test test data data is is same as above Table Table 1 lists 1 lists results results while while Figure Figure 2 shows 2 shows ROC ROC curve. curve. Table Testing Results. Parameter Training Dataset Testing Dataset Parameter Data volume Training 7312 Dataset Testing 6980 Dataset Support Data volume vector number Support Kernel vector function number RBF 567 Kernel C (optimal) function RBF 16 γ C (average (optimal) optimal) γ (averagetime optimal) s Time 1.63 s Figure ROC curve. Network Network packet packet classification classification would would filter filter out out suspicious packets packets from from a dataset a dataset result result will be stored in form event vector. With data stardization, we can use stardized will be stored in form event vector. With data stardization, we can use stardized data data to construct an evidence graph. to construct SVM an evidence is used to filter graph. out benign packets suspicious packets so as to construct a more accurate SVM evidence is used graph to filter using out benign suspicious packets packets. Therefore, suspicious packets key to SVM so as classification to construct is to a more filter out accurate evidence suspicious graph using packets suspicious ROC curve packets. shows Therefore, TPR FPR key attack to SVM class. classification TPR expresses is totrue filter out suspicious positive packets rate as Y axis ROC curve ROC shows curve while TPR FPR expresses FPR attack false class. positive TPR rate expresses as X axis true positive rate ROC as curve. YWe axis can see from ROC Figure curve 2 while high FPR accuracy expresses SVM in filtering false positive out suspicious rate aspackets. X axis ROC curve. We can see from Figure 2 high accuracy SVM in filtering out suspicious packets Evidence Graph 3.3. Evidence The Graph evidence graph is foundation our forensic analysis since it provides an intuitive representation collected forensic evidences. Therefore, constructing a complete evidence graph is The evidence graph is foundation our forensic analysis since it provides an intuitive most important step in our method. According to definition EV, each collected representation forensic evidences collected can forensic be expressed evidences. by an EV. Therefore, We can n constructing build an evidence a complete graph evidence based on graph is most EVs. important step in our method. According to definition EV, each collected forensic evidences An evidence can be graph expressed (EG) is a by directed an EV. graph We can EG n = <V, build E> in an which evidence V is graph set based vertices onthat EVs. An should evidence include graph all (EG) objects is ain directed event graph vectors EG = E <V, is E> set in which edges {<S, V ist, Timestamp S, set vertices T that shouldv include & Path(S, all T)>} describing objects in relationships event vectors between Evertices is set a finite edges set. Path(S, {<S, T, T) Timestamp S, indicates a one way path from vertex S to vertex T. T V & Path(S, T)>} describing relationships between vertices a finite set. Path(S, T) indicates The evidence graph is an effective mechanism that helps to incorporate relevant information a one-way path from vertex S to vertex T. into evidence reasoning process. Each path in evidence graph has following attributes:

8 Future Internet 2016, 8, The evidence graph is an effective mechanism that helps to incorporate relevant information Future Internet 2016, 8, into evidence reasoning process. Each path in evidence graph has following attributes: timestamp, timestamp, operation operation data data source. source. In In evidence graph, digital evidences are aresorted sorted by by time time based on based on timestamps, timestamps, starting starting from from first in record, moving to to next next along along time time ending at at last. The operation between two two nodes nodes is very is very significant. significant. Operations Operations such as such FTP as FTP upload are very dangerous to target. In proposed network forensics method, network packets packets carry acarry higher a higher level level importance importance to prove to prove validity evidence. Figure Figure 3 illustrates 3 illustrates proposed proposed algorithmic algorithmic procedure procedure for for constructing an an evidence evidence graph. graph. Figure Figure 3. The 3. The Algorithm for for Constructing an Evidence Graph Evidence 3.4. Evidence Reasoning Reasoning Our method applies evidence reasoning to network forensics based on evidence graph, Our method applies evidence reasoning to network forensics based on evidence graph, taking taking into consideration node vulnerabilities as well as connections between nodes. The analysis into consideration results should show node vulnerabilities details network as well forensics as connections evidence between attack nodes. scenarios The including analysis results shouldidentification show details key nodes network in forensics evidence evidence graph as well attack as key scenarios steps attacks. including identification key nodes in evidence graph as well as key steps attacks Vulnerability Relevance Analysis Vulnerability Relevance Analysis Analysis past attacks that exploited network vulnerabilities indicates that attackers usually Analysis use multiple past hosts attacks vulnerabilities that exploited to attack network a network vulnerabilities or a host indicates nodes. Thus, that attackers relevance usually use multiple vulnerabilities hosts has vulnerabilities become increasingly to attack important a network in network a security. host nodes. Thus, relevance vulnerabilities National has become Vulnerability increasingly Database important (NVD) [31] inhas network been widely security. used in various areas. Based on regular rules vulnerabilities, we can establish relationships between vulnerabilities in NVD. National Vulnerability Database (NVD) [31] has been widely used in various areas. Based on Common Vulnerabilities & Exposures (CVE) [32] can be used as a data dictionary to unify names regular rules vulnerabilities, we can establish relationships between vulnerabilities in NVD. information security vulnerabilities or weaknesses. Common Vulnerability Scoring System (CVSS) Common Vulnerabilities & Exposures (CVE) [32] can be used as a data dictionary to unify names [33] is a free open industry stard which can be used to assess mark security information vulnerabilities. security vulnerabilities or weaknesses. Common Vulnerability Scoring System (CVSS) [33] is a free The open process industry scanning stardvulnerabilities which can beinvolves used tour assess steps: (1) mark scan security target vulnerabilities. network; (2) The determine process existence scanning vulnerabilities through involves comparing four steps: with NVD (1) records; scan (3) target query CVE network; to (2) determine existence names vulnerabilities; through (4) calculate comparing vulnerability with NVDscores records; through (3) query CVSS CVE to determine vulnerability names scoring vulnerabilities; system. (4) calculate vulnerability scores through CVSS vulnerability scoring system.

9 Future Internet 2016, 8, Nessus is a popular tool that can be used to scan vulnerabilities to update vulnerability database at any time. Nessus is fully compatible with CVE. To better underst, following example is used to illustrate process constructing vulnerability database. Scanning target using Nessus would identify a vulnerability named CVE which should appear in vulnerability report by Nessus. In report, every vulnerability will have Risk information. In this case, risk information for CVE is as follows: Risk Factor: Medium CVSS Base Score: 4.0 CVSS Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N CVSS Temporal Vector: CVSS2#E:ND/RL:OF/RC:C CVSS Temporal Score: 3.5 As shown above, influence vulnerability CVE is medium. Table 2 shows detail CVSS base score Table 3 shows detail CVSS temporal Score. Table 2. CVSS Base Score. Base Metric Evaluation Score Access Vector Network 1.0 Access Complexity High 0.35 Auntication None Confidentiality Impact Partial Integrity Impact Partial Availability Impact None 0.0 Base Score = round_to_1_decimal (((0.6 Impact) + (0.4 Exploitability) 1.5) f(impact)) Impact = (1 (1 ConfImpact) (1 IntegImpact) (1 AvailImpact)) Exploitability = 20 Access Vector Access Complexity Auntication f(impact) = 0 if Impact = 0, orwise Table 3. CVSS Temporal Score. Base Metric Evaluation Score Exploitability Not Defined 1.0 Remediation Level Official Fix 0.87 Report Confidence Confirmed 1.0 Temporal Score = round_to_1_decimal (Base Score Exploitability Remediation Level Report Confidence) From vulnerability report, we can see all vulnerabilities as well as scores vulnerabilities target Such information is n stored in a network vulnerability database as shown in Table 4. Table 4. Network Vulnerability Database. Host Average Base Score Average Temporal Score Average Score Through this process, we can obtain vulnerability scores for network hosts store m in a network vulnerability database that provides information about vulnerabilities each host in network.

10 Future Internet 2016, 8, Future Internet 2016, 8, Vulnerability Evidence Reasoning Algorithm We We propose propose a Vulnerability a Vulnerability Evidence Evidence Reasoning Reasoning Algorithm Algorithm (VERA) (VERA) based based on on evidence evidence graph graph network network vulnerability vulnerability database. database. The algorithmic The algorithmic procedure procedure is illustrated is illustrated in Figure 4. in Using Figure this4. algorithm, Using this we algorithm, can inferwe attacked can infer nodes attacked as well nodes as attacking as well as routes. attacking In VERA, routes. each In VERA, network each node network has two node important has two important values: values: degree importance degree importance node (called node Nodeworth) (called Nodeworth) that that links (Linkworth). links (Linkworth). Nodeworth Nodeworth is defined as is defined value as vulnerabilities value vulnerabilities that a host has that while a host Linkworth has while is Linkworth sum is Nodeworth sum all Nodeworth nodes that all have nodes outgoing that links have to outgoing node. links In our to case, node. value In our case, Nodeworth value is Nodeworth summation is summation average base score average average base score temporal score, average as illustrated temporal in score, Table as 4. If illustrated a network in host Table is vulnerable, 4. If a network it can be host easily is attacked vulnerable, compromised. it can be easily The attacked initial value compromised. Nodeworth is The initial average value value Nodeworth vulnerability is average a node. value vulnerability a node. 1 / n 1 n Figure 4. The Procedure for Vulnerability Evidence Reasoning. Figure 4. The Procedure for Vulnerability Evidence Reasoning Following are steps VERA algorithm to to be be applied to to network forensics: H is is adjacency adjacency matrix matrix for for evidence evidence graph graph assuming assuming that that set set nodes nodes N = {nn = {n1, n2,, 1, n 2,..., n n }. nn}. For any node ni N, yi is Nodeworth node, zi is Linkworth node, Ai For any node n is i N, y i is Nodeworth node, z i is Linkworth node, A i is set set nodes that have outgoing links to node, Bi nodes that have outgoing links to node, B is set nodes to which this node i is set nodes to which this node has outgoing has outgoing links. links. Z is Z is Linkworth Linkworth all all nodes. nodes. 2. Initialize Nodeworth vector y Linkworth vector:

11 Future Internet 2016, 8, Initialize Nodeworth vector y Linkworth vector: y 0 = ( Vul1 n, Vul 2 n,..., Vul n n ) T (1) z 0 = ( 1 n, 1 n,..., 1 n ) T (2) Then, (Vul 1, Vul 2,..., Vul n ) is average vulnerability score a host node. 3. At kth iteration, Nodeworth node n i is y k i which is equal to sum z i, i.e., y = H T Z. y k i = i A i z i (3) 4. After a new Nodeworth vector y is obtained in previous step, Linkworth host is sum y i. i.e., Z = Hy. zi k = y i (4) i B i 5. The sum each vector is equal to 1. Thus, execute two steps until y converge. n i=1 y 2 i = 1, n i=1 z 2 i = 1 (5) Y contains Nodeworth values all nodes which are sorted in an ascending order. The more vulnerable a node is, higher score node. Z contains Linkworth values all nodes in descending order. If a link connects important nodes, it is easy to be attacked. In addition to definitions Nodeworth Linkworth, we can also consider relevance vulnerability. We can thus consider a node with a high Nodeworth value to be a potential cidate attack a node with a high Linkworth value to be a potential victim. Based on network vulnerability result VERA, we can identify attacker victim in evidence graph reconstruct attack scenario. 4. Experiments Analysis In this paper, we designed two sets experiments to evaluate our network forensics approach. The first experiment was performed based on test data collected from a small network environment we set up in our lab to validate our proposed approach. Given limited amount traffic small scale experimental environment in first experiment, we carried out anor experiment by using a well-known dataset widely used in network security research to furr validate our proposed approach. We will describe experiments that we performed along with an analysis results from experiment that used more general datasets Experiment with Collected Data In this experiment, we set up a test network environment with real network traffic, simulated some network attacks applied our proposed network forensics approach to detect attacks. Our experimental network setup followed very closely that Lincoln Laboratory for generating intrusion detection evaluation datasets [4]. The whole experimental network setup includes test network segment attack segment with test network segment including a Windows target, a Linux target a traffic generator. The Windows target has some common loopholes backdoors Linux target fers services such as WWW, FTP, Telnet, Finger, etc. The traffic generator was used to generate background traffic Snort stware was used to collect network packets

12 Future Internet 2016, 8, Future Internet 2016, 8, that were stored in a database. A Windows attacker was used to generate attacks host adopts multiple attacks. Any Linux kind attacker attacks simulates could be considered, to generatebut multiple due to attacks limited hostscale install network attack tool. as well as Any kind excessive attacks number could be malicious considered, attacks, but it due may tonot be limited feasible scale to simulate network every type as well attacks. as excessive Using number simulated malicious network attacks, environment, it maywe not collected be feasible a moderate to simulate amount every network type packets attacks. Using stored simulated packets network in a environment, MySQL database we collected that were alater moderate classified amount by SVM network through which packets suspicious stored packets were in an MySQL obtained database stored that were in later database classified in by form SVM event through vector. which Finally, suspicious we applied packets were VERA n obtained algorithm to derive storedattack in routes database in attackers form with event vector. original Finally, evidence we graph applied being VERAstored algorithm in an adjacency to derive attack matrix. routes attackers with original evidence graph being stored in an adjacency We performed matrix. experiment several times with traffic generator generating We performed background traffic experiment ranging several from hundreds times with to thouss traffic generator network generating packets. In all background cases, we traffic ranging simulated from hundreds same attack, to thouss used SVM to network classify packets. packets In all to arrive cases, at an we evidence simulated graph same shown in Figure 5. attack, used SVM to classify packets to arrive at an evidence graph shown in Figure 5. Figure Figure 5. The5. Evidence The Evidence Graph Graph First Experiment First Experiment Scenario. Scenario. From From evidence, evidence, graph shown graph shown in Figure in Figure 5, we can 5, we clearly can clearly see see succinct succinct complete complete attack attack procedure. procedure. First, First, attacker attacker used telnet used telnet from host from host to logto into log host into host Then, Then, attacker attacker used instructions used instructions useradd useradd groupadd groupadd to addto access add access privileges. privileges. Next, Next, attacker reset attacker reset password password though though instruction instruction passwd. passwd. Second, Second, host host used used FTP FTP upload script upload toscript accessto host access host webshell webshell to operate to operate files on files server on server In addition, In addition, host host remotely remotely logged logged into into The attacker The attacker used used instruction instruction Tar to pack Tar up to script pack up files script files backup backup it. Lastly, it. Lastly, host host launched launched an ARP an ARP attack attack to to host host Experiment 4.2. Experiment with External with External Datasets Datasets To perform To aperform more comprehensive a more comprehensive experiment experiment to be able to to be compare able to compare our experiment our experiment results results to those fromto some those existing from some methods, existing inmethods, particular in particular work by Wang work [3], by Wang we employed [3], we employed MIT Lincoln MIT Lab Lincoln DARPA 2000 Lab DARPA LLDOS dataset LLDOS 1.0 MIT dataset Lincoln Lab MIT 2000 Lincoln DARPA Lab 2000 intrusion DARPA detection intrusion scenario detection scenario [5] [5] in this experiment. The datasets were generated in MIT Lincoln Lab by using 14 hosts to in this experiment. The datasets were generated in MIT Lincoln Lab by using 14 hosts to simulate simulate external Internet environment to visit a service provider that deployed 39 hosts in external Internet environment to visit a service provider that deployed 39 hosts in network network 6 hosts in a DMZ zone. These systems used a variety general purpose operating 6 hosts in a DMZ zone. These systems used a variety general purpose operating systems such as systems such as Windows, Linux Red Hat 5.0, Sun OS Solaris 2.7. Both LLDOS 1.0 Windows, Linux Red Hat 5.0, Sun OS Solaris 2.7. Both LLDOS 1.0 LLDOS [5] LLDOS [5] datasets contain a number attack sessions. datasets contain a number attack sessions. The experiment was conducted based on framework network forensics shown in Figure The 1. experiment Both LLDOS was 1.0 conducted LLDOS based on datasets framework were stored network in a MySQL forensics database shown that in were Figure classified 1. Both LLDOS by SVM. 1.0 Suspicious LLDOSdata 2.0.2packets datasets were were also stored stored in in a MySQL database database in form that were event classified vector. by Figure SVM. Suspicious 6 shows data evidence packets graph were also stored initial construction in database inevent form vector with event all vector. nodes Figure edges 6 shows for evidence evidences. graph initial construction event vector with all nodes edges for evidences.

13 Future Future Internet 2016, 8, 8, Future Internet 2016, 8, (a) (b) (a) (b) Figure 6. The Original Evidence Graph. (a) LLDOS 1.0; (b) LLDOS Figure 6. The Original Evidence Graph. (a) LLDOS 1.0; (b) LLDOS Figure 6. The Original Evidence Graph. (a) LLDOS 1.0; (b) LLDOS In order to use VERA algorithm to derive attack routes as well as attackers, original In evidence order to graph use is VERA saved algorithm in an adjacency to derive matrix attack which routes is denoted as well by as H in attackers, VERA algorithm. original In orderevidence to use graph VERAis algorithm saved in toan derive adjacency attack matrix routes which as well is denoted as attackers, by H in original VERA evidence algorithm. Figure graph 7 shows is saved infinal an adjacency evidence matrix graph for which is LLDOS denoted 1.0 by dataset H in after VERA running algorithm. VERA algorithm, Figure Figure 7which shows 7 shows provides final a final clear evidence intuitive graph graph for evidence for LLDOS attacker dataset First, after running attacker derived VERA algorithm, algorithm, range which which IP provides addresses provides a clear a clear destination intuitive intuitive hosts evidence evidence used host attacker attacker. First, First, attacker to scan attacker derived entire derived range range range IP IP addresses. IP addresses Second, destination attacker hosts executed hosts used Ping used host host with Sadmind option to scan to check entire range wher range IP Sadmind addresses. IP service Second, was available attacker in which executed attacker Ping selected with host Sadmind option toas check a wher source wher Sadmind attack. Sadmind Third, service service buffer was was overflow available attack in in which was launched attacker through selected Sadmind host vulnerability in as as a a source source Solaris operating attack. attack. Third, system. Third, buffer Fourth, buffer overflow overflow attacker attack acquired was was launched launched root through authority through Sadmind Sadmind via Telnet vulnerability RPC in to in Solaris install operating Solaris Mstream operating system. backdoor. system. Fourth, Finally, Fourth, attacker attacker acquired used acquired root authority root authority to via manage Telnet via Telnet RPC torpc install to launch Mstream install a DDoS backdoor. Mstream attack backdoor. Finally, whose scenario Finally, attacker is exactly used attacker used same as that to manage detected to manage by MIT Lincoln to launch to a DDoS Laboratory. launch attack a DDoS whose attack scenario whose is exactly scenario is same exactly as that detected same as by that detected MIT Lincoln by Laboratory. MIT Lincoln Laboratory. Figure 7. LLDOS 1.0 Dataset Evidence Graph (Omission DDoS Attacks). Figure 7. LLDOS 1.0 Dataset Evidence Graph (Omission DDoS Attacks). Figure 7. LLDOS 1.0 Dataset Evidence Graph (Omission DDoS Attacks).

14 Future Internet 2016, 8, Future Internet 2016, 8, Figure 8 shows final evidence graph for LLDOS dataset after running VERA algorithm, Figure 8 which shows provides final a evidence rar complete graph for attack LLDOS procedure Same dataset as in after running LLDOS 1.0 VERA dataset Figure 8 shows final evidence graph for LLDOS dataset after running VERA algorithm, scenario, which attacker provides carried a rar out attacks complete in attack procedure. by utilizing Same as in Sadmins LLDOS vulnerability 1.0 dataset in algorithm, which provides a rar complete attack procedure. Same as in LLDOS 1.0 dataset scenario, Solaris OS attacker operating carried system out attacks successfully in obtained by utilizing root authority Sadmins on both vulnerability in scenario, attacker carried out attacks in by utilizing Sadmins vulnerability in Solaris OS operating However, system attacks successfully in obtained LLDOS root dataset authority were more on both complex subtle. Solaris OS operating However, system attacks successfully in LLDOS obtained dataset root authority were more on both complex The attacker selected HINFO DNS query to get details a target host (a DNS server) subtle. The attacker selected However, HINFO DNS attacks query in to LLDOS get details dataset a were target more host complex (a DNS server) subtle. compromised DNS server via Sadmins vulnerability in Solaris OS. Finally, attacker The compromised attacker selected DNS server HINFO via DNS Sadmins query to vulnerability get details in Solaris a target OS. Finally, host (a DNS attacker server) uploaded attack scripts an Mstream backdoor program to target DNS server via FTP. uploaded compromised attack scripts DNS an server Mstream via backdoor Sadmins program vulnerability to in target Solaris DNS OS. server Finally, via FTP. attacker uploaded attack scripts an Mstream backdoor program to target DNS server via FTP. Figure 8. The Evidence Graph LLDOS Dataset (Omission DDoS Attack). Figure 8. The Evidence Graph LLDOS Dataset (Omission DDoS Attack). Figure 8. The Evidence Graph LLDOS Dataset (Omission DDoS Attack). To compare our method to Wang s method [3], we first show evidence graph from Wang s work To in compare Figure 9. our To method better perform to Wang s method comparison, [3], we we first first show simplify Figure evidence 9 graph express from Wang s result work in Figure in Figure 10. Comparison 9. To better perform Figures 7 comparison, 10 as shown we first in Figure simplify 11 Figure clearly 9 shows express that our method result in can Figure generate 10. Comparison a more complete Figures evidence 7 graph. 10 as In shown addition, in Figure evidence 11 clearly graph shows can that show our method process can attacks generate in a more details. complete Although evidence Figure graph. 10 Inidentifies addition, evidence graph as a can victim, showit is in process fact not a attacks victim in more ficial details. statement Although shown Figure in Figure identifies 11, indicating a deficiency as a asvictim, a victim, Wang s it is itin isfact network in fact not not a forensics victim a victim in method. in ficial ficial statement shown shown in infigure Figure11, 11, indicatinga a deficiency Wang s network forensics method. Figure 9. Wang s LLDOS 1.0 Dataset Evidence Graph (Omission DDoS Attack). Figure 9. Wang s LLDOS 1.0 Dataset Evidence Graph (Omission DDoS Attack). Figure 9. Wang s LLDOS 1.0 Dataset Evidence Graph (Omission DDoS Attack).

15 Future Internet 2016, 8, Future Future Internet Internet 2016, 2016, 8, 8, We also compared results running LLDOS dataset. Although it was claimed that Wang s We algorithm also compared could effectively results address running multi staged LLDOS attack dataset. scenarios, Although it is not it was much claimed useful that to demonstrate Wang s We algorithm also compared attacks could in effectively results LLDOS address running multi staged dataset. LLDOS In contrast, attack dataset. scenarios, our method Although it is identified not it was much claimed useful whole that to attack Wang s demonstrate scenario algorithm attacks could LLDOS in effectively LLDOS dataset address as shown multi-staged dataset. in In Figure contrast, attack 8. scenarios, our method it isidentified not much useful whole to attack demonstrate scenario attacks LLDOS in LLDOS dataset dataset. as shown Inin contrast, Figure 8. our method identified whole attack scenario LLDOS dataset as shown in Figure 8. Figure 10. Wang s simplified evidence graph (omission DDoS attack). Figure 10. Wang s simplified evidence graph (omission DDoS attack). Figure 11. Comparison between VERA Wang s method. Figure 11. Comparison between VERA Wang s method. Comprehensive comparison analysis clearly indicates that our method is is more effective than Comprehensive comparison analysis clearly indicates that our method is more effective than Wang s method in following aspects: Wang s method in following aspects: Sources data. The evidences in our method come from multiple sources, including not only Sources data. The evidences in our method come from multiple sources, including not only selected network packets but also web application logs. selected network packets but Sufficiency forensics analysis. also web Our application logs. proposed method can sufficiently analyze evidence to Sufficiency ensure validity forensics analysis. original analysis. Our evidence. Our proposed proposed method method can sufficiently can sufficiently analyze analyze evidence evidence to ensure to Completeness ensure validity validity original evidence original evidence. reasoning. evidence. Our proposed method combines evidence graph with network Completeness vulnerabilities, evidence making reasoning. algorithm Our proposed more effective method while combines lower in evidence time complexity. graph with network vulnerabilities, making algorithm more effective while lower in time complexity.

16 Future Internet 2016, 8, Conclusions Future Direction In this paper, we presented a method for network forensics that combines evidence graph with vulnerability evidence reasoning. To ensure that method follows certain procedures, we first proposed a new network forensics framework that conforms to general principles network forensics. Based on architecture network forensics, we can use program logs network packets from multiple sources to provide data for digital evidence. We also suggested adding a digital signature timestamps to digital evidence to ensure integrity data to convert heterogeneous data to a uniform format to protect tractability data. Based on network forensics method, we introduced score vulnerability to network forensics to ensure relevance digital evidence proposed our VERA algorithm to infer attacked nodes as well as attacking routes. For visualization final evidence, we used evidence graph to exhibit attacked nodes attacking routes. Experimental results show that our method can realize reconstruction attack scenarios more effectively while possessing capability analyzing multi-staged attacks. The proposed method still has some limitations though. First, re are a variety network program logs, so developing more powerful classification algorithms is key for web log classification analysis. Second, SVM can be furr improved to filter out benign packets suspicious packets so as to construct a more accurate evidence graph by using suspicious packets. Third, VERA algorithm needs to be furr improved to achieve an even higher level accuracy efficiency in identification attacked nodes as well as attacking routes. In addition, more experiment is needed in which data collected from a network environment that can more closely reflect scale today s Internet as well as common attack patterns. This is because although we have demonstrated effectiveness our proposed method compared it with some existing work, experiment was performed based on datasets that may not accurately reflect traffic attack scenarios in today s networks. Given scale complexity today s networks, it would be more challenging to distinguish between benign packets malicious ones, making it more difficult to train SVM classifier. Thus, small-scale network environment that we set up for experiment can hardly generate sufficient network traffic to adequately test effectiveness efficiency SVM classifier. Consequently, adaptability accuracy our proposed method needs to be furr verified with more experimental data due to lack more recent test datasets limitations our lab environment at current time. There are a lot challenges in field network forensics research. Beyond study in this paper, re are many more issues that need to be furr studied. In future, we will focus our research on evidence reasoning on distribution vulnerabilities. We will also implement proposed method to conduct experiments in real networks. Furr optimization basic method as well as more comprehensive experiment should always accompany any extensions beyond our current research which should include use more recent datasets as soon as y become available generation datasets that can better reflect both traffic situations attack patterns in today s networks. Acknowledgments: The work presented in this paper has been supported by funding from National High-Tech R&D Program (863 Program) (2015AA017204), National Natural Science Foundation China ( ) Beijing Natural Science Foundation ( ). Author Contributions: Jingsha He, ideas general approach; Chengyue Chang, algorithm design, experiment analysis; Peng He, general discussion some contribution on ideas; Muhammad Salman Pathan, discussion paper editing. Conflicts Interest: The authors declare no conflict interest. References 1. Arasteh, A.R.; Debbabi, M. Analyzing Multiple Logs for Forensic Evidence. Digit. Investig. 2007, 4, [CrossRef]

17 Future Internet 2016, 8, Tian, Z.H.; Yu, X.Z.; Zhang, H.L.; Fang, B.X. A Real-time Network Intrusion Forensics Method Based on Evidence Reasoning Network. Chin. J. Comput. 2014, 5, Khan, S.; Gani, A. Network Forensics: Review, Taxonomy, Open Challenges. J. Netw. Comput. Appl. 2016, 66, [CrossRef] 4. Wang, W. A Graph Oriented Approach for Network Forensic Analysis. Ph.D. Thesis, Iowa State University, Iowa, IA, USA, MIT Lincoln Laboratory LLDOS Dataset. Available online: html (accessed on 21 October 2016). 6. Ranum, M.J. Network Forensics Traffic Monitoring. Comput. Secur. J. 1997, 13, Palmer, G. A Road Map for Digital Forensic Research; Digital Forensic Research Workshop. In Proceedings Digital Forensic Research Conference, Utica, NY, USA, 7 8 August Schwartz, E. Network Packet Forensics. In Cyber Forensics; Bayuk, J., Ed.; Humana Publishers: New York, NY, USA, 2011; pp Pilli, E.S.; Joshi, R.C.; Niyogi, R. Data Reduction by Identification Correlation TCP/IP Attack Attributes for Network Forensics. In Proceedings International Conference & Workshop on Emerging Trends in Technology, Mumbai, India, February 2011; pp Clegg, R.G.; Withall, M.S.; Moore, A.W.; Phillips, I.W.; Parish, D.J.; Rio, M.; La, R.; Haddadi, H.; Kyriakopoulos, K.; Auge, J.; et al. Challenges in Capture Dissemination Measurements from High- Speed Networks. 2013; arxiv preprint. arxiv: Kaushik, A.K.; Pilli, E.S.; Joshi, R.C. Network Forensic System for Port Scanning Attack. In Proceedings 2010 IEEE 2nd International Advanced Computing Conference, Patiala, India, 1 March 2010; pp Roussev, V.; Quates, C.; Martell, R. Real-time digital forensics triage. Digit. Investig. 2013, 10, [CrossRef] 13. Mukkamala, S.; Sung, A.H. Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques. Int. J. Digit. Evid. 2003, 4, Xie, Y.L.; Feng, D.; Tan, Z.P.; Zhou, J.Z. Unifying Intrusion Detection Forensic Analysis via Provenance Awareness. Future Gener. Comput. Syst. 2016, 61, [CrossRef] 15. Rekhis, S.; Boudriga, N. Logic-based Approach for Digital Forensic Investigation in Communication. Comput. Secur. 2011, 30, [CrossRef] 16. Settanni, G.; Skopik, F.; Shovgenya, Y. A Collaborative Cyber Incident Management System for European Interconnected Critical Infrastructures. J. Inf. Secur. Appl [CrossRef] 17. Cherdantseva, Y.; Burnap, P.; Blyth, A. A Review Cyber Security Risk Assessment Methods for SCADA Systems. Comput. Secur. 2016, 56, [CrossRef] 18. Alneyadi, S.; Sithirasenan, E.; Muthukkumarasamy, V. A Survey on Data Leakage Prevention Systems. J. Netw. Comput. Appl. 2016, 62, [CrossRef] 19. Chen, L.M.; Chen, M.C. A Scalable Network Forensics Mechanism for Stealthy Self-propagating Attacks. Comput. Commun. 2013, 36, [CrossRef] 20. Zhang, H.; Yao, D.; Ramakrishnan, N. Causality Reasoning about Network Events for Detecting Stealthy Malware Activities. Comput. Secur. 2016, 58, [CrossRef] 21. Ammann, P.; Wijesekera, D.; Kaushik, S. Scalable, Graph-based Network Vulnerability Analysis. In Proceedings 9th ACM Conference on Computer Communications Security, Washington, DC, USA, November 2002; pp Rasmi, M.; Jantan, A. AIA: Attack Intention Analysis Algorithm Based on D-S Theory with Causal Technique for Network Forensics A Case Study. Int. J. Digit. Content Technol. Appl. 2011, 9, Rasmi, M.; Jantan, A. Attack Intention Analysis Model for Network Forensics. In Stware Engineering Computer Systems, 2nd ed.; Zain, J.M., Ed.; Springer: Berlin/Heidelberg, Germany, 2011; Volume 180, pp Liu, C.; Singhal, A.; Wijesekera, D. Relating Admissibility Stards for Digital Evidence to Attack Scenario Reconstruction. J. Digit. Forensics Secur. Law. 2014, 9, Wang, W.; Daniels, T.E. A Graph Based Approach toward Network Forensics Analysis. ACM Trans. Inf. Syst. Secur. 2008, 12, [CrossRef] 26. Hall, G.A.; Davis, W.P. Toward Defining Intersection Forensics Information Technology. Int. J. Digit. Evid. 2005, 4, 1 20.

18 Future Internet 2016, 8, Casey, E. Digital Evidence Computer Crime: Forensic Science, Computers, Interne, 3rd ed.; Academic Publishers: Manhattan, NY, USA, Boser, B.E.; Guyon, I.M.; Vapnik, V.N. A Training Algorithm for Optimal Margin Classifiers. In Proceedings 5th Annual Workshop on Computational Learning Theory, New York, USA, 1 July 1996; pp Chang, C.C.; Lin, C.J. Libsvm: A Library for Support Vector Machines. ACM Trans. Intell. Syst. Technol. 2011, 2, [CrossRef] 30. KDD-CUP-99 Task. Available online: (accessed on 21 October 2016). 31. National Vulnerability Database. Available online: (accessed on 21 October 2016). 32. Common Vulnerabilities Exposures. Available online: (accessed on 21 October 2016). 33. Common Vulnerability Scoring System. Available online: (accessed on 21 October 2016) by authors; licensee MDPI, Basel, Switzerl. This article is an open access article distributed under terms conditions Creative Commons Attribution (CC-BY) license (