A Formal Approach to Analyzing Cyber-Forensics Evidence

  • Erisa Karafili
  • Matteo Cristani
  • Luca Viganò
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11098)


The frequency and harmfulness of cyber-attacks are increasing every day, and with them also the amount of data that the cyber-forensics analysts need to collect and analyze. In this paper, we propose a formal analysis process that allows an analyst to filter the enormous amount of evidence collected and either identify crucial information about the attack (e.g., when it occurred, its culprit, its target) or, at the very least, perform a pre-analysis to reduce the complexity of the problem in order to then draw conclusions more swiftly and efficiently.

We introduce the Evidence Logic \(\mathcal {EL}\) for representing simple and derived pieces of evidence from different sources. We propose a procedure, based on monotonic reasoning, that rewrites the pieces of evidence with the use of tableau rules, based on relations of trust between sources and the reasoning behind the derived evidence, and yields a consistent set of pieces of evidence. As proof of concept, we apply our analysis process to a concrete cyber-forensics case study.
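The following is an added illustration, not the paper's Evidence Logic or its tableau procedure: a small Python program that makes the idea of the abstract concrete. Pieces of evidence (source, claim, polarity, and optionally the premises the source reasoned from) are reduced to a consistent set by a strict "more trusted than" relation between sources. The assumptions are ours: a contradiction is settled in favour of the strictly more trusted source; a contradiction between incomparable sources is reported and both sides are dropped; and a derived piece is dropped when one of its premises no longer survives. The sources, claims and trust pairs in `SAMPLE` and `TRUST` are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Evidence:
    """One piece of evidence: `source` asserts `claim` (holds=True) or denies it.
    A non-empty `premises` set marks a derived piece: the source obtained the
    claim by reasoning from those other claims. Simple pieces have no premises."""
    source: str
    claim: str
    holds: bool = True
    premises: FrozenSet[str] = frozenset()


def trust_closure(more_trusted: Iterable[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """Transitive closure of the relation 'a is more trusted than b'.
    Assumed to be a strict partial order (no cycles)."""
    closure = set(more_trusted)
    while True:
        extra = {(a, d) for a, b in closure for c, d in closure if b == c}
        if extra <= closure:
            return closure
        closure |= extra


def reconcile(pieces: Iterable[Evidence], more_trusted: Iterable[Tuple[str, str]]):
    """Return (kept, discarded): a contradiction-free subset of `pieces` and a
    list of (piece, reason) explaining every removal. Iterates to a fixed point
    because dropping a premise can invalidate a chain of derived pieces."""
    trust = trust_closure(more_trusted)
    kept: Set[Evidence] = set(pieces)
    discarded: List[Tuple[Evidence, str]] = []

    def drop(e: Evidence, why: str) -> None:
        kept.discard(e)
        discarded.append((e, why))

    while True:
        before = len(kept)

        # Step 1: resolve contradictions claim by claim (deterministic order).
        for claim in sorted({e.claim for e in kept}):
            group = sorted((e for e in kept if e.claim == claim),
                           key=lambda e: (e.source, e.holds))
            # A piece is dominated when a strictly more trusted source says the opposite.
            dominated = [e for e in group
                         if any(f.holds != e.holds and (f.source, e.source) in trust
                                for f in group)]
            for e in dominated:
                drop(e, "contradicted by a more trusted source")
            survivors = [e for e in group if e not in dominated]
            # Both polarities left among incomparable sources: cannot be settled by trust.
            if {e.holds for e in survivors} == {True, False}:
                for e in survivors:
                    drop(e, "unresolved conflict between incomparable sources")

        # Step 2: a derived piece needs every premise to still hold.
        supported = {e.claim for e in kept if e.holds}
        for e in sorted(kept, key=lambda e: (e.source, e.claim)):
            if e.premises and not e.premises <= supported:
                drop(e, "premise no longer supported")

        if len(kept) == before:
            return kept, discarded


# Constructed sample: two logging sources are each more trusted than an analyst's note.
TRUST = {("ids", "analyst_note"), ("firewall_log", "analyst_note")}
SAMPLE = [
    Evidence("ids", "scan_from(10.0.0.5)"),
    Evidence("analyst_note", "scan_from(10.0.0.5)", holds=False),
    Evidence("firewall_log", "outbound(10.0.0.5)"),
    Evidence("analyst_note", "culprit(10.0.0.5)",
             premises=frozenset({"scan_from(10.0.0.5)", "outbound(10.0.0.5)"})),
    Evidence("ids", "compromised(host_a)"),
    Evidence("firewall_log", "compromised(host_a)", holds=False),
    Evidence("analyst_note", "lateral_move(host_a)",
             premises=frozenset({"compromised(host_a)"})),
]

if __name__ == "__main__":
    kept, discarded = reconcile(SAMPLE, TRUST)
    for e in sorted(kept, key=lambda e: (e.claim, e.source)):
        print("KEEP", e.source, ("" if e.holds else "not "), e.claim)
    for e, why in discarded:
        print("DROP", e.source, ("" if e.holds else "not "), e.claim, "-", why)
```

On the sample, the analyst's denial of the scan is dropped in favour of the IDS, the derived `culprit` claim survives because both of its premises do, the disagreement between the IDS and the firewall log about `compromised(host_a)` stays unresolved and takes the `lateral_move` inference down with it. The discarded list is the part an analyst would actually read: it records which pieces were set aside and why, so the reduction is auditable rather than silent.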



Erisa Karafili was supported by the European Union’s H2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No. 746667.



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Department of Computing, Imperial College London, London, UK
  2. Dipartimento di Informatica, Università di Verona, Verona, Italy
  3. Department of Informatics, King’s College London, London, UK
