
Shedding Light on Log Correlation in Network Forensics Analysis

Conference paper. In: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2012)

Abstract

Presently, forensics analysis of security incidents relies largely on manual, ad-hoc, and very time-consuming processes. A security analyst needs to manually correlate evidence from diverse security logs with expertise on the suspected malware and background on the configuration of the infrastructure to diagnose if, when, and how an incident happened. To improve our understanding of forensics analysis processes, in this work we analyze the diagnosis of 200 infections detected within a large operational network. Based on the analyzed incidents, we build a decision support tool that shows how to correlate evidence from different sources of security data to expedite manual forensics analysis of compromised systems. Our tool is based on the C4.5 decision tree classifier and shows how to combine four commonly used data sources, namely IDS alerts, reconnaissance and vulnerability reports, blacklists, and a search engine, to verify different types of malware, such as Torpig, SbBot, and FakeAV. Our evaluation confirms that the derived decision tree helps to accurately diagnose infections, while it exhibits performance comparable to a more sophisticated SVM classifier, which however is much less interpretable for non-statisticians.
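The abstract describes the tool only at the level of the four evidence sources it combines and the C4.5 classifier it uses; neither the paper's feature encoding nor its learned tree appears on this page. The following Python is an added example, not the authors' tool: it builds a gain-ratio decision tree (C4.5's split criterion, without C4.5's pruning or continuous-attribute handling) over categorical lookup outcomes from the four sources, trained on a constructed set of labelled incidents. The feature names, value vocabularies and records are assumptions chosen so that the learned tree stays small enough to read, which is the interpretability point the abstract makes against the SVM.

```python
import math
from collections import Counter

# Assumed feature names: one categorical outcome per evidence source named in the abstract.
FEATURES = ("ids", "vuln", "blacklist", "search")


def _rec(ids, vuln, blacklist, search, label):
    """Build one labelled incident record from the four lookup outcomes and the analyst verdict."""
    return dict(zip(FEATURES + ("label",), (ids, vuln, blacklist, search, label)))


# Constructed training data (not from the paper): the analyst's final verdict is the label.
INCIDENTS = [
    _rec("high",   "vulnerable", "hit",   "malicious", "infected"),
    _rec("high",   "vulnerable", "hit",   "unknown",   "infected"),
    _rec("medium", "vulnerable", "hit",   "malicious", "infected"),
    _rec("low",    "patched",    "hit",   "malicious", "infected"),
    _rec("high",   "patched",    "clean", "benign",    "benign"),
    _rec("medium", "patched",    "clean", "unknown",   "benign"),
    _rec("low",    "patched",    "clean", "benign",    "benign"),
    _rec("high",   "vulnerable", "clean", "malicious", "infected"),
    _rec("medium", "vulnerable", "clean", "benign",    "benign"),
    _rec("low",    "vulnerable", "clean", "unknown",   "benign"),
]


def entropy(labels):
    """Shannon entropy (bits) of a label multiset."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def _partition(records, feature):
    groups = {}
    for r in records:
        groups.setdefault(r[feature], []).append(r)
    return groups


def information_gain(records, feature):
    """ID3's criterion: entropy reduction obtained by splitting on `feature`."""
    n = len(records)
    parent = entropy([r["label"] for r in records])
    cond = sum(len(g) / n * entropy([r["label"] for r in g])
               for g in _partition(records, feature).values())
    return parent - cond


def gain_ratio(records, feature):
    """C4.5's criterion: information gain normalised by the split's own entropy,
    which penalises features that fragment the data into many small groups."""
    n = len(records)
    sizes = [len(g) for g in _partition(records, feature).values()]
    split_info = -sum(s / n * math.log2(s / n) for s in sizes)
    if split_info == 0.0:  # feature takes one value here: splitting tells us nothing
        return 0.0
    return information_gain(records, feature) / split_info


def build_tree(records, features=FEATURES):
    """Recursively grow a tree; stops on pure nodes, exhausted features, or zero gain ratio."""
    labels = [r["label"] for r in records]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not features:
        return {"leaf": majority}
    best = max(features, key=lambda f: gain_ratio(records, f))
    if gain_ratio(records, best) == 0.0:
        return {"leaf": majority}
    node = {"feature": best, "default": majority, "children": {}}
    remaining = tuple(f for f in features if f != best)
    for value, subset in _partition(records, best).items():
        node["children"][value] = build_tree(subset, remaining)
    return node


def classify(tree, record):
    """Walk the tree; a value never seen in training falls back to the node's majority class."""
    while "leaf" not in tree:
        child = tree["children"].get(record.get(tree["feature"]))
        if child is None:
            return tree["default"]
        tree = child
    return tree["leaf"]


def render(tree, indent=0):
    """Return the tree as indented text lines, the form an analyst can actually audit."""
    pad = "  " * indent
    if "leaf" in tree:
        return [f"{pad}-> {tree['leaf']}"]
    lines = []
    for value, child in tree["children"].items():
        lines.append(f"{pad}{tree['feature']} = {value}")
        lines.extend(render(child, indent + 1))
    return lines


if __name__ == "__main__":
    tree = build_tree(INCIDENTS)
    print("\n".join(render(tree)))
    # A constructed held-out incident: blacklisted destination, nothing else alarming.
    print(classify(tree, _rec("low", "patched", "clean", "malicious", None)))
```

On this data the search-engine feature has the highest plain information gain but the blacklist feature has the highest gain ratio, because the three-way search split is charged for its own entropy; that difference is what distinguishes C4.5 from ID3 and is why the root of the learned tree is the blacklist lookup.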




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

Cite this paper

Raftopoulos, E., Egli, M., Dimitropoulos, X. (2013). Shedding Light on Log Correlation in Network Forensics Analysis. In: Flegel, U., Markatos, E., Robertson, W. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2012. Lecture Notes in Computer Science, vol 7591. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37300-8_14

  • DOI: https://doi.org/10.1007/978-3-642-37300-8_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-37299-5

  • Online ISBN: 978-3-642-37300-8

  • eBook Packages: Computer Science (R0)
