A formal approach to analyzing cyber-forensics evidence
Abstract
The frequency and harmfulness of cyber-attacks are increasing every day, and with them the amount of data that cyber-forensics analysts need to collect and analyze. In this paper, we propose a formal analysis process that allows an analyst to filter the enormous amount of evidence collected and either identify crucial information about the attack (e.g., when it occurred, its culprit, its target) or, at the very least, perform a pre-analysis that reduces the complexity of the problem so that conclusions can then be drawn more swiftly and efficiently. We introduce the Evidence Logic EL for representing simple and derived pieces of evidence from different sources. We propose a procedure, based on monotonic reasoning, that rewrites the pieces of evidence using tableau rules, taking into account the relations of trust between sources and the reasoning behind the derived evidence, and yields a consistent set of pieces of evidence. As proof of concept, we apply our analysis process to a concrete cyber-forensics case study.
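As an added illustration (not code from the paper, which defines the Evidence Logic EL and its tableau rules in full), the Python sketch below shows the shape of the procedure the abstract describes: simple pieces of evidence from several sources, derived pieces produced by forward chaining over explicit rules, a strict trust relation between sources, and a monotonic rewriting loop that discards the less-trusted side of each contradiction until the set stops changing. The sources (`ids`, `netflow`, `host_log`, `sysadmin`), claims, rules and trust pairs are all constructed for the example, and the choice that a derived piece carries the trust of its least-trusted premise is an assumption of this toy model, not a rule taken from the paper.

```python
"""Toy trust-based reconciliation of forensic evidence.

Added example: NOT the Evidence Logic EL of the paper. It only illustrates
the idea of rewriting a set of simple and derived pieces of evidence, using
a trust relation between sources, into a consistent set.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Evidence:
    source: str           # reporting source, or "derived" for rule conclusions
    claim: str            # proposition, e.g. "compromised(srv1,t2)"
    holds: bool           # True asserts the claim, False denies it
    premises: tuple = ()  # pieces a derived piece was built from; () if simple

    def weakest_source(self, trust):
        """Source whose trust this piece carries. Assumption of this toy model:
        a derived piece is only as trustworthy as its least-trusted premise."""
        if not self.premises:
            return self.source
        srcs = [p.weakest_source(trust) for p in self.premises]
        for s in srcs:  # a premise source that is not more trusted than another one
            if not any((s, o) in trust for o in srcs if o != s):
                return s
        return srcs[0]


def trust_closure(pairs):
    """Transitive closure of (a, b) = 'a is more trusted than b' (strict order)."""
    closure = set(pairs)
    while True:
        new = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if new <= closure:
            return closure
        closure |= new


def derive(pieces, rules):
    """One forward-chaining round. rule = (premise_claims, conclusion_claim);
    it fires when every premise claim is asserted by some surviving piece."""
    asserted = {p.claim: p for p in pieces if p.holds}
    return {Evidence("derived", concl, True, tuple(asserted[c] for c in prems))
            for prems, concl in rules if all(c in asserted for c in prems)}


def resolve(pieces, trust):
    """Drop, from each contradictory pair, the side whose source is strictly
    less trusted; contradictions between incomparable sources stay unresolved."""
    rejected, unresolved = set(), set()
    for a, b in product(pieces, repeat=2):
        if a.claim == b.claim and a.holds and not b.holds:
            sa, sb = a.weakest_source(trust), b.weakest_source(trust)
            if (sa, sb) in trust:
                rejected.add(b)
            elif (sb, sa) in trust:
                rejected.add(a)
            else:
                unresolved.add(a.claim)
    return set(pieces) - rejected, rejected, unresolved


def analyze(simple, rules, trust_pairs):
    """Monotonic loop: derive, resolve, repeat until the set stops changing.
    A rejected piece is never reintroduced, so the loop terminates."""
    trust = trust_closure(trust_pairs)
    current, rejected_all = set(simple), set()
    while True:
        candidates = {p for p in current | derive(current, rules)
                      if p not in rejected_all and not set(p.premises) & rejected_all}
        kept, rejected, unresolved = resolve(candidates, trust)
        rejected_all |= rejected
        if kept == current:
            return kept, rejected_all, unresolved
        current = kept


# Constructed case: an IDS alert, a host log that may have been tampered with,
# NetFlow records and a sysadmin's statement disagree about one server.
SIMPLE = [
    Evidence("ids", "inbound_exploit(srv1,t1)", True),
    Evidence("host_log", "process_spawned(srv1,t1)", True),
    Evidence("host_log", "outbound_c2(srv1,t2)", False),  # log shows no C2 traffic
    Evidence("netflow", "outbound_c2(srv1,t2)", True),    # flow records do
    Evidence("sysadmin", "compromised(srv1,t2)", False),  # admin denies compromise
]
RULES = [
    (("inbound_exploit(srv1,t1)", "process_spawned(srv1,t1)"), "compromised(srv1,t1)"),
    (("compromised(srv1,t1)", "outbound_c2(srv1,t2)"), "compromised(srv1,t2)"),
]
TRUST = [("ids", "host_log"), ("netflow", "host_log"), ("host_log", "sysadmin")]


def run_example():
    kept, rejected, unresolved = analyze(SIMPLE, RULES, TRUST)
    return (sorted((p.claim, p.holds) for p in kept),
            sorted((p.source, p.claim) for p in rejected),
            sorted(unresolved))


if __name__ == "__main__":
    for label, items in zip(("kept", "rejected", "unresolved"), run_example()):
        print(label, items)
```

In the constructed case the host log's denial of C2 traffic loses to NetFlow, and the sysadmin's denial of compromise loses to a derived conclusion whose weakest premise is the host log, which the trust relation still ranks above the sysadmin's statement. A contradiction between two incomparable sources is reported rather than silently decided, which is the point at which a real analyst, or the paper's full logic, has to supply more structure.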
Karafili, Erisa, Cristani, Matteo and Viganò, Luca (2018) A formal approach to analyzing cyber-forensics evidence. In: Lopez, Javier, Zhou, Jianying and Soriano, Miguel (eds.) Computer Security: ESORICS 2018. Springer, pp. 281-301. (doi:10.1007/978-3-319-99073-6_14)
Record type: Conference or Workshop Item (Paper)
Full text: KarafiliCV_2_ (Accepted Manuscript)
More information
Accepted/In Press date: 1 April 2016
e-pub ahead of print date: 8 August 2018
Published date: 8 August 2018
Identifiers
Local EPrints ID: 438976
URI: http://eprints.soton.ac.uk/id/eprint/438976
ISSN: 0302-9743
PURE UUID: 20bf2b10-3484-4962-bb4a-93903f8dd2f6
Catalogue record
Date deposited: 30 Mar 2020 16:31
Last modified: 17 Mar 2024 03:59
Contributors
Authors: Erisa Karafili, Matteo Cristani, Luca Viganò
Editors: Javier Lopez, Jianying Zhou, Miguel Soriano