
A Uniformed Evidence Process Model for Big Data Forensic Analysis

  • Conference paper
Advanced Multimedia and Ubiquitous Engineering (MUE 2018, FutureTech 2018)

Abstract

Modern attacks such as Advanced Persistent Threats (APT) usually consist of multiple attack steps disguised as normal behaviour, which makes them harder to detect and lowers the accuracy of detection results. Forensic analysis aimed at APT attacks therefore faces many challenges, above all because of the large amount of data involved. Although a graph model can describe the causal relationships among the steps of one attack process, it cannot accurately infer the attacker's intent, because the detection result for each step is uncertain. This paper proposes a uniformed evidence process model for big data forensic analysis that can be used to identify the attacker, infer the attack process and reconstruct the attack scenario. Specifically, our proposed model includes: (1) Evidence collection: collect all useful information from the large volume of alerts, logs and traffic evidence. (2) Evidence normalization: normalize the data of the different kinds of evidence. (3) Evidence preservation: address the need for a centralized system that stores all the information so that users can retrieve it as necessary. (4) Evidence analysis: the loaded relevant resources are analyzed to understand the crime that occurred and to collect digital evidence by reconstructing the timeline, establishing facts and identifying suspects. (5) Data presentation and visualization: this is generally concerned with presenting the findings of the investigation process to a court of law. Our proposed method can be used in big data forensic analysis and can greatly improve the efficiency and accuracy of forensic reasoning.
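As an added illustration, not code from the paper, the five stages of the model are run in Python over three constructed evidence records (an IDS alert, a syslog line and a flow record); the uniform schema, the asset inventory map, the assumed log year and the host-chaining rule are all assumptions made here.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample evidence of the three kinds the model collects (not real data).
ALERT = '{"ts": "2024-03-01T10:00:05Z", "src": "10.0.0.5", "dst": "10.0.0.9", "sig": "SSH brute force"}'
SYSLOG = "Mar  1 10:00:40 web01 sshd[2210]: Accepted password for admin from 10.0.0.5 port 51022 ssh2"
FLOW = "2024-03-01T10:02:10Z,10.0.0.9,203.0.113.7,443,5832000"  # ts,src,dst,dport,bytes
ASSETS = {"web01": "10.0.0.9"}  # assumed asset inventory: hostname -> IP
LOG_YEAR = 2024                 # syslog lines carry no year; assumed from case context

def normalize(raw, kind):
    """Stage 2: map one raw record onto the uniform evidence schema (assumed here)."""
    if kind == "alert":
        d = json.loads(raw)
        ev = {"ts": d["ts"], "src": d["src"], "dst": d["dst"], "desc": d["sig"]}
    elif kind == "syslog":
        m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) \S+: (.*) from (\S+) port", raw)
        stamp = " ".join(m.group(1).split())
        ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        ev = {"ts": ts.replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
              "src": m.group(4), "dst": ASSETS[m.group(2)], "desc": m.group(3)}
    else:
        ts, src, dst, port, nbytes = raw.split(",")
        ev = {"ts": ts, "src": src, "dst": dst, "desc": f"{nbytes} bytes to {dst}:{port}"}
    ev["kind"] = kind
    # Stage 3: the content hash is the evidence identifier and its integrity check once preserved.
    ev["id"] = hashlib.sha256(raw.encode()).hexdigest()[:16]
    return ev

def reconstruct(events):
    """Stage 4: order evidence on one timeline and chain steps whose target later
    acts as a source, so a multi-step intrusion reads as one causal sequence."""
    timeline = sorted(events, key=lambda e: e["ts"])
    chains = [(a["id"], b["id"]) for i, a in enumerate(timeline)
              for b in timeline[i + 1:] if a["dst"] == b["src"]]
    return timeline, chains

def present(timeline, chains):
    """Stage 5: render the reconstructed scenario as reviewable lines."""
    lines = [f'{e["ts"]} [{e["kind"]}] {e["src"]} -> {e["dst"]}: {e["desc"]}' for e in timeline]
    return lines + [f"chain: {a} -> {b}" for a, b in chains]

def run():
    """Stage 1 (collection) is simulated by the three constructed records above."""
    events = [normalize(ALERT, "alert"), normalize(SYSLOG, "syslog"), normalize(FLOW, "flow")]
    return reconstruct(events)

if __name__ == "__main__":
    print("\n".join(present(*run())))
```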




Correspondence to Shuyang Guo .


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.


Cite this paper

Wang, N., Tan, Y., Guo, S. (2019). A Uniformed Evidence Process Model for Big Data Forensic Analysis. In: Park, J., Loia, V., Choo, KK., Yi, G. (eds) Advanced Multimedia and Ubiquitous Engineering. MUE FutureTech 2018 2018. Lecture Notes in Electrical Engineering, vol 518. Springer, Singapore. https://doi.org/10.1007/978-981-13-1328-8_82


  • DOI: https://doi.org/10.1007/978-981-13-1328-8_82


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-1327-1

  • Online ISBN: 978-981-13-1328-8

  • eBook Packages: Engineering (R0)
