Call For Papers

Network forensics is an important step in investigating and resolving security incidents. It involves collecting, recording, and analyzing network traffic and logs to identify attacks, their impact, and their causes. The volume of security-relevant data collected from the many devices on a network is overwhelming and hard to use in real-time analytics for timely response. Although traditional security appliances such as Security Information and Event Management (SIEM) systems are still heavily used in enterprise network environments, the security alerts they generate contain too many false positives. It remains a major challenge to automatically correlate the collected data and transform it into actionable information.

More research is needed in designing methods, systems, and platforms that facilitate network forensic procedures. There is a growing need for techniques and tools that support efficient data collection and processing, real-time log searching, and smart evidence correlation, and for tools, processes, and workflows that enable “hunting” within the collected data for threats that existing automated tools do not flag as malicious. Network forensic investigation is both a labor- and intelligence-intensive task; human knowledge and expertise are crucial, but currently the majority of analysts’ time is spent on data processing rather than on genuinely intelligent investigation. How to design technologies and tools that better support human analysts is a fertile area for multi-disciplinary research involving the social and behavioral sciences. With the emergence of smart embedded devices, conducting network forensics for the Internet of Things (IoT) and Cyber-Physical Systems (CPS) presents unique new challenges. Moreover, how evidence is collected and processed from the network has a major impact on whether it is admissible in court.

Research is needed to ensure that the results of analyzing breaches and attacks also support legal prosecution. The aim of this workshop is to provide a venue for research that closes the gap between network forensics research and practical security operational needs, for discussing experiences, challenges, and lessons learned, and to foster multi-disciplinary collaboration as well as collaboration between academia, industry, and government.

The Network Forensics Workshop will be a full-day workshop, with one or two invited speakers, peer-reviewed paper presentations, a panel discussion, and poster presentations during the breaks.

Topics of interests include, but are not limited to:
1) Data collection and processing for network forensics
2) Evidential reasoning techniques
3) Data fusion and aggregation
4) Threat intelligence
5) Big-data security analytics
6) Operational incident response
7) Automatic evidence correlation
8) Live forensics
9) Incident triage and handling under limited budget
10) Visualization techniques for forensic analysis
11) Network forensics for embedded devices, IoT, and CPS
12) Threat identification through decoy devices, e.g., honeypots
13) Human aspects in network forensics
14) Legal aspects in network forensics
15) Impact of organizational policies on network forensics


Important dates:

Deadline for paper submission: July 15, 2016
Notification of acceptance: August 3, 2016
Camera-ready version due: August 10, 2016
Workshop date: October 19, 2016
