Anoop Singhal

Techniques and Challenges for Network Forensics

Network forensics is the science that deals with the capture, recording and analysis of network events and traffic in order to detect intrusions and investigate them. It is a post-mortem activity: the investigation starts after the attack has happened, and it requires dedicated capabilities for examining malicious behavior in networks. Modern-day attackers tend to use sophisticated multi-stage, multi-host attack techniques and anti-forensics tools to cover their traces. Because of the current limitations of intrusion detection and forensic analysis tools, reconstructing attack scenarios from the evidence attackers leave behind in an enterprise system is difficult. In particular, reconstructing attack scenarios from IDS alerts and system logs that contain a large number of false positives is a major challenge.

In this talk, we will present a model [1] that systematically addresses these problems in order to reconstruct the attack scenario: the large volume of data, much of it not relevant to the attack; missing evidence; and evidence destroyed by anti-forensic techniques. Our system is built on the Prolog-based reasoning system MulVAL [2]. It uses known vulnerability databases together with an anti-forensics database, which we plan to extend toward a standardized source such as the NIST National Vulnerability Database (NVD).

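To make concrete what reasoning over IDS alerts and host logs with logic rules looks like, here is a small forward-chaining evidence correlator in Python. It is an added example written for this page, not the authors' model and not MulVAL code; every host name, alert type, rule and evidence tuple in it is constructed for illustration. The rules chain a scan, an exploit alert and a known vulnerability into a compromise, follow a login from a compromised host into lateral movement, and flag a host whose logs were wiped after it was reached, which is the kind of missing-evidence case the abstract refers to. A scan with no follow-up evidence yields no derived fact, so it drops out as noise.

```python
"""Toy logic-based evidence correlation (added example, not the authors' code).

Facts are tuples (predicate, arg1, arg2, ...). Rules are (head, body) pairs in
which strings starting with '?' are variables. Forward chaining fires every
rule whose body unifies with known facts until nothing new is derived.
All hosts, alert names and the evidence set below are hypothetical.
"""

# Constructed evidence: IDS alerts, vulnerability-scan results and host logs.
# This is a made-up incident, not real data.
EVIDENCE = [
    ("alert", "portscan", "attacker", "web"),
    ("alert", "exploit", "attacker", "web"),
    ("vuln", "web", "remote_code_exec"),
    ("log", "login", "web", "db"),            # from web's outbound auth log
    ("vuln", "db", "weak_creds"),
    ("log", "wiped", "db"),                   # anti-forensics: db logs cleared
    ("log", "exfil", "db", "attacker"),
    ("alert", "portscan", "attacker", "fileserver"),  # noise: no follow-up
]

# Hypothetical correlation rules. Each fires only when all body literals
# match under one consistent variable binding.
RULES = [
    # scan + exploit alert + matching vulnerability => host compromised
    (("compromised", "?h", "via_exploit"),
     [("alert", "portscan", "?a", "?h"),
      ("alert", "exploit", "?a", "?h"),
      ("vuln", "?h", "?v")]),
    # compromised host logs into a vulnerable host => lateral movement
    (("compromised", "?t", "lateral"),
     [("compromised", "?s", "?how"),
      ("log", "login", "?s", "?t"),
      ("vuln", "?t", "?v")]),
    # data leaves a compromised host
    (("exfiltration", "?s", "?d"),
     [("compromised", "?s", "?how"),
      ("log", "exfil", "?s", "?d")]),
    # missing-evidence case: a host we reached anyway had its logs wiped
    (("evidence_destroyed", "?h"),
     [("compromised", "?h", "?how"),
      ("log", "wiped", "?h")]),
]


def unify(pattern, fact, subst):
    """Extend subst so that pattern matches fact, or return None."""
    if len(pattern) != len(fact):
        return None
    s = dict(subst)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):
            if p in s and s[p] != f:
                return None
            s[p] = f
        elif p != f:
            return None
    return s


def match_body(body, facts, subst):
    """Yield every substitution that satisfies all body literals in order."""
    if not body:
        yield subst
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        s = unify(first, fact, subst)
        if s is not None:
            yield from match_body(rest, facts, s)


def substitute(pattern, subst):
    """Instantiate a rule head under a substitution."""
    return tuple(subst.get(t, t) for t in pattern)


def reconstruct(evidence, rules):
    """Forward-chain to a fixpoint; return only the derived (non-raw) facts."""
    facts = set(evidence)
    derived = set()
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            for s in match_body(body, list(facts), {}):
                new = substitute(head, s)
                if new not in facts:
                    facts.add(new)
                    derived.add(new)
                    changed = True
    return derived


if __name__ == "__main__":
    for fact in sorted(reconstruct(EVIDENCE, RULES)):
        print(fact)
```

Running it derives four facts: web compromised via exploit, db compromised by lateral movement, exfiltration from db to the attacker, and evidence destroyed on db. Nothing is derived about fileserver, since the lone portscan alert satisfies no rule. A real system would add a large vulnerability and anti-forensics knowledge base and far richer rules, but the mechanism is the same.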

[1] C. Liu, A. Singhal, D. Wijesekera, "A Logic Based Network Forensics Model for Evidence Analysis", IFIP International Conference on Digital Forensics, Orlando, Florida, January 24-26, 2015.

[2] MulVAL v1.1, January 30, 2012. http://people.cis.ksu.edu/xou/mulval/.


Speaker Bio:
Dr. Anoop Singhal is currently a Senior Computer Scientist in the Computer Security Division at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD. He received his Ph.D. in Computer Science from Ohio State University, Columbus, Ohio. His research interests are in network security, network forensics, cloud computing security and data mining systems. He is a member of ACM and a senior member of the IEEE, and he has co-authored over 50 technical papers in leading conferences and journals. He holds two patents in the area of attack graphs and has also co-edited a book on Secure Cloud Computing.