| Author(s): |
Changwei Liu; Anoop Singhal; Duminda Wijesekera; |
| Title: |
Mapping Evidence Graphs to Attack Graphs |
| Published: |
January 17, 2013 |
| Abstract: |
Attack graphs compute potential attack paths from a system configuration and known vulnerabilities of a system. Evidence graphs model intrusion evidence and dependencies among them for forensic analysis. In this paper, we show how to map evidence graphs to attack graphs. This mapping is useful for application of attack graphs and evidence graphs for forensic analysis. In addition to helping to refine attack graphs by comparing attack paths in both attack graphs and evidence graphs, important probabilistic information contained in evidence graphs can be used to compute or refine potential attack success probabilities contained in repositories like CVSS. Conversely, attack graphs can be used to add missing evidence or remove irrelevant evidence to build a complete evidence graph. In particular, when attackers use anti-forensics tools to destroy or distort evidence, attack graphs can help investigators recover the attack scenarios and explain the lack of evidence for missing steps. We illustrate the mapping using a database attack as a case study. |
| Conference: |
2012 IEEE International Workshop on Information Forensics and Security (WIFS) |
| Proceedings: |
IEEE International Workshop on Information Forensics and Security |
| Pages: |
pp. 121 - 126 |
| Location: |
Tenerife, -1 |
| Dates: |
December 2-5, 2012 |
| Keywords: |
anti-forensics; anti-forensics vulnerability database; attack graph; forensic analysis |
| Research Areas: |
Information Technology, Computer Security |
| DOI: |
10.1109/WIFS.2012.6412636 (Note: May link to a non-U.S. Government webpage) |
| PDF version: |
 Click here to retrieve PDF version of paper (819KB) |
