Data-driven decision support for optimizing cyber forensic investigations
Nisioti, Antonia, Loukas, George ORCID: https://orcid.org/0000-0003-3559-5182, Laszka, Aron and Panaousis, Emmanouil ORCID: https://orcid.org/0000-0001-7306-4062 (2021) Data-driven decision support for optimizing cyber forensic investigations. IEEE Transactions on Information Forensics and Security, 16. pp. 2397-2412. ISSN 1556-6013 (Print), 1556-6021 (Online) (doi:10.1109/TIFS.2021.3054966)
Preview |
PDF (Author's Accepted Manuscript)
30998 PANAOUSIS_Data-driven_Decision_Support_For_Cyber_Forensic_Investigations_(AAM)_2021.pdf - Accepted Version Download (464kB) | Preview |
Abstract
Cyber attacks consisting of several attack actions can present considerable challenge to forensic investigations. Consider the case where a cybersecurity breach is suspected following the discovery of one attack action, for example by observing the modification of sensitive registry keys, suspicious network traffic patterns, or the abuse of legitimate credentials. At this point, the investigator can have multiple options as to what to check next to discover the rest, and will likely pick one based on experience and training. This will be the case at each new step. We argue that the efficiency of this aspect of the job, which is the selection of what next step to take, can have significant impact on its overall cost (e.g., the duration) of the investigation and can be improved through the application of constrained optimization techniques. Here, we present DISCLOSE, the first data-driven decision support framework for optimizing forensic investigations of cybersecurity breaches. DISCLOSE benefits from a repository of known adversarial tactics, techniques, and procedures (TTPs), for each of which it harvests threat intelligence information to calculate its probabilistic relations with the rest. These relations, as well as a proximity parameter derived from the projection of quantitative data regarding the adversarial TTPs on an attack life cycle model, are both used as input to our optimization framework. We show the feasibility of this approach in a case study that consists of 31 adversarial TTPs, data collected from 6 interviews with experienced cybersecurity professionals and data extracted from the MITRE ATT&CK STIX repository and the Common Vulnerability Scoring System (CVSS).
Item Type: | Article |
---|---|
Uncontrolled Keywords: | cyber forensics, digital forensics, multi-stage attacks, decision support, optimization |
Subjects: | Q Science > QA Mathematics > QA75 Electronic computers. Computer science |
Faculty / School / Research Centre / Research Group: | Faculty of Engineering & Science Faculty of Engineering & Science > Internet of Things and Security Research Centre (ISEC) Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS) |
Last Modified: | 10 Mar 2022 11:00 |
URI: | http://gala.gre.ac.uk/id/eprint/30998 |
Actions (login required)
View Item |
Downloads
Downloads per month over past year