Skip navigation

Data-driven decision support for optimizing cyber forensic investigations

Data-driven decision support for optimizing cyber forensic investigations

Nisioti, Antonia, Loukas, George ORCID logoORCID: https://orcid.org/0000-0003-3559-5182, Laszka, Aron and Panaousis, Emmanouil ORCID logoORCID: https://orcid.org/0000-0001-7306-4062 (2021) Data-driven decision support for optimizing cyber forensic investigations. IEEE Transactions on Information Forensics and Security, 16. pp. 2397-2412. ISSN 1556-6013 (Print), 1556-6021 (Online) (doi:10.1109/TIFS.2021.3054966)

[thumbnail of Author's Accepted Manuscript]
Preview
PDF (Author's Accepted Manuscript)
30998 PANAOUSIS_Data-driven_Decision_Support_For_Cyber_Forensic_Investigations_(AAM)_2021.pdf - Accepted Version

Download (464kB) | Preview

Abstract

Cyber attacks consisting of several attack actions can present considerable challenge to forensic investigations. Consider the case where a cybersecurity breach is suspected following the discovery of one attack action, for example by observing the modification of sensitive registry keys, suspicious network traffic patterns, or the abuse of legitimate credentials. At this point, the investigator can have multiple options as to what to check next to discover the rest, and will likely pick one based on experience and training. This will be the case at each new step. We argue that the efficiency of this aspect of the job, which is the selection of what next step to take, can have significant impact on its overall cost (e.g., the duration) of the investigation and can be improved through the application of constrained optimization techniques. Here, we present DISCLOSE, the first data-driven decision support framework for optimizing forensic investigations of cybersecurity breaches. DISCLOSE benefits from a repository of known adversarial tactics, techniques, and procedures (TTPs), for each of which it harvests threat intelligence information to calculate its probabilistic relations with the rest. These relations, as well as a proximity parameter derived from the projection of quantitative data regarding the adversarial TTPs on an attack life cycle model, are both used as input to our optimization framework. We show the feasibility of this approach in a case study that consists of 31 adversarial TTPs, data collected from 6 interviews with experienced cybersecurity professionals and data extracted from the MITRE ATT&CK STIX repository and the Common Vulnerability Scoring System (CVSS).

Item Type: Article
Uncontrolled Keywords: cyber forensics, digital forensics, multi-stage attacks, decision support, optimization
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Faculty / School / Research Centre / Research Group: Faculty of Engineering & Science
Faculty of Engineering & Science > Internet of Things and Security Research Centre (ISEC)
Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS)
Last Modified: 10 Mar 2022 11:00
URI: http://gala.gre.ac.uk/id/eprint/30998

Actions (login required)

View Item View Item

Downloads

Downloads per month over past year

View more statistics