Data-driven decision support for optimizing cyber forensic investigations

Nisioti, Antonia, Loukas, George ORCID: 0000-0003-3559-5182, Laszka, Aron and Panaousis, Emmanouil ORCID: 0000-0001-7306-4062 (2021) Data-driven decision support for optimizing cyber forensic investigations. IEEE Transactions on Information Forensics and Security, 16. pp. 2397-2412. ISSN 1556-6013 (Print), 1556-6021 (Online) (doi:

PDF (Author's Accepted Manuscript)
30998 PANAOUSIS_Data-driven_Decision_Support_For_Cyber_Forensic_Investigations_(AAM)_2021.pdf - Accepted Version


Cyber attacks consisting of several attack actions can present a considerable challenge to forensic investigations. Consider the case where a cybersecurity breach is suspected following the discovery of one attack action, for example by observing the modification of sensitive registry keys, suspicious network traffic patterns, or the abuse of legitimate credentials. At this point, the investigator can have multiple options as to what to check next to discover the rest, and will likely pick one based on experience and training. This will be the case at each new step. We argue that the efficiency of this aspect of the job, which is the selection of what next step to take, can have a significant impact on the overall cost (e.g., the duration) of the investigation and can be improved through the application of constrained optimization techniques. Here, we present DISCLOSE, the first data-driven decision support framework for optimizing forensic investigations of cybersecurity breaches. DISCLOSE benefits from a repository of known adversarial tactics, techniques, and procedures (TTPs), for each of which it harvests threat intelligence information to calculate its probabilistic relations with the rest. These relations, as well as a proximity parameter derived from the projection of quantitative data regarding the adversarial TTPs on an attack life cycle model, are both used as input to our optimization framework. We show the feasibility of this approach in a case study that consists of 31 adversarial TTPs, data collected from 6 interviews with experienced cybersecurity professionals, and data extracted from the MITRE ATT&CK STIX repository and the Common Vulnerability Scoring System (CVSS).

Item Type: Article
Uncontrolled Keywords: cyber forensics, digital forensics, multi-stage attacks, decision support, optimization
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Faculty / Department / Research Group: Faculty of Liberal Arts & Sciences
Faculty of Liberal Arts & Sciences > Internet of Things and Security (ISEC)
Faculty of Liberal Arts & Sciences > School of Computing & Mathematical Sciences (CAM)
Last Modified: 19 Apr 2021 08:49
Selected for GREAT 2016: None
Selected for GREAT 2017: None
Selected for GREAT 2018: None
Selected for GREAT 2019: None
Selected for REF2021: None
