Metadata only
Date: 2013-03
Type: Report
ETH Bibliography: yes
Abstract
Presently, forensic analyses of security incidents rely largely on manual, ad-hoc, and very time-consuming processes. A security analyst needs to manually correlate evidence from diverse security logs with know-how about suspected malware and background knowledge on the configuration of an infrastructure to diagnose if, when, and how an incident happened. To improve our understanding of forensic analysis processes, in this work we analyze 200 infections detected within a large operational network during a period of four weeks. Based on the analyzed incidents, we investigate how to correlate data from four commonly-used security sources, namely IDS alerts, reconnaissance and vulnerability reports, blacklists, and a search engine, to expedite manual forensic analysis of compromised systems. We evaluate the complementary utility of the four data sources and, interestingly, find that the search engine provided useful evidence for diagnosing many more incidents than the more traditional security sources, i.e., blacklists and reconnaissance and vulnerability reports. In addition, we build a decision support tool based on a C4.5 decision tree classifier that shows how to combine evidence from the four sources to verify different types of malware, like Torpig, SdBot, and FakeAV. Our evaluation shows that the derived decision tree helps to accurately diagnose infections, while it exhibits performance comparable to a more sophisticated SVM classifier, which however is much less interpretable for non-statisticians. Finally, we identify prominent Snort alerts that were used in our analysis to validate active infections and classify them into different groups based on the type of malicious activity exhibited by the victim host.
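The abstract describes combining per-host evidence from four sources into a C4.5 decision tree whose rules an analyst can read. The following is an added example, not code or data from the report: a minimal C4.5-style tree (information-gain ratio, grown to purity, without C4.5's pruning or its average-gain filter) over constructed evidence vectors. The feature names, the training records, their labels and the `false_positive` class are all assumptions made here for illustration.

```python
"""Added example (not the report's code or data): a minimal C4.5-style decision
tree that combines one binary evidence bit per data source (IDS alert,
blacklist hit, vulnerability report, search-engine hit) into a diagnosis.
Feature names, training records and labels are constructed for illustration."""
import math
from collections import Counter

# One binary feature per source named in the abstract (names are assumptions).
FEATURES = ("ids_alert", "blacklist_hit", "vuln_report", "search_hit")

# Constructed training set: (evidence vector for one suspected host, diagnosis).
# "false_positive" marks a host the analyst cleared; labels are hypothetical.
TRAINING = [
    ({"ids_alert": 1, "blacklist_hit": 1, "vuln_report": 0, "search_hit": 1}, "Torpig"),
    ({"ids_alert": 1, "blacklist_hit": 1, "vuln_report": 1, "search_hit": 1}, "Torpig"),
    ({"ids_alert": 1, "blacklist_hit": 0, "vuln_report": 0, "search_hit": 1}, "FakeAV"),
    ({"ids_alert": 1, "blacklist_hit": 0, "vuln_report": 1, "search_hit": 1}, "FakeAV"),
    ({"ids_alert": 1, "blacklist_hit": 0, "vuln_report": 1, "search_hit": 0}, "SdBot"),
    ({"ids_alert": 0, "blacklist_hit": 1, "vuln_report": 1, "search_hit": 0}, "SdBot"),
    ({"ids_alert": 0, "blacklist_hit": 0, "vuln_report": 0, "search_hit": 0}, "false_positive"),
    ({"ids_alert": 1, "blacklist_hit": 0, "vuln_report": 0, "search_hit": 0}, "false_positive"),
]


def entropy(values):
    """Shannon entropy (bits) of the class distribution in `values`."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def gain_ratio(records, feature):
    """C4.5 gain ratio of splitting `records` on `feature` (0 if useless)."""
    labels = [label for _, label in records]
    n = len(labels)
    groups = {}
    for evidence, label in records:
        groups.setdefault(evidence[feature], []).append(label)
    remainder = sum(len(g) / n * entropy(g) for g in groups.values())
    gain = entropy(labels) - remainder
    # Split information penalises features that fragment the data many ways;
    # a feature with a single value has split info 0 and cannot be used.
    split_info = entropy([evidence[feature] for evidence, _ in records])
    if gain <= 0 or split_info == 0:
        return 0.0
    return gain / split_info


def build_tree(records, features):
    """Grow the tree to purity. A leaf is a label string; a node is a dict."""
    labels = [label for _, label in records]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not features:
        return majority
    best_ratio, best = max(((gain_ratio(records, f), f) for f in features),
                           key=lambda scored: scored[0])  # ties: first feature wins
    if best_ratio <= 0:
        return majority
    node = {"feature": best, "branches": {}, "default": majority}
    remaining = tuple(f for f in features if f != best)
    for value in sorted({evidence[best] for evidence, _ in records}):
        subset = [(e, l) for e, l in records if e[best] == value]
        node["branches"][value] = build_tree(subset, remaining)
    return node


def classify(tree, evidence):
    """Walk from the root to a leaf; unseen values fall back to the majority."""
    while isinstance(tree, dict):
        tree = tree["branches"].get(evidence.get(tree["feature"]), tree["default"])
    return tree


def rules(tree, path=()):
    """Flatten the tree into (conditions, diagnosis) pairs an analyst can read."""
    if not isinstance(tree, dict):
        return [(path, tree)]
    out = []
    for value, subtree in tree["branches"].items():
        out.extend(rules(subtree, path + ((tree["feature"], value),)))
    return out


TREE = build_tree(TRAINING, FEATURES)

if __name__ == "__main__":
    for conditions, diagnosis in rules(TREE):
        print(" AND ".join(f"{f}={v}" for f, v in conditions), "->", diagnosis)
```

On the constructed data the root split lands on `search_hit`, which mirrors the abstract's finding that the search engine was the most discriminating source; the `rules` output is the interpretability argument made against the SVM in concrete form. A real deployment would need the sources' actual fields (alert signature IDs, blacklist names, CVE matches) as features and a held-out set to measure the tree's error rather than fitting it to purity.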
Publication status: published
Journal / series: TIK Report
Publisher: ETH Zurich, Computer Engineering and Networks Laboratory
Subject: Network forensics; IDS; Malware; Infections
Organisational unit: 03234 - Plattner, Bernhard (emeritus)