Metadata only
Date
2013-03
Type
- Report
ETH Bibliographie
yes
Altmetrics
Abstract
Presently, forensics analyses of security incidents rely largely on manual, ad-hoc, and very time-consuming processes. A security analyst needs to manually correlate evidence from diverse security logs with know-how about suspected malware and background knowledge on the configuration of an infrastructure to diagnose if, when, and how an incident happened. To improve our understanding of forensics analysis processes, in this work we analyze 200 infections detected within a large operational network during a period of four weeks. Based on the analyzed incidents, we investigate how to correlate data from four commonly-used security sources, namely IDS alerts, reconnaissance and vulnerability reports, blacklists, and a search engine, to expedite manual forensics analysis of compromised systems. We evaluate the complementary utility of the four data sources and, interestingly, find that the search engine provided useful evidence for diagnosing many more incidents than the more traditional security sources, i.e., blacklists and reconnaissance and vulnerability reports. In addition, we build a decision support tool based on a C4.5 decision tree classifier that shows how to combine evidence from the four sources to verify different types of malware, like Torpig, SbBot, and FakeAV. Our evaluation shows that the derived decision tree helps to accurately diagnose infections, while it exhibits comparable performance with a more sophisticated SVM classifier, which however is much less interpretable for non-statisticians. Finally, we identify prominent Snort alerts that were used in our analysis to validate active infections and classify them into different groups based on the type of malicious activity exhibited by the victim host.
Publication status
published
Journal / Series
TIK Report
Volume
Publisher
ETH Zurich, Computer Engineering and Networks Laboratory
Subject
Network forensics; IDS; Malware; Infections
Organisational unit
03234 - Plattner, Bernhard (emeritus) / Plattner, Bernhard (emeritus)