{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T12:11:34Z","timestamp":1763467894283,"version":"3.41.0"},"reference-count":39,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2008,10,1]],"date-time":"2008-10-01T00:00:00Z","timestamp":1222819200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["627409"],"award-info":[{"award-number":["627409"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2008,10]]},"abstract":"<jats:p>In this article we develop a novel graph-based approach toward network forensics analysis. Central to our approach is the evidence graph model that facilitates evidence presentation and automated reasoning. Based on the evidence graph, we propose a hierarchical reasoning framework that consists of two levels. Local reasoning aims to infer the functional states of network entities from local observations. Global reasoning aims to identify important entities from the graph structure and extract groups of densely correlated participants in the attack scenario. This article also presents a framework for interactive hypothesis testing, which helps to identify the attacker's nonexplicit attack activities from secondary evidence. We developed a prototype system that implements the techniques discussed. Experimental results on various attack datasets demonstrate that our analysis mechanism achieves good coverage and accuracy in attack group and scenario extraction with less dependence on hard-coded expert knowledge.<\/jats:p>","DOI":"10.1145\/1410234.1410238","type":"journal-article","created":{"date-parts":[[2008,11,6]],"date-time":"2008-11-06T13:49:43Z","timestamp":1225979383000},"page":"1-33","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":57,"title":["A Graph Based Approach Toward Network Forensics Analysis"],"prefix":"10.1145","volume":"12","author":[{"given":"Wei","family":"Wang","sequence":"first","affiliation":[{"name":"Iowa State University"}]},{"given":"Thomas E.","family":"Daniels","sequence":"additional","affiliation":[{"name":"Iowa State University"}]}],"member":"320","published-online":{"date-parts":[[2008,10]]},"reference":[{"doi-asserted-by":"crossref","unstructured":"Carrier B. D. and Spafford E. H. 2004. Defining event reconstruction of digital crime scenes. J. Forensic Sci. Carrier B. D. and Spafford E. H. 2004. Defining event reconstruction of digital crime scenes. J. Forensic Sci.","key":"e_1_2_1_1_1","DOI":"10.1520\/JFS2004127"},{"volume-title":"Proceedings of the 18th International Conference of t he North American Fuzzy Information Processing Society (NAFIPS'99)","author":"Carvalho J. P.","unstructured":"Carvalho , J. P. and Tome , J. A. B. 1999a. Rule Based Fuzzy Cognitive Maps and Fuzzy Cognitive Maps - A Comparative Study . In Proceedings of the 18th International Conference of t he North American Fuzzy Information Processing Society (NAFIPS'99) . New York. Carvalho, J. P. and Tome, J. A. B. 1999a. Rule Based Fuzzy Cognitive Maps and Fuzzy Cognitive Maps - A Comparative Study. In Proceedings of the 18th International Conference of t he North American Fuzzy Information Processing Society (NAFIPS'99). New York.","key":"e_1_2_1_2_1"},{"volume-title":"Proceedings of the 8th International Fuzzy Systems Association World Congress (IFSA'99)","author":"Carvalho J. P.","unstructured":"Carvalho , J. P. and Tome , J. A. B. 1999b. Rule-Based Fuzzy Cognitive Maps: Fuzzy Causal Relations . In Proceedings of the 8th International Fuzzy Systems Association World Congress (IFSA'99) . Taiwan. Carvalho, J. P. and Tome, J. A. B. 1999b. Rule-Based Fuzzy Cognitive Maps: Fuzzy Causal Relations. In Proceedings of the 8th International Fuzzy Systems Association World Congress (IFSA'99). Taiwan.","key":"e_1_2_1_3_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_4_1","DOI":"10.5555\/872016.872176"},{"volume-title":"Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP'02)","author":"Cuppens F.","unstructured":"Cuppens , F. and Miege , A . 2002. Alert Correlation in a Cooperative Intrusion Detection Framework . In Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP'02) . Cuppens, F. and Miege, A. 2002. Alert Correlation in a Cooperative Intrusion Detection Framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP'02).","key":"e_1_2_1_5_1"},{"volume-title":"Proceedings of the 2001 IEEE Workshop on Information Assurance and Security (IAW'01)","author":"Dain O.","unstructured":"Dain , O. and Cunningham , R . 2001a. Building scenarios from a heterogeneous alert stream . In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security (IAW'01) . 231--235. Dain, O. and Cunningham, R. 2001a. Building scenarios from a heterogeneous alert stream. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security (IAW'01). 231--235.","key":"e_1_2_1_6_1"},{"volume-title":"Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications (DMSA'01)","author":"Dain O.","unstructured":"Dain , O. and Cunningham , R . 2001b. Fusing a heterogeneous alert stream into scenarios . In Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications (DMSA'01) . 1--13. Dain, O. and Cunningham, R. 2001b. Fusing a heterogeneous alert stream into scenarios. In Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications (DMSA'01). 1--13.","key":"e_1_2_1_7_1"},{"unstructured":"DARPA. MIT Lincoln Lab 2000 DARPA intrusion detection scenario specific datasets. Retrieved from http:\/\/www.ll.mit.edu\/IST\/ideval\/data\/2000\/index.html.  DARPA. MIT Lincoln Lab 2000 DARPA intrusion detection scenario specific datasets. Retrieved from http:\/\/www.ll.mit.edu\/IST\/ideval\/data\/2000\/index.html.","key":"e_1_2_1_8_1"},{"doi-asserted-by":"crossref","unstructured":"Debar H. Dacer M. and Wespi A. 1999. A revised taxonomy for intrusion-detection systems. In IBM Research Report. Debar H. Dacer M. and Wespi A. 1999. A revised taxonomy for intrusion-detection systems. In IBM Research Report .","key":"e_1_2_1_9_1","DOI":"10.1016\/S1389-1286(98)00017-6"},{"doi-asserted-by":"publisher","key":"e_1_2_1_10_1","DOI":"10.5555\/645839.670735"},{"key":"e_1_2_1_11_1","volume-title":"Statl: An attack language for state-based intrusion detection. Dept. of Computer Science","author":"Eckmann S.","year":"2000","unstructured":"Eckmann , S. , Vigna , G. , and Kemmerer , R . 2000 . Statl: An attack language for state-based intrusion detection. Dept. of Computer Science , University of California , Santa Barbara . Eckmann, S., Vigna, G., and Kemmerer, R. 2000. Statl: An attack language for state-based intrusion detection. Dept. of Computer Science, University of California, Santa Barbara."},{"unstructured":"EnCase. EnCase Forensic Tool. Available at http:\/\/www.guidancesoftware.com.  EnCase. EnCase Forensic Tool. Available at http:\/\/www.guidancesoftware.com.","key":"e_1_2_1_12_1"},{"unstructured":"eTrust. eTrust Network Forensics Solution. Available at http:\/\/www3.ca.com\/.  eTrust. eTrust Network Forensics Solution. Available at http:\/\/www3.ca.com\/.","key":"e_1_2_1_13_1"},{"unstructured":"Flowtools. flow-tools. Retrieved from http:\/\/www.splintered.net\/sw\/flow-tools\/.  Flowtools. flow-tools. Retrieved from http:\/\/www.splintered.net\/sw\/flow-tools\/.","key":"e_1_2_1_14_1"},{"unstructured":"IDMEF. Intrusion Detection Message Exchange Format. Internet draft available at http:\/\/www.ietf.org\/internet-drafts\/draft-ietf-idwg-idmef-xml-14.txt.  IDMEF. Intrusion Detection Message Exchange Format. Internet draft available at http:\/\/www.ietf.org\/internet-drafts\/draft-ietf-idwg-idmef-xml-14.txt.","key":"e_1_2_1_15_1"},{"unstructured":"Institute for Security Technology Studies. 2004. Law enforcement tools and technologies for investigating cyber attacks: Gap analysis report. Retrieved from http:\/\/www.ists.dartmouth.edu. Institute for Security Technology Studies. 2004. Law enforcement tools and technologies for investigating cyber attacks: Gap analysis report. Retrieved from http:\/\/www.ists.dartmouth.edu.","key":"e_1_2_1_16_1"},{"unstructured":"Jajodia S. Noels S. and O'Berry B. 2005. Topological analysis of network attack vulnerability. Managing Cyber Threats: Issues Approaches and Challenges. Jajodia S. Noels S. and O'Berry B. 2005. Topological analysis of network attack vulnerability. Managing Cyber Threats: Issues Approaches and Challenges .","key":"e_1_2_1_17_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_18_1","DOI":"10.5555\/872016.872179"},{"doi-asserted-by":"publisher","key":"e_1_2_1_19_1","DOI":"10.1145\/950191.950192"},{"volume-title":"Proceedings of the 1st Workshop on the Detection of Intrusions and Malware Vulnerability Assessment (DIMVA'04)","author":"Kruegel C.","unstructured":"Kruegel , C. and Robertson , W . 2004. Alert Verification: Determing the success of intrusion attempts . In Proceedings of the 1st Workshop on the Detection of Intrusions and Malware Vulnerability Assessment (DIMVA'04) . Dortmund, Germany. Kruegel, C. and Robertson, W. 2004. Alert Verification: Determing the success of intrusion attempts. In Proceedings of the 1st Workshop on the Detection of Intrusions and Malware Vulnerability Assessment (DIMVA'04). Dortmund, Germany.","key":"e_1_2_1_20_1"},{"unstructured":"LEDA. LEDA graph library. Retrieved from http:\/\/www.algorithmic-solutions.com\/enleda.htm.  LEDA. LEDA graph library. Retrieved from http:\/\/www.algorithmic-solutions.com\/enleda.htm.","key":"e_1_2_1_21_1"},{"volume-title":"Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03)","author":"Morin B.","unstructured":"Morin , B. and Debar , H . 2003. Correlation of intrusion symptoms: an application of chronicles . In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03) . Morin, B. and Debar, H. 2003. Correlation of intrusion symptoms: an application of chronicles. In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03).","key":"e_1_2_1_22_1"},{"unstructured":"NetDetector. Available at http:\/\/www.niksun.com\/Products-NetDetector.htm.  NetDetector. Available at http:\/\/www.niksun.com\/Products-NetDetector.htm.","key":"e_1_2_1_23_1"},{"unstructured":"NetFlow. Cisco IOS NetFlow protocol. Retrieved from http:\/\/www.cisco.com\/en\/US\/products\/ps6601\/home.html.  NetFlow. Cisco IOS NetFlow protocol. Retrieved from http:\/\/www.cisco.com\/en\/US\/products\/ps6601\/home.html.","key":"e_1_2_1_24_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_25_1","DOI":"10.1145\/586110.586144"},{"doi-asserted-by":"publisher","key":"e_1_2_1_26_1","DOI":"10.1145\/948109.948137"},{"doi-asserted-by":"publisher","key":"e_1_2_1_27_1","DOI":"10.1145\/1042031.1042036"},{"doi-asserted-by":"publisher","key":"e_1_2_1_28_1","DOI":"10.1145\/310889.310919"},{"volume-title":"Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03)","author":"Qin X.","unstructured":"Qin , X. and Lee , W . 2003. Statistical causality analysis of INFOSEC alert data . In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03) . Qin, X. and Lee, W. 2003. Statistical causality analysis of INFOSEC alert data. In Proceedings of the 6th International Symposium on Recent Advances in Intrusion Detection (RAID'03).","key":"e_1_2_1_29_1"},{"volume-title":"Proceedings of the 9th European Symposium on Research in Computer Security (ESORICS'04)","author":"Qin X.","unstructured":"Qin , X. and Lee , W . 2004. Discovering novel attack strategies from INFOSEC alerts . In Proceedings of the 9th European Symposium on Research in Computer Security (ESORICS'04) . Qin, X. and Lee, W. 2004. Discovering novel attack strategies from INFOSEC alerts. In Proceedings of the 9th European Symposium on Research in Computer Security (ESORICS'04).","key":"e_1_2_1_30_1"},{"volume-title":"Proceedings of the 2nd International Workshop on Verification, Model Checking and Abstract Interpretation (UMCAI'98)","author":"Ramakrishnan C.","unstructured":"Ramakrishnan , C. and Sekar , R . 1998. Model-based vulnerability analysis of computer systems . In Proceedings of the 2nd International Workshop on Verification, Model Checking and Abstract Interpretation (UMCAI'98) . Ramakrishnan, C. and Sekar, R. 1998. Model-based vulnerability analysis of computer systems. In Proceedings of the 2nd International Workshop on Verification, Model Checking and Abstract Interpretation (UMCAI'98).","key":"e_1_2_1_31_1"},{"doi-asserted-by":"publisher","key":"e_1_2_1_32_1","DOI":"10.5555\/882494.884423"},{"unstructured":"Safeback. SafeBack Bit Stream Backup Software. Available at http:\/\/www.forensics-intl.com\/safeback.html.  Safeback. SafeBack Bit Stream Backup Software. Available at http:\/\/www.forensics-intl.com\/safeback.html.","key":"e_1_2_1_33_1"},{"volume-title":"Proceedings of the Second International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security (MMM'03)","author":"Shanmugasundaram K.","unstructured":"Shanmugasundaram , K. , Memon , N. , Savant , A. , and Bronnimann , H . 2003. ForNet: A Distributed Forensics Network . In Proceedings of the Second International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security (MMM'03) . Shanmugasundaram, K., Memon, N., Savant, A., and Bronnimann, H. 2003. ForNet: A Distributed Forensics Network. In Proceedings of the Second International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security (MMM'03).","key":"e_1_2_1_34_1"},{"volume-title":"Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP'02)","author":"Sheyner O.","unstructured":"Sheyner , O. , Haines , J. , Jha , S. , Lippmann , R. , and Wing , J. M . 2002. Automated generation and analysis of attack graphs . In Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP'02) . Oakland, CA. Sheyner, O., Haines, J., Jha, S., Lippmann, R., and Wing, J. M. 2002. Automated generation and analysis of attack graphs. In Proceedings of the 2002 IEEE Symposium on Security and Privacy (SP'02). Oakland, CA.","key":"e_1_2_1_35_1"},{"volume-title":"Proceedings of International Symposium on Formal Methods for Components and Objects (FMCO'05)","author":"Sheyner O.","unstructured":"Sheyner , O. and Wing , J. M . 2005. Tools for generating and analyzing attack graphs . In Proceedings of International Symposium on Formal Methods for Components and Objects (FMCO'05) . Sheyner, O. and Wing, J. M. 2005. Tools for generating and analyzing attack graphs. In Proceedings of International Symposium on Formal Methods for Components and Objects (FMCO'05).","key":"e_1_2_1_36_1"},{"volume-title":"Department of Computer Science","author":"Siraj A., M.","unstructured":"Siraj , A., M. Bridges , S. , and B. Vaughn , R. 2001. Fuzzy cognitive maps for decision support in an intelligent intrusion detection system. Tech. rep ., Department of Computer Science , Mississippi State University . Siraj, A., M.Bridges, S., and B.Vaughn, R. 2001. Fuzzy cognitive maps for decision support in an intelligent intrusion detection system. Tech. rep., Department of Computer Science, Mississippi State University.","key":"e_1_2_1_37_1"},{"unstructured":"Softflowd. Retrieved from http:\/\/www.mindrot.com\/softflowd.html.  Softflowd. Retrieved from http:\/\/www.mindrot.com\/softflowd.html.","key":"e_1_2_1_38_1"},{"volume-title":"Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID'01)","author":"Valdes A.","unstructured":"Valdes , A. and Skinner , K . 2001. Probablistic alert correlation . In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID'01) . Valdes, A. and Skinner, K. 2001. Probablistic alert correlation. In Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID'01).","key":"e_1_2_1_39_1"}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1410234.1410238","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1410234.1410238","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T13:29:36Z","timestamp":1750253376000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1410234.1410238"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,10]]},"references-count":39,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2008,10]]}},"alternative-id":["10.1145\/1410234.1410238"],"URL":"https:\/\/doi.org\/10.1145\/1410234.1410238","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"type":"print","value":"1094-9224"},{"type":"electronic","value":"1557-7406"}],"subject":[],"published":{"date-parts":[[2008,10]]},"assertion":[{"value":"2006-06-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-05-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-10-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}