Abstract
Cyber attacks on the systems that support an enterprise’s mission can significantly impact its objectives. This chapter describes a layered graphical model designed to support forensic investigations by quantifying the mission impacts of cyber attacks. The model has three layers: (i) an upper layer that models the operational tasks, and their interdependencies, that fulfill mission objectives; (ii) a middle layer that reconstructs attack scenarios based on the interrelationships of the available evidence; and (iii) a lower layer that uses the system calls executed in upper-layer tasks to reconstruct attack steps for which evidence is missing. The graphs constructed from the three layers are employed to compute the impacts of attacks on enterprise missions. The National Vulnerability Database – Common Vulnerability Scoring System scores and forensic investigator estimates are used to compute the mission impacts. A case study is presented to demonstrate the utility of the graphical model.
Copyright information
© 2018 IFIP International Federation for Information Processing
About this paper
Cite this paper
Liu, C., Singhal, A., Wijesekera, D. (2018). A Layered Graphical Model for Cloud Forensic Mission Attack Impact Analysis. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIV. DigitalForensics 2018. IFIP Advances in Information and Communication Technology, vol 532. Springer, Cham. https://doi.org/10.1007/978-3-319-99277-8_15
DOI: https://doi.org/10.1007/978-3-319-99277-8_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99276-1
Online ISBN: 978-3-319-99277-8
eBook Packages: Computer Science, Computer Science (R0)