A Novel Methodology for Malware Intrusion Attack Path Reconstruction

  • Conference paper
Digital Forensics and Cyber Crime (ICDF2C 2011)

Abstract

After an intrusion has propagated between hosts, or even between networks, determining the propagation path is critical both for assessing the network vulnerabilities that were exploited and for determining the vector and intent of the initial intrusion. This work proposes a novel method for malware intrusion attack path reconstruction that extends post-mortem system state comparison methods with network-level correlation and timeline analysis. It shows that intrusion-related events can be reconstructed at the host level and then correlated between related hosts and networks to reconstruct the overall path of an attack. A case study demonstrates the applicability of the attack path reconstruction technique.

© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

Cite this paper

Shosha, A.F., James, J.I., Gladyshev, P. (2012). A Novel Methodology for Malware Intrusion Attack Path Reconstruction. In: Gladyshev, P., Rogers, M.K. (eds) Digital Forensics and Cyber Crime. ICDF2C 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 88. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35515-8_11

  • DOI: https://doi.org/10.1007/978-3-642-35515-8_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35514-1

  • Online ISBN: 978-3-642-35515-8
