Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers

Research Article

A Novel Methodology for Malware Intrusion Attack Path Reconstruction

  • @INPROCEEDINGS{10.1007/978-3-642-35515-8_11,
        author={Ahmed Shosha and Joshua James and Pavel Gladyshev},
        title={A Novel Methodology for Malware Intrusion Attack Path Reconstruction},
        proceedings={Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2012},
        month={12},
        keywords={Malware Analysis; Attack Path Reconstruction; Digital Forensics; Network Forensics; Automatic Event Reconstruction},
        doi={10.1007/978-3-642-35515-8_11}
    }
    
  • Ahmed Shosha, Joshua James, Pavel Gladyshev. Year: 2012. A Novel Methodology for Malware Intrusion Attack Path Reconstruction. ICDF2C. Springer. DOI: 10.1007/978-3-642-35515-8_11
Ahmed Shosha (1,*), Joshua James (1,*), Pavel Gladyshev (1,*)
  • 1: University College Dublin
*Contact email: ahmed.shosha@ucdconnect.ie, joshua.james@ucd.ie, pavel.gladychev@ucd.ie

Abstract

After an intrusion has propagated between hosts, or even between networks, determining the propagation path is critical to assess exploited network vulnerabilities, and also to determine the vector and intent of the initial intrusion. This work proposes a novel method for malware intrusion attack path reconstruction that extends post-mortem system state comparison methods with network-level correlation and timeline analysis. This work shows that intrusion-related events can be reconstructed at the host level and correlated between related hosts and networks to reconstruct the overall path of an attack. A case study is given that demonstrates the applicability of the attack path reconstruction technique.