Forensic Analysis of Network Attacks: Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs

Laetitia Leichtnam; Eric Totel; Nicolas Prigent; Ludovic Me

doi:10.1109/EuroSPW51379.2020.00083

Forensic Analysis of Network Attacks: Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs

Laetitia Leichtnam, Eric Totel, Nicolas Prigent, Ludovic Me

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

When analyzing the security of activities in a highly distributed system, an analyst faces a huge number of events, mainly coming from network supervision mechanisms. To analyze this huge amount of information, the analyst often starts from an indicator of compromise (IoC), an observable that suggests that a compromise may have occurred, and looks for the information related to this IoC as it could help to explain the related security incident. This approach is referred to as forensic analysis. In this paper, we propose an approach to treat automatically network events to provide the analyst with a new way to determine the subset of information related to a given IoC. This approach relies firstly on the generation of graphs between so-called "Security Objects"that are built from the logged network events, and secondly on the automatic processing of these graphs based on graphs communities analysis.

Original language	English
Title of host publication	Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	565-573
Number of pages	9
ISBN (Electronic)	9781728185972
DOIs	https://doi.org/10.1109/EuroSPW51379.2020.00083
Publication status	Published - 1 Sept 2020
Externally published	Yes
Event	5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020 - Virtual, Genoa, Italy Duration: 7 Sept 2020 → 11 Sept 2020

Publication series

Name	Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020

Conference

Conference	5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
Country/Territory	Italy
City	Virtual, Genoa
Period	7/09/20 → 11/09/20

Keywords

forensic
intrusion detection

Access to Document

10.1109/EuroSPW51379.2020.00083

Cite this

Leichtnam, L., Totel, E., Prigent, N., & Me, L. (2020). Forensic Analysis of Network Attacks: Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs. In Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020 (pp. 565-573). Article 9229766 (Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/EuroSPW51379.2020.00083

Leichtnam, Laetitia ; Totel, Eric ; Prigent, Nicolas et al. / Forensic Analysis of Network Attacks : Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs. Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020. Institute of Electrical and Electronics Engineers Inc., 2020. pp. 565-573 (Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020).

@inproceedings{c8a06344f0454ea3b108de8926da76db,

title = "Forensic Analysis of Network Attacks: Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs",

abstract = "When analyzing the security of activities in a highly distributed system, an analyst faces a huge number of events, mainly coming from network supervision mechanisms. To analyze this huge amount of information, the analyst often starts from an indicator of compromise (IoC), an observable that suggests that a compromise may have occurred, and looks for the information related to this IoC as it could help to explain the related security incident. This approach is referred to as forensic analysis. In this paper, we propose an approach to treat automatically network events to provide the analyst with a new way to determine the subset of information related to a given IoC. This approach relies firstly on the generation of graphs between so-called {"}Security Objects{"}that are built from the logged network events, and secondly on the automatic processing of these graphs based on graphs communities analysis.",

keywords = "forensic, intrusion detection",

author = "Laetitia Leichtnam and Eric Totel and Nicolas Prigent and Ludovic Me",

note = "Publisher Copyright: {\textcopyright} 2020 IEEE.; 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020 ; Conference date: 07-09-2020 Through 11-09-2020",

year = "2020",

month = sep,

day = "1",

doi = "10.1109/EuroSPW51379.2020.00083",

language = "English",

series = "Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "565--573",

booktitle = "Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020",

}

Leichtnam, L, Totel, E, Prigent, N & Me, L 2020, Forensic Analysis of Network Attacks: Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs. in Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020., 9229766, Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020, Institute of Electrical and Electronics Engineers Inc., pp. 565-573, 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020, Virtual, Genoa, Italy, 7/09/20. https://doi.org/10.1109/EuroSPW51379.2020.00083

Forensic Analysis of Network Attacks: Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs. / Leichtnam, Laetitia; Totel, Eric; Prigent, Nicolas et al.
Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020. Institute of Electrical and Electronics Engineers Inc., 2020. p. 565-573 9229766 (Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Forensic Analysis of Network Attacks

T2 - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020

AU - Leichtnam, Laetitia

AU - Totel, Eric

AU - Prigent, Nicolas

AU - Me, Ludovic

PY - 2020/9/1

Y1 - 2020/9/1

N2 - When analyzing the security of activities in a highly distributed system, an analyst faces a huge number of events, mainly coming from network supervision mechanisms. To analyze this huge amount of information, the analyst often starts from an indicator of compromise (IoC), an observable that suggests that a compromise may have occurred, and looks for the information related to this IoC as it could help to explain the related security incident. This approach is referred to as forensic analysis. In this paper, we propose an approach to treat automatically network events to provide the analyst with a new way to determine the subset of information related to a given IoC. This approach relies firstly on the generation of graphs between so-called "Security Objects"that are built from the logged network events, and secondly on the automatic processing of these graphs based on graphs communities analysis.

AB - When analyzing the security of activities in a highly distributed system, an analyst faces a huge number of events, mainly coming from network supervision mechanisms. To analyze this huge amount of information, the analyst often starts from an indicator of compromise (IoC), an observable that suggests that a compromise may have occurred, and looks for the information related to this IoC as it could help to explain the related security incident. This approach is referred to as forensic analysis. In this paper, we propose an approach to treat automatically network events to provide the analyst with a new way to determine the subset of information related to a given IoC. This approach relies firstly on the generation of graphs between so-called "Security Objects"that are built from the logged network events, and secondly on the automatic processing of these graphs based on graphs communities analysis.

KW - forensic

KW - intrusion detection

U2 - 10.1109/EuroSPW51379.2020.00083

DO - 10.1109/EuroSPW51379.2020.00083

M3 - Conference contribution

AN - SCOPUS:85097047020

T3 - Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020

SP - 565

EP - 573

BT - Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 7 September 2020 through 11 September 2020

ER -

Leichtnam L, Totel E, Prigent N, Me L. Forensic Analysis of Network Attacks: Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs. In Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020. Institute of Electrical and Electronics Engineers Inc. 2020. p. 565-573. 9229766. (Proceedings - 5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020). doi: 10.1109/EuroSPW51379.2020.00083

Forensic Analysis of Network Attacks: Restructuring Security Events as Graphs and Identifying Strongly Connected Sub-graphs

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this