Forensic intrusion analysis, i.e., the process of combing through recorded security alerts and audit logs to identify true successful and attempted attacks, remains a formidably difficult problem in practice. The biggest cause of this problem is the high rate of false positives in the sensors and analytic tools used by intrusion detection systems (IDSs) to detect malicious activities — automated analysis is currently unable to differentiate the nearly certain attacks from those that are merely possible. Standard Bayesian theory has not been effective in this regard because of the impossibility of good prior knowledge such as probability of attack. The second biggest cause of the problem is that the "evidence" has to be put together from multiple sources with varying semantics and flaws. We cannot efficiently account for correlation and duplication, in addition to the false positives, among these sources. All this contributes to tremendous uncertainty in analysis, which has not been dealt with directly. Finally, we are far from automated forensic analysis — helping a human forensic investigator work more efficiently is the realistic goal at present — but we can apply technical tools in this space and work towards eventual, if distant, automation.
This talk will cover the work that we have been conducting on some of these questions, such as representing and handling uncertainty and correlation in attack analysis, a rigorous theory of hypothesis in digital forensics, and a new kind of incident visualization suitable for forensic investigation. We will end with some open problems, both theoretical and practical, that need to be addressed in this space.
S. Raj Rajagopalan is a Research Scientist at HP Labs in Princeton, NJ, where he is a member of the Cloud and Security Lab. He is currently working in security forensics, intrusion detection, and related areas. He has been with HP since 2004, before which he was at the Security and Cryptology Group in Applied Research at Telcordia (formerly Bellcore).