European Commission logo
English English
CORDIS - EU research results

Logic-based Attribution and Forensics in Cyber Security

Article Category

Article available in the following languages:

Automated tool strengthens cybercrime fight

A logic-based tool could help analysts to efficiently and accurately assess cyberattacks and strengthen cybersecurity.

Security icon Security

In our homes and offices, we are surrounded by smart devices designed to make life easier. These devices enable us to connect with each other, keep fit and healthy and work more efficiently. “Connectivity is an important component not only in everyday life but across all sectors,” says AF-Cyber Marie Skłodowska-Curie Individual Fellowship recipient Erisa Karafili, now a lecturer in cybersecurity at the University of Southampton, UK. “Think about the tracing apps that different countries are developing and using to keep the spread of the COVID-19 virus under control.” The downside of living in such a connected world is that we are now more susceptible to cyberattacks. Increased connectivity has brought about an unprecedented loss of privacy, where data – even private data – can be collected and used without us knowing or even noticing. “Phenomena like cyberbullying and vote manipulation have also increased,” adds Karafili. “In 2015, there was even an example of a car being successfully hacked remotely.” A key problem in tackling cyberattacks is that when these connected devices were first developed, strong security features were not a priority. Educating users to adopt stronger passwords, to not open suspicious emails and to not share private information online also remains an ongoing challenge.

Supporting cybercrime investigation

The AF-Cyber project, hosted by Imperial College London, UK, has sought to strengthen our defences against cyberattacks with the development of a logic-based analytical tool. This project’s goal was to help analysts in their assessments and attributions of cyberattacks. Karafili studied how past attacks were assessed and attributed. Attribution is the process of identifying where the attack came from, and who the perpetrator of the attack was. A thorough analysis was performed, with all evidence categorised. Karafili next set about developing a tool to emulate the reasoning and investigation process typically followed by security analysts. The created reasoner was then implemented, validated and evaluated. “While working on providing support to cyberattack analysts, we identified and worked on solving other related problems,” she notes. “These included reducing the amount of evidence that analysts need to examine. This was achieved by automatically filtering evidence and identifying crucial evidence that analysts can then collect.” The main challenge faced was finding datasets to test the tool. “One reason for this is that attributing cyberattacks can be a controversial subject,” she explains. “Often, you might find different attributions for the same cyberattack.” Karafili therefore focused most of her work on providing analytical support, through the suggestion of probable investigation paths to follow, possible crucial missing evidence and possible explanations for the given results.

Towards full automation

The main result of the AF-Cyber project has been the construction of the first automatic, logic-based reasoner for analysing and attributing cyberattacks. This was the first time that a social model was used to help cyberattack investigations, along with formal analysis methods and AI techniques. The social model used represented how real cybercrime analysts perform their investigations. “This project laid the theoretical foundations on which new tools can be developed,” Karafili points out. “I am currently working on integrating the technology developed in AF-Cyber into existing cyberattack analysis tools.” Karafili is confident that AF-Cyber represents an important stepping-stone towards full automation of cyberattack analysis and attribution.


AF-Cyber, cyberattack, cybercrime, connectivity, apps, data, cyberbullying, security, logic-based

Discover other articles in the same domain of application