Logic-based Attribution and Forensics in Cyber Security

The AF-Cyber (Logic-based Attribution and Forensics in Cyber Security) project has studied the problem of attribution and digital investigation of cyber-attacks. The investigation of cyber-attacks is the process performed by cyber-security experts and forensics investigators, where the main goals are to identify, acquire, store, and analyse the evidence left after a cyber-attack. Performing a correct and swift investigation is crucial, as it permits to understand the vulnerabilities exploited, to put in place mitigative and preventive countermeasures, and discover who may be responsible the attack; this latter process is called attribution.

Analysing and attributing cyber-attacks is a difficult process as the evidence gathered may be contradictory especially when attackers use anti-forensics and deceptive techniques. Currently, attribution of cyber-attacks is mainly a manual process, performed by the forensic investigators, and is strictly bound by the knowledge of the investigator. Thus, is easily human biased and error-prone. Furthermore, investigators need to deal with an enormous amount of data that requires filtering, classification, and analysis.

AF-Cyber worked on formal methods and AI techniques that help the forensics investigators during the analysis and attribution of cyber-attacks. AF-Cyber developed a novel logic-based automatic reasoner, that given the cyber forensics evidence of an attack and information about its social aspects can assist the forensic investigators during the analysis and attribution process. AF-Cyber alleviates the work of the investigators as it: provides a solution for filtering the enormous amount of evidence; enables the investigator to identify a set of evidence that is consistent; allows to dynamically pinpoint new evidence that could be collected to reach more precise conclusions.

Specifically, the main project objectives have been:

1) Construct a knowledge base evidence and rules for attribution in cyber-attacks
2 & 3) Develop an automatic logic-based reasoner for representing and reasoning about attribution and provide support to the analyst
4) Design a methodology for dynamic forensic evidence collection

AF-Cyber’s main results are:
• Reducing the used resources during cyber-attack investigation using a novel technique to filter the collected evidence;
• Performing a rapid and goal-oriented analysis of the evidence left after an attack using a new automatic reasoner;
• This reasoner suggests to the user further evidence to be collected and enables investigators to share lessons learned across investigations;
• Novel methodologies to identify threat models and vulnerabilities;
• Innovative security solutions based on argumentation reasoning.

AF-Cyber worked on a real problem that our society (on a global level) is currently facing, i.e. preventing, mitigating, and attributing cyber-attacks. This problem will continue to persist in the future, given the increase of interconnectivity in our everyday life and the sophistication of cyber-attacks. AF-Cyber focused on swiftly identifying and analysing the evidence left after an attack. The results of AF-Cyber will not replace the analyst, as his/her knowledge is crucial but will assist the analyst towards achieving faster and more precise conclusions. AF-Cyber results play an important role in reducing human errors and possible biases as it permits to share lessons learned from past experiences. AF-Cyber solutions will help the analysts to conduct a swift and efficient analysis and attribution, that would permit to put in act efficient mitigative and preventive measures against attacks, and to put in place attacker-oriented countermeasures.

The main achievements are:
• An automatic logic-based reasoner that represents the cyber evidence and the social context of the cyber-attack. This reasoner is based on a novel logical framework that uses preference-based argumentation. This framework uses reasoning rules that describe the process followed by the analyst during the digital investigation of cyber-attacks. It also uses background knowledge, which is a set of general information that is commonly used by forensic investigators during their analysis.
• A novel constructed formalism, called Evidence Logic, that automatically filters the evidence using the analyst’s trust relations. This solution provides a major help in reducing the resources allocated to the identification of useful evidence.
• A new more expressive formalism for filtering cyber forensics evidence, called Time Stamped Logic.
• An algorithmic solution for dynamic evidence collection, where given the partial evidence of an attack and the system’s vulnerabilities, it identifies the nodes where to look for additional evidence.
• Preventive and mitigating security techniques: a solution that identifies and avoids online account vulnerabilities; a system that identifies and represents threats of hybrid systems; applications of preference-based argumentation to ensure the quality of shared data, network security, and security problems in other industries.
The results of AF-Cyber were disseminated through 6 peer-reviewed publications all accessible as Green Open Access. Furthermore, AF-Cyber results were disseminated in 12 scientific talks in international research institutes/conferences/workshops/seminars. Particular attention was placed on disseminating the results to the general public, where AF-Cyber was part of 7 public engagement activities.

The work performed during AF-Cyber is novel and relevant to our current interconnected society. AF-Cyber studied a very important problem, which is to help forensics analysts during the investigation of cyber-attacks. The direct implication of this work is a reduction of the resources used during these investigations. In particular, these translate into a faster analysis, and quick responses to attacks with efficient and attacker-oriented countermeasures. Given the increasing interconnectivity in our society, the work of AF-Cyber helps to discover cyber-criminals and to protect our society’s cyberspace.

The main contributions beyond the state of the art are:
• The construction of the first automatic logic-based reasoner for analysing and attributing cyber-attacks based on argumentation and abductive reasoning. This novel reasoner is the first that can deal with technical and social evidence while working with incomplete and conflicting pieces of evidence. This is the first time that a social model is used for solving the problem of cyber-attacks investigation together with the use of formal methods and AI techniques.
• The development of two novel formalisms that filter the evidence using the analyst’s trust relations. These formalisms are the first ones to deal with the problem of filtering cyber forensics evidence, by using formal methods techniques.
• Introduction of novel security solutions where preference-based argumentation is used to ensure the quality of shared data, network security, and security problems in other industries.
• Introduction of innovative preventive measures, to identify and prevent vulnerabilities and threats.
• A novel algorithmic solution that identifies where to look for evidence, given the partial evidence of an attack and the system’s vulnerabilities. The novelty of this work is the combination of techniques from digital forensics, like TRIAGE and cost-effectiveness, with attack-graphs techniques.