Title: Development and Evaluation of Intelligent Network Forensic System LIFT Using Bayesian Network for Targeted Attack Detection and Prevention

Issue Number: Vol. 7, No. 4
Year of Publication: Dec - 2018
Page Numbers: 344-353
Authors: Ryoichi Sasaki, Hiroshi Yamaki, Yoshio Kakizaki, Kazuki Shimazaki, Masato Terada, Tetsutaro Uehara
Journal Name: International Journal of Cyber-Security and Digital Forensics (IJCSDF) - Hong Kong
DOI: http://dx.doi.org/10.17781/P002473


Recently, the number of cyber attacks targeting companies or government departments has been increasing. Although such organizations are required to prepare countermeasures against targeted attacks, it is very difficult to implement these measures during an attack without the assistance of a support system. Therefore, the authors developed the Live and Intelligent Network Forensic Technologies (LIFT) system, which guides the attack response using artificial intelligence techniques such as a Bayesian network. The system analyzes collected logs, detects clues (signs) of attacks, and then uses a Bayesian network to estimate the probability of an attack from the detected clues. If the resulting certainty factor is large enough, an attack is assumed to be occurring; otherwise, the LIFT system collects additional clues from the logs. Moreover, using knowledge of the relation between each event and the proposed action, the LIFT system guides the operator in implementing countermeasures and/or carries out operations automatically. The authors developed a prototype of the LIFT system and applied it to attack sequences that occurred in the past. As a result, it was confirmed that LIFT detected the clues and events and recommended an appropriate countermeasure, since the abnormal clue ceased once the recommended countermeasure was carried out.
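The inference loop described in the abstract (estimate the attack probability from detected clues, declare an attack above a threshold, otherwise request further clues and map the event to a countermeasure) is illustrated below with an added example that is not taken from the paper or the LIFT prototype. It assumes a hypothetical two-layer Bayesian network (one attack node with conditionally independent clue nodes), and all clue names, probabilities and countermeasure mappings are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

# Hypothetical network: a single "targeted attack" node whose children are
# conditionally independent clue nodes. Values are constructed, not LIFT's own.
ATTACK_PRIOR = 0.05
CLUES: Dict[str, Tuple[float, float]] = {
    # clue: (P(clue present | attack), P(clue present | no attack))
    "suspicious_email_attachment": (0.80, 0.10),
    "unusual_outbound_connection": (0.70, 0.05),
    "privilege_escalation_event": (0.60, 0.02),
}
COUNTERMEASURES = {  # hypothetical event -> action knowledge base
    "suspicious_email_attachment": "quarantine the attachment and alert the recipient",
    "unusual_outbound_connection": "block the destination at the perimeter firewall",
    "privilege_escalation_event": "isolate the host and revoke the elevated session",
}


def likelihood_ratio(clue: str) -> float:
    """How strongly a positive finding of this clue favours the attack hypothesis."""
    p_attack, p_benign = CLUES[clue]
    return p_attack / p_benign


def attack_posterior(observed: Dict[str, bool], prior: float = ATTACK_PRIOR) -> float:
    """P(attack | observed clues). Unobserved clues are marginalised out, which in
    this structure means they contribute no factor at all."""
    p_attack, p_benign = prior, 1.0 - prior
    for clue, present in observed.items():
        given_attack, given_benign = CLUES[clue]
        p_attack *= given_attack if present else 1.0 - given_attack
        p_benign *= given_benign if present else 1.0 - given_benign
    return p_attack / (p_attack + p_benign)


def next_clue_to_collect(observed: Dict[str, bool]) -> Optional[str]:
    """Heuristic stand-in for LIFT's clue selection: ask for the unobserved clue
    whose positive finding would move the belief the most."""
    candidates = [c for c in CLUES if c not in observed]
    return max(candidates, key=likelihood_ratio) if candidates else None


def decide(observed: Dict[str, bool], threshold: float = 0.8) -> dict:
    """One step of the loop: declare an attack once the certainty factor clears the
    threshold and recommend the action tied to the strongest observed clue;
    otherwise request another clue from the logs."""
    p = attack_posterior(observed)
    if p >= threshold:
        strongest = max((c for c, v in observed.items() if v), key=likelihood_ratio, default=None)
        return {"decision": "attack", "probability": p, "action": COUNTERMEASURES.get(strongest)}
    return {"decision": "collect_more", "probability": p, "next_clue": next_clue_to_collect(observed)}
```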