Abstract
This paper proposes a new correlation method for the automatic identification of malware traces across multiple computers. The method supports forensic investigations by efficiently identifying patterns in large, complex datasets using link mining techniques. Digital forensic processes are followed to ensure evidence integrity and chain of custody.
© 2011 IFIP International Federation for Information Processing
Cite this paper
Flaglien, A., Franke, K., Arnes, A. (2011). Identifying Malware Using Cross-Evidence Correlation. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics VII. DigitalForensics 2011. IFIP Advances in Information and Communication Technology, vol 361. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24212-0_13
DOI: https://doi.org/10.1007/978-3-642-24212-0_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24211-3
Online ISBN: 978-3-642-24212-0
eBook Packages: Computer Science (R0)