SlideShare ist ein Scribd-Unternehmen logo

Semantically-Enabled Digital Investigations

Als PPTX, PDF herunterladen
I
inbroker

Semantically-enabled Digital Investigations Leveraging Semantic Web technologies for representing, integrating, correlating and querying multi-domain digital forensic data

Technologie
1 von 25
Semantically-enabled Digital Investigations by Spyridon Dosis
Outline • Problem • Background • Developed Method • Demonstration • Conclusions 2015-05-17 ISACA Dagen 2013
Problem Area • Complex attacks against networked systems • Multiple data sources of possible evidentiary value – Volume & Variety – ”looking for a needle in a stack of needles” – Paul Pillar, CIA CoA • Analysis of the collected digital data – Least formalized process step – Rely on investigators’ expertise and experience 2015-05-17 ISACA Dagen 2013
Digital Evidence / Investigations • Reliable digital data that support hypothesizing about a security incident • Sound methods for collecting and interpreting digital data • Reconstruct events found to be criminal (DF) • Investigate and learn from information security breaches (IR)2015-05-17 ISACA Dagen 2013
Forensic Tools • Interpreters between data abstraction layers – e.g. Reconstruct raw disk data into filesystem hierarchy and objects (files, directories) • Evidence- but not investigation- centric design • Limited tool interoperability – Manual integration of tool findings – Multiple (proprietary, undocumented) data formats/models 2015-05-17 ISACA Dagen 2013
A Digital Investigation Example ISACA Dagen 20132015-05-17
Semantic Web & Linked Data Technologies • ”… information is given well-defined meaning, better enabling computers and people to work in cooperation” – (Tim Berners Lee, 2001) • Ontology – ”explicit and formal specification of a conceptualization” – Entities, attributes, relationships • Metadata - Context-based or domain- specific annotation of data • Reason and inference of implicit facts 2015-05-17 ISACA Dagen 2013
Semantic Web Architecture • URI/IRI enables global data object identification • XML provides a machine readable, validatable data encoding scheme • RDF(S) is a metadata data model and knowledge representation language – Subject-Property-Object/Value statements – Class and Property hierarchies • OWL 2 is a more expressive KR language for specifying ontologies – Restrictions, Equivalence, Cardinality, Property Chains • Rule and RDF-query languages 2015-05-17 ISACA Dagen 2013
Method Overview 2015-05-17 ISACA Dagen 2013 Data Collection Semantic Representation Ontological Reasoning Rule-based Reasoning Integrated Query
Domain Ontologies • Introduced a set of lightweight domain-specific OWL ontologies – Storage Media – Network Traffic – Windows Firewall Log, WHOIS RIR DB – Malicious Networks Reputation List – Malware Detection 2015-05-17 ISACA Dagen 2013
Evidence Representation (Graph) 2015-05-17 ISACA Dagen 2013
Semantic Representation • Resource Unique Identification Scheme • Parsing tools able to process each source type with respect to the domain ontology 2015-05-17 ISACA Dagen 2013
Evidence Integration • Automated linking among (homo/hetero-)geneous evidence sources based on key properties & matching rules 2015-05-17 ISACA Dagen 2013
Evidence Correlation • Link instances of dissimilar type across a shared domain • Temporal Correlation – Rules for establishing time instant & interval relations among recovered artifacts • Mereological Correlation – “partOf” transitivity relations 2015-05-17 ISACA Dagen 2013
Semantic Integration & Correlation 2015-05-17 ISACA Dagen 2013
Integrated Query • Purpose-built triplestore (graph) database engine can store the final dataset – Up to billions of triples • SQL-like queries against the integrated/correlated evidence set • Graph pattern matching techniques 2015-05-17 ISACA Dagen 2013
A PoC Instantiation • Evidence Manager • Filtering / Pre-processing • Semantic Parser • Inference Engine • Classification, Inverse & Transitive Properties • Rule & Query Engines2015-05-17 ISACA Dagen 2013
Experiment A 2015-05-17 ISACA Dagen 2013
Experiment B 2015-05-17 ISACA Dagen 2013
Sample Query • “Is any file resident on the disk malicious and if yes where has it been downloaded from and which ISP did the IP belong to?” 2015-05-17 ISACA Dagen 2013
Sample Query SELECT DISTINCT ?pathName ?uri ?ipvalue ?asnumber ?link WHERE { ?file rdf:type digitalmedia:File . ?file digitalmedia:hasPathName ?pathName . ?file digitalmedia:hasMD5 ?md5 . ?httpbody integration:HTTPContentToMediaFile ?file . ?file integration:MediaFileToVTFile ?vtfile . ?vtfile virustotal:hasAVReport ?report . ?report virustotal:hasPermanentLink ?link . ?httpresp http:body ?httpbody . ?httpreq http:requestURI ?uri . ?httpreq http:resp ?httpresp . ?http packetcapture:hasHTTPRequest ?httpreq . ?http rdf:type packetcapture:HTTP . ?tcpflow packetcapture:hasApplicationLayerProtocol ?http . ?tcpflow packetcapture:hasDestinationIP ?destip . ?destip packetcapture:hasIPValue ?ipvalue . ?destip integration:PcapIPToWHOISIpAddr ?whoisip . ?whoisip whois:isContainedInRange ?range . ?range whois:hasRange ?rangeValue . ?range whois:isContainedInAS ?as . ?as whois:hasNetName ?netname . ?as whois:hasASNumber ?asnumber 2015-05-17 ISACA Dagen 2013
Example Hypothesies-Queries • Have there been any unsuccessful connection attempts from systems in the same network as the one that hosted the malicious file? • Which disk files have been created or accessed shortly after the malicious file was downloaded? • Has there been any successful connection between our system and a known malicious host? • Which files have been accessed shortly before the host communicated with any blacklisted network host? • Which websites have been visited by the user shortly before the download of the malicious file? 2015-05-17 ISACA Dagen 2013
Summary • Ability to represent and integrate heterogeneous data • Supports the formulation and execution of complex queries • Expandable (ontologies, rules, queries) • Computational complexity depends on the ontology, rules, amount of data • Reliance to online data sources may affect the accuracy of the results 2015-05-17 ISACA Dagen 2013
Future Work • Advanced reasoning capabilities (e.g. detect anti-forensic inconsistencies) • Extended analysis techniques (e.g. additional data sources, user activities) • Large scale performance evaluation, distributed architecture • User-friendly graphical interface for rule/query formulation and result navigation 2015-05-17 ISACA Dagen 2013
Thank you 2015-05-17 ISACA Dagen 2013

Empfohlen

Data curation and data archiving at different stages of the research process
Data curation and data archiving at different stages of the research processData curation and data archiving at different stages of the research process
Data curation and data archiving at different stages of the research processAndrea Scharnhorst
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics nullowaspmumbai
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEMJohn Hubbard
 
Security Analytics using ELK stack
Security Analytics using ELK stack Security Analytics using ELK stack
Security Analytics using ELK stack Cysinfo Cyber Security Community
 
II-SDV 2016 RightsDirect
II-SDV 2016 RightsDirectII-SDV 2016 RightsDirect
II-SDV 2016 RightsDirectDr. Haxel Consult
 
Seamless access to the world’s open access research papers via ResourceSync
Seamless access to the world’s open access research papers via ResourceSyncSeamless access to the world’s open access research papers via ResourceSync
Seamless access to the world’s open access research papers via ResourceSyncpetrknoth
 
Overview of policies for security and data sharing
Overview of policies for security and data sharingOverview of policies for security and data sharing
Overview of policies for security and data sharingbdemchak
 
2013 CrossRef Workshops Boot Camp CrossCheck Susan Collins
2013 CrossRef Workshops Boot Camp CrossCheck Susan Collins2013 CrossRef Workshops Boot Camp CrossCheck Susan Collins
2013 CrossRef Workshops Boot Camp CrossCheck Susan CollinsCrossref
 

Empfohlen

Data curation and data archiving at different stages of the research process
Data curation and data archiving at different stages of the research processData curation and data archiving at different stages of the research process
Data curation and data archiving at different stages of the research processAndrea Scharnhorst
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics nullowaspmumbai
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEMJohn Hubbard
 
Security Analytics using ELK stack
Security Analytics using ELK stack Security Analytics using ELK stack
Security Analytics using ELK stack Cysinfo Cyber Security Community
 
II-SDV 2016 RightsDirect
II-SDV 2016 RightsDirectII-SDV 2016 RightsDirect
II-SDV 2016 RightsDirectDr. Haxel Consult
 
Seamless access to the world’s open access research papers via ResourceSync
Seamless access to the world’s open access research papers via ResourceSyncSeamless access to the world’s open access research papers via ResourceSync
Seamless access to the world’s open access research papers via ResourceSyncpetrknoth
 
Overview of policies for security and data sharing
Overview of policies for security and data sharingOverview of policies for security and data sharing
Overview of policies for security and data sharingbdemchak
 
2013 CrossRef Workshops Boot Camp CrossCheck Susan Collins
2013 CrossRef Workshops Boot Camp CrossCheck Susan Collins2013 CrossRef Workshops Boot Camp CrossCheck Susan Collins
2013 CrossRef Workshops Boot Camp CrossCheck Susan CollinsCrossref
 
Dataset Descriptions in Open PHACTS and HCLS
Dataset Descriptions in Open PHACTS and HCLSDataset Descriptions in Open PHACTS and HCLS
Dataset Descriptions in Open PHACTS and HCLSAlasdair Gray
 
Linked Open Data and DANS
Linked Open Data and DANSLinked Open Data and DANS
Linked Open Data and DANSvty
 
DataverseNL as structured data hub
DataverseNL as structured data hubDataverseNL as structured data hub
DataverseNL as structured data hubvty
 
Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)DevDays
 
The Rhizomer Semantic Content Management System
The Rhizomer Semantic Content Management SystemThe Rhizomer Semantic Content Management System
The Rhizomer Semantic Content Management SystemRoberto García
 
Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...
Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...
Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...Yuri Shkuro
 
The Reality of Digital Transfer @ArchivesNZ
The Reality of Digital Transfer @ArchivesNZThe Reality of Digital Transfer @ArchivesNZ
The Reality of Digital Transfer @ArchivesNZRoss Spencer
 
Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...
Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...
Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...4Science
 
Introduction of semantic technology for SAS programmers
Introduction of semantic technology for SAS programmersIntroduction of semantic technology for SAS programmers
Introduction of semantic technology for SAS programmersKevin Lee
 
Psicquic tutorial
Psicquic tutorialPsicquic tutorial
Psicquic tutorialRafael C. Jimenez
 
DSpace-CRIS: new features and contribution to the DSpace mainstream
DSpace-CRIS: new features and contribution to the DSpace mainstreamDSpace-CRIS: new features and contribution to the DSpace mainstream
DSpace-CRIS: new features and contribution to the DSpace mainstreamAndrea Bollini
 
Binary Trees? Automatically identifying the links between born-digital records
Binary Trees? Automatically identifying the links between born-digital recordsBinary Trees? Automatically identifying the links between born-digital records
Binary Trees? Automatically identifying the links between born-digital recordsRoss Spencer
 
ICIC 2013 Conference Proceedings Andreas Pesenhofer max.recall
ICIC 2013 Conference Proceedings Andreas Pesenhofer max.recallICIC 2013 Conference Proceedings Andreas Pesenhofer max.recall
ICIC 2013 Conference Proceedings Andreas Pesenhofer max.recallDr. Haxel Consult
 
Duraspace Hot Topics Series 6: Metadata and Repository Services
Duraspace Hot Topics Series 6: Metadata and Repository ServicesDuraspace Hot Topics Series 6: Metadata and Repository Services
Duraspace Hot Topics Series 6: Metadata and Repository ServicesMatthew Critchlow
 
Checksum 101
Checksum 101Checksum 101
Checksum 101Ross Spencer
 
4Science presentes: ORCiD API Tutorial
4Science presentes: ORCiD API Tutorial4Science presentes: ORCiD API Tutorial
4Science presentes: ORCiD API Tutorial4Science
 
New Product Introductions - FIZ Karlsruhe
New Product Introductions - FIZ KarlsruheNew Product Introductions - FIZ Karlsruhe
New Product Introductions - FIZ KarlsruheDr. Haxel Consult
 
Whowas: History of resources at APNIC
Whowas: History of resources at APNICWhowas: History of resources at APNIC
Whowas: History of resources at APNICAPNIC
 
Interoperability is the key: repositories networks promoting the quality and ...
Interoperability is the key: repositories networks promoting the quality and ...Interoperability is the key: repositories networks promoting the quality and ...
Interoperability is the key: repositories networks promoting the quality and ...Pedro Príncipe
 
Ppt novel gue
Ppt novel guePpt novel gue
Ppt novel guelailyfary
 
Overcoming Continuous Delivery Impedance
Overcoming Continuous Delivery ImpedanceOvercoming Continuous Delivery Impedance
Overcoming Continuous Delivery ImpedanceMark Rendell
 
Continuous Delivery with a PaaS Application
Continuous Delivery with a PaaS ApplicationContinuous Delivery with a PaaS Application
Continuous Delivery with a PaaS ApplicationMark Rendell
 

Weitere ähnliche Inhalte

Was ist angesagt?

Dataset Descriptions in Open PHACTS and HCLS
Dataset Descriptions in Open PHACTS and HCLSDataset Descriptions in Open PHACTS and HCLS
Dataset Descriptions in Open PHACTS and HCLSAlasdair Gray
 
Linked Open Data and DANS
Linked Open Data and DANSLinked Open Data and DANS
Linked Open Data and DANSvty
 
DataverseNL as structured data hub
DataverseNL as structured data hubDataverseNL as structured data hub
DataverseNL as structured data hubvty
 
Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)DevDays
 
The Rhizomer Semantic Content Management System
The Rhizomer Semantic Content Management SystemThe Rhizomer Semantic Content Management System
The Rhizomer Semantic Content Management SystemRoberto García
 
Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...
Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...
Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...Yuri Shkuro
 
The Reality of Digital Transfer @ArchivesNZ
The Reality of Digital Transfer @ArchivesNZThe Reality of Digital Transfer @ArchivesNZ
The Reality of Digital Transfer @ArchivesNZRoss Spencer
 
Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...
Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...
Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...4Science
 
Introduction of semantic technology for SAS programmers
Introduction of semantic technology for SAS programmersIntroduction of semantic technology for SAS programmers
Introduction of semantic technology for SAS programmersKevin Lee
 
DSpace-CRIS: new features and contribution to the DSpace mainstream
DSpace-CRIS: new features and contribution to the DSpace mainstreamDSpace-CRIS: new features and contribution to the DSpace mainstream
DSpace-CRIS: new features and contribution to the DSpace mainstreamAndrea Bollini
 
Binary Trees? Automatically identifying the links between born-digital records
Binary Trees? Automatically identifying the links between born-digital recordsBinary Trees? Automatically identifying the links between born-digital records
Binary Trees? Automatically identifying the links between born-digital recordsRoss Spencer
 
ICIC 2013 Conference Proceedings Andreas Pesenhofer max.recall
ICIC 2013 Conference Proceedings Andreas Pesenhofer max.recallICIC 2013 Conference Proceedings Andreas Pesenhofer max.recall
ICIC 2013 Conference Proceedings Andreas Pesenhofer max.recallDr. Haxel Consult
 
Duraspace Hot Topics Series 6: Metadata and Repository Services
Duraspace Hot Topics Series 6: Metadata and Repository ServicesDuraspace Hot Topics Series 6: Metadata and Repository Services
Duraspace Hot Topics Series 6: Metadata and Repository ServicesMatthew Critchlow
 
4Science presentes: ORCiD API Tutorial
4Science presentes: ORCiD API Tutorial4Science presentes: ORCiD API Tutorial
4Science presentes: ORCiD API Tutorial4Science
 
New Product Introductions - FIZ Karlsruhe
New Product Introductions - FIZ KarlsruheNew Product Introductions - FIZ Karlsruhe
New Product Introductions - FIZ KarlsruheDr. Haxel Consult
 
Whowas: History of resources at APNIC
Whowas: History of resources at APNICWhowas: History of resources at APNIC
Whowas: History of resources at APNICAPNIC
 
Interoperability is the key: repositories networks promoting the quality and ...
Interoperability is the key: repositories networks promoting the quality and ...Interoperability is the key: repositories networks promoting the quality and ...
Interoperability is the key: repositories networks promoting the quality and ...Pedro Príncipe
 

Was ist angesagt? (19)

Dataset Descriptions in Open PHACTS and HCLS
Dataset Descriptions in Open PHACTS and HCLSDataset Descriptions in Open PHACTS and HCLS
Dataset Descriptions in Open PHACTS and HCLS
 
Linked Open Data and DANS
Linked Open Data and DANSLinked Open Data and DANS
Linked Open Data and DANS
 
DataverseNL as structured data hub
DataverseNL as structured data hubDataverseNL as structured data hub
DataverseNL as structured data hub
 
Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)Fire kit ios (r-baldwin)
Fire kit ios (r-baldwin)
 
The Rhizomer Semantic Content Management System
The Rhizomer Semantic Content Management SystemThe Rhizomer Semantic Content Management System
The Rhizomer Semantic Content Management System
 
Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...
Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...
Distributed Tracing at UBER Scale: Creating a treasure map for your monitori...
 
The Reality of Digital Transfer @ArchivesNZ
The Reality of Digital Transfer @ArchivesNZThe Reality of Digital Transfer @ArchivesNZ
The Reality of Digital Transfer @ArchivesNZ
 
Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...
Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...
Extending DSpace 7: DSpace-CRIS and DSpace-GLAM for empowered repositories an...
 
Introduction of semantic technology for SAS programmers
Introduction of semantic technology for SAS programmersIntroduction of semantic technology for SAS programmers
Introduction of semantic technology for SAS programmers
 
Psicquic tutorial
Psicquic tutorialPsicquic tutorial
Psicquic tutorial
 
DSpace-CRIS: new features and contribution to the DSpace mainstream
DSpace-CRIS: new features and contribution to the DSpace mainstreamDSpace-CRIS: new features and contribution to the DSpace mainstream
DSpace-CRIS: new features and contribution to the DSpace mainstream
 
Binary Trees? Automatically identifying the links between born-digital records
Binary Trees? Automatically identifying the links between born-digital recordsBinary Trees? Automatically identifying the links between born-digital records
Binary Trees? Automatically identifying the links between born-digital records
 
ICIC 2013 Conference Proceedings Andreas Pesenhofer max.recall
ICIC 2013 Conference Proceedings Andreas Pesenhofer max.recallICIC 2013 Conference Proceedings Andreas Pesenhofer max.recall
ICIC 2013 Conference Proceedings Andreas Pesenhofer max.recall
 
Duraspace Hot Topics Series 6: Metadata and Repository Services
Duraspace Hot Topics Series 6: Metadata and Repository ServicesDuraspace Hot Topics Series 6: Metadata and Repository Services
Duraspace Hot Topics Series 6: Metadata and Repository Services
 
Checksum 101
Checksum 101Checksum 101
Checksum 101
 
4Science presentes: ORCiD API Tutorial
4Science presentes: ORCiD API Tutorial4Science presentes: ORCiD API Tutorial
4Science presentes: ORCiD API Tutorial
 
New Product Introductions - FIZ Karlsruhe
New Product Introductions - FIZ KarlsruheNew Product Introductions - FIZ Karlsruhe
New Product Introductions - FIZ Karlsruhe
 
Whowas: History of resources at APNIC
Whowas: History of resources at APNICWhowas: History of resources at APNIC
Whowas: History of resources at APNIC
 
Interoperability is the key: repositories networks promoting the quality and ...
Interoperability is the key: repositories networks promoting the quality and ...Interoperability is the key: repositories networks promoting the quality and ...
Interoperability is the key: repositories networks promoting the quality and ...
 

Andere mochten auch

Ppt novel gue
Ppt novel guePpt novel gue
Ppt novel guelailyfary
 
Overcoming Continuous Delivery Impedance
Overcoming Continuous Delivery ImpedanceOvercoming Continuous Delivery Impedance
Overcoming Continuous Delivery ImpedanceMark Rendell
 
Continuous Delivery with a PaaS Application
Continuous Delivery with a PaaS ApplicationContinuous Delivery with a PaaS Application
Continuous Delivery with a PaaS ApplicationMark Rendell
 
New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word documentbudiristanto
 
Semantically-Enabled Digital Investigations - Research Overview
Semantically-Enabled Digital Investigations - Research OverviewSemantically-Enabled Digital Investigations - Research Overview
Semantically-Enabled Digital Investigations - Research Overviewinbroker
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenesinbroker
 
Ignite: When You Need A DevOps Team
Ignite: When You Need A DevOps TeamIgnite: When You Need A DevOps Team
Ignite: When You Need A DevOps TeamMark Rendell
 
The dumb waiter
The dumb waiterThe dumb waiter
The dumb waiterlailyfary
 
Introducing Lubbock Entertainment and Performing Arts Center
Introducing Lubbock Entertainment and Performing Arts CenterIntroducing Lubbock Entertainment and Performing Arts Center
Introducing Lubbock Entertainment and Performing Arts CenterLEPAA
 
presentation on transfer of training
presentation on transfer of trainingpresentation on transfer of training
presentation on transfer of trainingpallavi313
 
Breaking the 2 Pizza Paradox with your Platform as an Application
Breaking the 2 Pizza Paradox with your Platform as an ApplicationBreaking the 2 Pizza Paradox with your Platform as an Application
Breaking the 2 Pizza Paradox with your Platform as an ApplicationMark Rendell
 
The Network Protocol Stack Revisited
The Network Protocol Stack RevisitedThe Network Protocol Stack Revisited
The Network Protocol Stack Revisitedinbroker
 
DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniquesinbroker
 

Andere mochten auch (16)

Ppt novel gue
Ppt novel guePpt novel gue
Ppt novel gue
 
Overcoming Continuous Delivery Impedance
Overcoming Continuous Delivery ImpedanceOvercoming Continuous Delivery Impedance
Overcoming Continuous Delivery Impedance
 
Continuous Delivery with a PaaS Application
Continuous Delivery with a PaaS ApplicationContinuous Delivery with a PaaS Application
Continuous Delivery with a PaaS Application
 
Diktat autocad
Diktat autocadDiktat autocad
Diktat autocad
 
New microsoft office word document
New microsoft office word documentNew microsoft office word document
New microsoft office word document
 
Photon Network Course 2014
Photon Network Course 2014Photon Network Course 2014
Photon Network Course 2014
 
Semantically-Enabled Digital Investigations - Research Overview
Semantically-Enabled Digital Investigations - Research OverviewSemantically-Enabled Digital Investigations - Research Overview
Semantically-Enabled Digital Investigations - Research Overview
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenes
 
Ignite: When You Need A DevOps Team
Ignite: When You Need A DevOps TeamIgnite: When You Need A DevOps Team
Ignite: When You Need A DevOps Team
 
The dumb waiter
The dumb waiterThe dumb waiter
The dumb waiter
 
Introducing Lubbock Entertainment and Performing Arts Center
Introducing Lubbock Entertainment and Performing Arts CenterIntroducing Lubbock Entertainment and Performing Arts Center
Introducing Lubbock Entertainment and Performing Arts Center
 
presentation on transfer of training
presentation on transfer of trainingpresentation on transfer of training
presentation on transfer of training
 
Breaking the 2 Pizza Paradox with your Platform as an Application
Breaking the 2 Pizza Paradox with your Platform as an ApplicationBreaking the 2 Pizza Paradox with your Platform as an Application
Breaking the 2 Pizza Paradox with your Platform as an Application
 
The Network Protocol Stack Revisited
The Network Protocol Stack RevisitedThe Network Protocol Stack Revisited
The Network Protocol Stack Revisited
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniques
 

Ähnlich wie Semantically-Enabled Digital Investigations

FAIR Workflows and Research Objects get a Workout
FAIR Workflows and Research Objects get a Workout FAIR Workflows and Research Objects get a Workout
FAIR Workflows and Research Objects get a Workout Carole Goble
 
State of Florida Neo4j Graph Briefing - Cyber IAM
State of Florida Neo4j Graph Briefing - Cyber IAMState of Florida Neo4j Graph Briefing - Cyber IAM
State of Florida Neo4j Graph Briefing - Cyber IAMNeo4j
 
Pushing Chemical Biology Through the Pipes
Pushing Chemical Biology Through the PipesPushing Chemical Biology Through the Pipes
Pushing Chemical Biology Through the PipesRajarshi Guha
 
Scaling up Linked Data
Scaling up Linked DataScaling up Linked Data
Scaling up Linked DataMarin Dimitrov
 
Linked services: Connecting services to the Web of Data
Linked services: Connecting services to the Web of DataLinked services: Connecting services to the Web of Data
Linked services: Connecting services to the Web of DataJohn Domingue
 
Telco analytics at scale
Telco analytics at scaleTelco analytics at scale
Telco analytics at scaledatamantra
 
CLARIAH Toogdag 2018: A distributed network of digital heritage information
CLARIAH Toogdag 2018: A distributed network of digital heritage informationCLARIAH Toogdag 2018: A distributed network of digital heritage information
CLARIAH Toogdag 2018: A distributed network of digital heritage informationEnno Meijers
 
Data governance datalakes_multitenancy
Data governance datalakes_multitenancyData governance datalakes_multitenancy
Data governance datalakes_multitenancySathish K S
 
Crossing Analytics Systems: Case for Integrated Provenance in Data Lakes
Crossing Analytics Systems: Case for Integrated Provenance in Data LakesCrossing Analytics Systems: Case for Integrated Provenance in Data Lakes
Crossing Analytics Systems: Case for Integrated Provenance in Data LakesIsuru Suriarachchi
 
Southwickc lampert lodlam_training
Southwickc lampert lodlam_trainingSouthwickc lampert lodlam_training
Southwickc lampert lodlam_trainingssouthwick
 
FAIRDOM data management support for ERACoBioTech Proposals
FAIRDOM data management support for ERACoBioTech ProposalsFAIRDOM data management support for ERACoBioTech Proposals
FAIRDOM data management support for ERACoBioTech ProposalsFAIRDOM
 
WOTS2E: A Search Engine for a Semantic Web of Things
WOTS2E: A Search Engine for a Semantic Web of ThingsWOTS2E: A Search Engine for a Semantic Web of Things
WOTS2E: A Search Engine for a Semantic Web of ThingsAndreas Kamilaris
 
Hypermedia for Machine APIs
Hypermedia for Machine APIsHypermedia for Machine APIs
Hypermedia for Machine APIsMichael Koster
 
How e-infrastructure can contribute to Linked Germplasm Data
How e-infrastructure can contribute to Linked Germplasm DataHow e-infrastructure can contribute to Linked Germplasm Data
How e-infrastructure can contribute to Linked Germplasm DataStoitsis Giannis
 
A collaborative approach to "filling the digital preservation gap" for Resear...
A collaborative approach to "filling the digital preservation gap" for Resear...A collaborative approach to "filling the digital preservation gap" for Resear...
A collaborative approach to "filling the digital preservation gap" for Resear...Jenny Mitcham
 

Ähnlich wie Semantically-Enabled Digital Investigations (20)

FAIR Workflows and Research Objects get a Workout
FAIR Workflows and Research Objects get a Workout FAIR Workflows and Research Objects get a Workout
FAIR Workflows and Research Objects get a Workout
 
State of Florida Neo4j Graph Briefing - Cyber IAM
State of Florida Neo4j Graph Briefing - Cyber IAMState of Florida Neo4j Graph Briefing - Cyber IAM
State of Florida Neo4j Graph Briefing - Cyber IAM
 
Pushing Chemical Biology Through the Pipes
Pushing Chemical Biology Through the PipesPushing Chemical Biology Through the Pipes
Pushing Chemical Biology Through the Pipes
 
Presentation 16 may keynote karin bredenberg
Presentation 16 may keynote karin bredenbergPresentation 16 may keynote karin bredenberg
Presentation 16 may keynote karin bredenberg
 
Scaling up Linked Data
Scaling up Linked DataScaling up Linked Data
Scaling up Linked Data
 
Design patternsforiot
Design patternsforiotDesign patternsforiot
Design patternsforiot
 
Linked services: Connecting services to the Web of Data
Linked services: Connecting services to the Web of DataLinked services: Connecting services to the Web of Data
Linked services: Connecting services to the Web of Data
 
Lawless-3-jun15
Lawless-3-jun15Lawless-3-jun15
Lawless-3-jun15
 
Telco analytics at scale
Telco analytics at scaleTelco analytics at scale
Telco analytics at scale
 
CLARIAH Toogdag 2018: A distributed network of digital heritage information
CLARIAH Toogdag 2018: A distributed network of digital heritage informationCLARIAH Toogdag 2018: A distributed network of digital heritage information
CLARIAH Toogdag 2018: A distributed network of digital heritage information
 
Data governance datalakes_multitenancy
Data governance datalakes_multitenancyData governance datalakes_multitenancy
Data governance datalakes_multitenancy
 
2015 05-07-mac
2015 05-07-mac2015 05-07-mac
2015 05-07-mac
 
Crossing Analytics Systems: Case for Integrated Provenance in Data Lakes
Crossing Analytics Systems: Case for Integrated Provenance in Data LakesCrossing Analytics Systems: Case for Integrated Provenance in Data Lakes
Crossing Analytics Systems: Case for Integrated Provenance in Data Lakes
 
Southwickc lampert lodlam_training
Southwickc lampert lodlam_trainingSouthwickc lampert lodlam_training
Southwickc lampert lodlam_training
 
FAIRDOM data management support for ERACoBioTech Proposals
FAIRDOM data management support for ERACoBioTech ProposalsFAIRDOM data management support for ERACoBioTech Proposals
FAIRDOM data management support for ERACoBioTech Proposals
 
WOTS2E: A Search Engine for a Semantic Web of Things
WOTS2E: A Search Engine for a Semantic Web of ThingsWOTS2E: A Search Engine for a Semantic Web of Things
WOTS2E: A Search Engine for a Semantic Web of Things
 
Hypermedia for Machine APIs
Hypermedia for Machine APIsHypermedia for Machine APIs
Hypermedia for Machine APIs
 
Caplan and York, 'What It Takes To Make It Last: E-Resources Preservation"
Caplan and York, 'What It Takes To Make It Last: E-Resources Preservation"Caplan and York, 'What It Takes To Make It Last: E-Resources Preservation"
Caplan and York, 'What It Takes To Make It Last: E-Resources Preservation"
 
How e-infrastructure can contribute to Linked Germplasm Data
How e-infrastructure can contribute to Linked Germplasm DataHow e-infrastructure can contribute to Linked Germplasm Data
How e-infrastructure can contribute to Linked Germplasm Data
 
A collaborative approach to "filling the digital preservation gap" for Resear...
A collaborative approach to "filling the digital preservation gap" for Resear...A collaborative approach to "filling the digital preservation gap" for Resear...
A collaborative approach to "filling the digital preservation gap" for Resear...
 

Kürzlich hochgeladen

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 

Kürzlich hochgeladen (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Semantically-Enabled Digital Investigations

  • 2. Outline • Problem • Background • Developed Method • Demonstration • Conclusions 2015-05-17 ISACA Dagen 2013
  • 3. Problem Area • Complex attacks against networked systems • Multiple data sources of possible evidentiary value – Volume & Variety – ”looking for a needle in a stack of needles” – Paul Pillar, CIA CoA • Analysis of the collected digital data – Least formalized process step – Rely on investigators’ expertise and experience 2015-05-17 ISACA Dagen 2013
  • 4. Digital Evidence / Investigations • Reliable digital data that support hypothesizing about a security incident • Sound methods for collecting and interpreting digital data • Reconstruct events found to be criminal (DF) • Investigate and learn from information security breaches (IR)2015-05-17 ISACA Dagen 2013
  • 5. Forensic Tools • Interpreters between data abstraction layers – e.g. Reconstruct raw disk data into filesystem hierarchy and objects (files, directories) • Evidence- but not investigation- centric design • Limited tool interoperability – Manual integration of tool findings – Multiple (proprietary, undocumented) data formats/models 2015-05-17 ISACA Dagen 2013
  • 6. A Digital Investigation Example ISACA Dagen 20132015-05-17
  • 7. Semantic Web & Linked Data Technologies • ”… information is given well-defined meaning, better enabling computers and people to work in cooperation” – (Tim Berners Lee, 2001) • Ontology – ”explicit and formal specification of a conceptualization” – Entities, attributes, relationships • Metadata - Context-based or domain- specific annotation of data • Reason and inference of implicit facts 2015-05-17 ISACA Dagen 2013
  • 8. Semantic Web Architecture • URI/IRI enables global data object identification • XML provides a machine readable, validatable data encoding scheme • RDF(S) is a metadata data model and knowledge representation language – Subject-Property-Object/Value statements – Class and Property hierarchies • OWL 2 is a more expressive KR language for specifying ontologies – Restrictions, Equivalence, Cardinality, Property Chains • Rule and RDF-query languages 2015-05-17 ISACA Dagen 2013
  • 9. Method Overview 2015-05-17 ISACA Dagen 2013 Data Collection Semantic Representation Ontological Reasoning Rule-based Reasoning Integrated Query
  • 10. Domain Ontologies • Introduced a set of lightweight domain-specific OWL ontologies – Storage Media – Network Traffic – Windows Firewall Log, WHOIS RIR DB – Malicious Networks Reputation List – Malware Detection 2015-05-17 ISACA Dagen 2013
  • 12. Semantic Representation • Resource Unique Identification Scheme • Parsing tools able to process each source type with respect to the domain ontology 2015-05-17 ISACA Dagen 2013
  • 13. Evidence Integration • Automated linking among (homo/hetero-)geneous evidence sources based on key properties & matching rules 2015-05-17 ISACA Dagen 2013
  • 14. Evidence Correlation • Link instances of dissimilar type across a shared domain • Temporal Correlation – Rules for establishing time instant & interval relations among recovered artifacts • Mereological Correlation – “partOf” transitivity relations 2015-05-17 ISACA Dagen 2013
  • 15. Semantic Integration & Correlation 2015-05-17 ISACA Dagen 2013
  • 16. Integrated Query • Purpose-built triplestore (graph) database engine can store the final dataset – Up to billions of triples • SQL-like queries against the integrated/correlated evidence set • Graph pattern matching techniques 2015-05-17 ISACA Dagen 2013
  • 17. A PoC Instantiation • Evidence Manager • Filtering / Pre-processing • Semantic Parser • Inference Engine • Classification, Inverse & Transitive Properties • Rule & Query Engines2015-05-17 ISACA Dagen 2013
  • 20. Sample Query • “Is any file resident on the disk malicious and if yes where has it been downloaded from and which ISP did the IP belong to?” 2015-05-17 ISACA Dagen 2013
  • 21. Sample Query SELECT DISTINCT ?pathName ?uri ?ipvalue ?asnumber ?link WHERE { ?file rdf:type digitalmedia:File . ?file digitalmedia:hasPathName ?pathName . ?file digitalmedia:hasMD5 ?md5 . ?httpbody integration:HTTPContentToMediaFile ?file . ?file integration:MediaFileToVTFile ?vtfile . ?vtfile virustotal:hasAVReport ?report . ?report virustotal:hasPermanentLink ?link . ?httpresp http:body ?httpbody . ?httpreq http:requestURI ?uri . ?httpreq http:resp ?httpresp . ?http packetcapture:hasHTTPRequest ?httpreq . ?http rdf:type packetcapture:HTTP . ?tcpflow packetcapture:hasApplicationLayerProtocol ?http . ?tcpflow packetcapture:hasDestinationIP ?destip . ?destip packetcapture:hasIPValue ?ipvalue . ?destip integration:PcapIPToWHOISIpAddr ?whoisip . ?whoisip whois:isContainedInRange ?range . ?range whois:hasRange ?rangeValue . ?range whois:isContainedInAS ?as . ?as whois:hasNetName ?netname . ?as whois:hasASNumber ?asnumber 2015-05-17 ISACA Dagen 2013
  • 22. Example Hypothesies-Queries • Have there been any unsuccessful connection attempts from systems in the same network as the one that hosted the malicious file? • Which disk files have been created or accessed shortly after the malicious file was downloaded? • Has there been any successful connection between our system and a known malicious host? • Which files have been accessed shortly before the host communicated with any blacklisted network host? • Which websites have been visited by the user shortly before the download of the malicious file? 2015-05-17 ISACA Dagen 2013
  • 23. Summary • Ability to represent and integrate heterogeneous data • Supports the formulation and execution of complex queries • Expandable (ontologies, rules, queries) • Computational complexity depends on the ontology, rules, amount of data • Reliance to online data sources may affect the accuracy of the results 2015-05-17 ISACA Dagen 2013
  • 24. Future Work • Advanced reasoning capabilities (e.g. detect anti-forensic inconsistencies) • Extended analysis techniques (e.g. additional data sources, user activities) • Large scale performance evaluation, distributed architecture • User-friendly graphical interface for rule/query formulation and result navigation 2015-05-17 ISACA Dagen 2013