Machine Learning in Computer Forensics (and the Lessons Learned from Machine Learning in Computer Security)∗

Davide Ariu, Giorgio Giacinto, Fabio Roli
Department of Electrical and Electronic Engineering
University of Cagliari
Piazza d'Armi, 09123, Cagliari, Italy
[davide.ariu, giacinto, roli]@diee.unica.it

∗ This research was sponsored by the RAS (Autonomous Region of Sardinia) through a grant financed with the "Sardinia PO FSE 2007-2013" funds and provided according to the L.R. 7/2007. Any opinions, findings and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the RAS.

ABSTRACT

In this paper, we discuss the role that machine learning can play in computer forensics. We begin our analysis by considering the role that machine learning has gained in computer security applications, with the aim of helping the computer forensics community learn the lessons from the experience of the computer security community. Afterwards, we propose a brief literature review, with the purpose of illustrating the areas of computer forensics where machine learning techniques have been used until now. Then, we point out the technical requirements that should be met by tools for computer security and computer forensics applications, with the goal of illustrating in which way machine learning algorithms can be of practical help. We intend this paper to foster applications of machine learning in computer forensics, and we hope that the ideas in this paper may represent promising directions to pursue in the quest for more efficient and effective computer forensics tools.

Categories and Subject Descriptors
D.4.6 [Security and Protection]; I.2 [Artificial Intelligence]; I.5 [Pattern Recognition]; K.4.1 [Public Policy Issues]: Abuse and crime involving computers

General Terms
Algorithms, Legal Aspects, Security

Keywords
Computer Forensics, Computer Security, Machine Learning

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
AISec'11, October 21, 2011, Chicago, Illinois, USA.
Copyright 2011 ACM 978-1-4503-1003-1/11/10 ...$10.00.

1. INTRODUCTION

Since the second half of the nineties, the world has witnessed a digital revolution that has indeed changed the lifestyle of billions of people. The Internet, mobile phones and plenty of different digital devices became part of the everyday life of all of us. In the beginning, all this seemed to be just something to have fun with. Nowadays, computers (of any kind), mobile phones and "the network" all represent essential tools for the professional life of millions of people. This fact obviously means that an ever increasing amount of valuable information is stored in digital form: digital photos, phone books and emails are probably just the most notable examples of this phenomenon.

In this information technology age, the needs of law enforcement are changing as well. Some traditional crimes, especially those concerning finance and commerce, are continuously upgraded according to the related technological advances. In a broader perspective, the analysis of computers and digital devices becomes more and more important to assess the facts in a large number of investigative cases. Computer forensics was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence.

For the sake of clarity, let us point out what exactly we mean by the term "computer forensics". The term "digital forensics" usually refers to the disciplines that analyze digital devices for forensic purposes. Thus, it involves not only general-purpose computers but also mobile phones, game consoles or even devices such as iPods or mp3 players. In particular, "mobile forensics" is the discipline that analyzes mobile appliances such as smart phones, or even GPS navigation systems. "Multimedia forensics" is the branch of digital forensics that involves the analysis of digital media (pictures, videos and audio traces). On the other side, "computer forensics", in a strict sense, applies specifically to the analysis of general purpose computers, and data storage appliances or data processing devices.

At present, research in computer forensics is still at an early stage [5]: a community clearly focused on this topic does not exist, and a clear research road-map is still missing. In particular, there is not yet a clear understanding of how machine learning can help solve computer forensics problems [5]. In spite of this, we believe that there is plenty of room to improve the existing techniques, especially with the help of machine learning algorithms. In this sense, we also believe that the computer forensics community could take advantage of the experience of the computer
security community. The reason for this is that computer security and computer forensics are rooted in the same technical background.

In order to stimulate research in this direction, in this paper we investigate the role that machine learning could play in computer forensics applications. Section 2 briefly provides a historical perspective, in order to let the reader understand the (long) way machine learning research had to go before being successfully applied to computer security. In section 3 we quickly review the most recent works that propose machine learning techniques for computer forensics, in order to provide a survey of the current research activities in this field. In section 4 we highlight how different the requirements are in the case of computer security and computer forensics tools, and also describe how the peculiarities of computer forensics can be exploited in order to apply machine learning to this discipline. Finally, we conclude in section 5.

2. HISTORICAL PERSPECTIVE

Computer security as a discipline was first studied in the early 1970s. In that period, the approach to the discipline was quite rigorous and more oriented towards the development of theoretical models than towards the deployment of practical applications [6, 7]. One of the cornerstones of machine learning applications in computer security is certainly represented by the work proposed by Denning [12]. Since then, plenty of different applications of machine learning to computer security have been proposed. Doubts about the intrinsic security of machine learning algorithms have been repeatedly raised [4]. In spite of these doubts, and of the clear understanding that the security of machine learning algorithms has to be improved [3], both the scientific community and the developers of tools for enforcing computer security now seem to be well aware of the role that can be played by machine learning techniques in the fight against cybercrime. Examples of successful applications of machine learning exist in several areas of computer security [2, 26]. In order to get to this point, about 25 years of effort (and billions of dollars) have been spent worldwide since the first known internet-wide attack in 1988 (the "Morris Worm").

At present, the computer forensics community lives in a completely different scenario. The discipline is not much younger than computer security, since computer forensics is more than 25 years old. As early as 1984, the FBI Laboratory and other law enforcement agencies began developing programs to examine computer evidence. In 1993, the FBI hosted an International Law Enforcement Conference on Computer Evidence that was attended by 70 representatives of various U.S. federal, state, and local law enforcement agencies and of international law enforcement agencies. Nevertheless, computer forensics received noteworthy attention from the computer science community only in recent years. In fact, in the early 2000s, when the consequences of cyber-attacks were reported by all the newspapers and TV channels (it was the period of "Slammer" and its friends), (almost) nobody talked yet about computer forensics. Nevertheless, almost in the same period laptops, mobile phones and GPS navigation systems began to pervade the everyday life of people. Since people were becoming more and more familiar with instant messaging platforms, emails and social networks, it was quite obvious that computers would quickly acquire relevance also in the context of forensic investigations.

Nowadays, a lot of computer forensics problems are still unaddressed, and a concrete need exists for powerful tools for the forensic analysis of computers. In the next section, we will consider some of the problems that have been addressed by the research community, and we will provide a brief overview of some recent works that proposed solutions based on machine learning. In particular, we will focus on those computer forensics problems that can be clearly formulated in terms of machine learning problems.

3. LITERATURE REVIEW

In this section we review the recent literature on computer forensics with the goal of highlighting the research directions on which applications of machine learning have been proposed.

3.1 Textual documents and E-mail Forensics

Obviously, textual documents and e-mails represent a primary source of evidence during forensic analysis. According to a recent study¹, more than 3 billion email accounts exist worldwide, 25% of them being corporate email accounts. For each business account, more than one hundred emails are estimated to be sent and received every day. These numbers clearly show that email is a primary means of communication, and thus represents a potential source of evidence that cannot be neglected. While dealing with e-mails, an important task is authorship verification and attribution. Several works have addressed this problem, by analyzing both the structure of the e-mail document (e.g. e-mail headers, number of lines and sentences, etc.) and linguistic patterns (e.g. character count, occurrences of punctuation, vocabulary "richness", etc.) [11, 17]. SVM as well as clustering algorithms were employed with promising results. For instance, in [11] a precision from 84% to 100% is achieved while retrieving the e-mails of three different authors from a corpus of 156 emails.

¹ Email Statistics Report 2011-2015, http://www.radicati.com

Solutions have also been proposed for the analysis of any kind of textual document, not only e-mails. Iqbal et al. recently proposed a solution based on data mining techniques for the analysis of the authorship of on-line documents [18]. Cheng et al. propose a solution for author gender identification [9]. By experimenting with several classification algorithms (SVM, AdaBoost and Bayesian logistic regression) this work achieved promising results (the maximum accuracy is around 80%), even if the problem is far from being definitely solved.

3.2 Network Forensics

The analysis of network traffic can be useful in a number of computer forensics scenarios, among which a typical case can be that of a person suspected of being responsible for a cybercrime. Unfortunately, as Wang noticed [31], there are at least two major technical challenges in this field: (1) forensic analysts are overwhelmed by huge volumes of low-quality evidence; (2) cyber attacks are becoming increasingly sophisticated. Nevertheless, several works have recently addressed issues related to network forensics. Thonnard et al. proposed a framework for finding similar patterns in network traces [29]. Liao et al. propose an approach based on fuzzy theory which is able to automatically make
inference from the network traffic [22]. Unfortunately, even if the achieved results look good (a detection rate higher than 91%), some doubts are left on the effectiveness of the proposed approach, since the authors evaluate their system on the DARPA dataset only [24]. Anaya et al. proposed a technique (based on fuzzy logic and on Artificial Neural Networks) to classify network flows as normal or abnormal [1]. Wang and Daniels proposed a graph-based approach [31]. An evidence graph is first constructed that highlights relationships among the hosts involved in an attack. Then, with a "reasoning" step the analyst is guided in the identification of the machines that had a crucial role in the context of the attack. The authors illustrate the possible applications of the algorithm by considering three different scenarios that clearly explain how the algorithm can support the forensic analyst.

Recently, solutions have also been proposed to natively include support for network forensics and monitoring in the network infrastructure [16].

3.3 Events and Data Analysis

A critical issue in computer forensics analysis is represented by the large volume of data to be analyzed. In fact, according to recent FBI statistics, the average case size is approximately 500 GB [13]. These data can belong to different sources (e.g. network traces, memory dumps, disk images) and they are typically analyzed by using tools that operate on only a single type of digital evidence. Some recent papers proposed solutions aimed at supporting the activity of the computer forensics expert in the analysis of the data. Fei et al. proposed an application of Self-Organizing Maps to detect anomalies in the Internet behavior of computer users [14]. Khan et al. proposed a solution based on neural networks for the construction of a timeline of the relevant events [20]. The timeline is created by using four different sources of information: activities of the file system, log files, registry entries (in the case of Windows machines), and also by analyzing the free blocks and the slack space.

3.4 File Fragment Classification

File fragment classification has probably been one of the most investigated problems in computer forensics. The goal is that of establishing the type of the file from which a data fragment originates without the help of the information provided by the file system. This can be necessary for instance in the case of recovered files for which the initial header is not available anymore. Most of the works in this area are based on the analysis of the statistical properties (e.g. byte histograms) of the distribution of the file bytes [10, 19, 21, 23]. The underlying idea is that the properties of the byte distribution for a certain file basically depend on the originating file type. A pioneering work was that of McDaniel et al. [23], where the statistical models of files were created by means of the byte histogram and the byte frequency cross correlation. In [19], the authors use both the byte distribution and the "rate of change" (the absolute value of the difference between the values of consecutive bytes). Li et al. propose an application of n-gram analysis to this problem [21]. They create a different centroid for each file type and calculate the Mahalanobis distance between the file and the centroids. All the considered works achieved promising results. For instance, in [21] the authors claimed a classification accuracy higher than 90%, whereas in [10] the recall was between 90 and 100% for common file types such as Acrobat PDF or JPEG. In spite of this, to the best of our knowledge, none of the proposed approaches has found application in a real tool. In fact, as Roussev noticed [27], the promising results achieved cannot be considered statistically relevant since they have been obtained on datasets that were at most 500 MB large. Recently, Garfinkel et al. released several forensic data sets² that the scientific community can employ as a common basis for the empirical evaluation of the algorithms developed [15]. The released datasets include file corpora, disk images, cell phone dumps, and network traces.

² http://digitalcorpora.org/

4. COMPUTER SECURITY AND FORENSICS

The aim of this section is to highlight similarities and differences between computer security and forensics. Our goal is to provide a clear understanding of the requirements that a computer forensics tool should be able to meet. To do this, we compare computer security and forensics by considering three different aspects: the goals pursued by the two disciplines (section 4.1); the requirements that should be met by computer security and computer forensics tools (section 4.2); the perspective according to which machine learning should be applied to the two disciplines (section 4.3).

4.1 Goals

As we already mentioned in the paper, computer security and computer forensics share the same technical background. In fact, both disciplines require a clear and in-depth understanding of how the computers' world works. What can probably be said is that while computer security very often involves topics related to the "network" segment, computer forensics concerns are often related to issues such as disk and file analysis. This difference can be easily explained if we look at the different goals of the two disciplines. Computer security aims to prevent something (a cyber-attack) from happening. Since the network is still the main channel for attack propagation (let's think of drive-by-download attacks), the analysis of network traffic is fundamental for attack prevention and detection. This is the reason why topics related to network monitoring (e.g. botnet/fast-flux network detection or DNS security) receive a lot of attention from the research community. On the contrary, the computer forensics analyst works from an opposite perspective. Since he is typically asked to find evidence of a crime (that can also be a cyber-crime), he obviously works after the crime has been committed. Thus, since the hard drive is the place where the information managed by a computer "persists", it is obvious that issues related to the analysis of the disk (and of the information it contains) represent one of the main topics in computer forensics research [23, 20].

4.2 Requirements

Computer security and computer forensics exhibit different sets of requirements. We analyze computer security requirements in 4.2.1, whereas computer forensics requirements are discussed in 4.2.2.
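Before turning to the requirements, an added worked example of the byte-distribution approach to file fragment classification reviewed in section 3.4: one centroid (per-byte mean and standard deviation of the byte histogram) per file type, and assignment of a headerless fragment to the centroid at the smallest simplified Mahalanobis distance. This is example code written for this page, not code from the paper or from the works it cites; the three file types and their fragments are constructed synthetic generators standing in for text, compressed or encrypted data, and sparse binary data.

```python
"""Byte-distribution ("fileprint") file fragment classification.

Added example, not code from Ariu et al. or from the works they review.
For each file type a centroid is built from training fragments: the mean and
standard deviation of the relative frequency of every byte value.  A
headerless fragment is assigned to the centroid at the smallest simplified
Mahalanobis distance, sum(|x_i - mu_i| / (sigma_i + alpha)), with a small
smoothing term alpha so byte values unseen in training do not divide by zero.
The three "file types" are constructed synthetic generators (an assumption of
this example) standing in for text, compressed/encrypted and sparse binary data.
"""
import math
import random
from collections import Counter

FRAGMENT_SIZE = 512   # bytes per fragment, the size of one disk sector
SMOOTHING = 1e-4      # alpha in the distance formula


def byte_histogram(fragment):
    """Relative frequency of each of the 256 byte values (a 256-element list)."""
    counts = Counter(fragment)
    n = len(fragment)
    return [counts.get(value, 0) / n for value in range(256)]


def build_centroid(fragments):
    """Per-byte-value mean and standard deviation over a type's training fragments."""
    hists = [byte_histogram(f) for f in fragments]
    k = len(hists)
    mean = [sum(h[i] for h in hists) / k for i in range(256)]
    std = [math.sqrt(sum((h[i] - mean[i]) ** 2 for h in hists) / k) for i in range(256)]
    return mean, std


def mahalanobis(hist, centroid):
    """Simplified Mahalanobis distance between a histogram and a centroid."""
    mean, std = centroid
    return sum(abs(hist[i] - mean[i]) / (std[i] + SMOOTHING) for i in range(256))


def classify(fragment, centroids):
    """Label of the nearest centroid; no file-system metadata or header is used."""
    hist = byte_histogram(fragment)
    return min(centroids, key=lambda label: mahalanobis(hist, centroids[label]))


# --- constructed synthetic "file types" (not real corpora) -------------------
WORDS = [b"forensic", b"evidence", b"disk", b"image", b"analyst", b"fragment",
         b"the", b"byte", b"of", b"recovered"]


def gen_text(rng):
    """ASCII prose-like bytes: a narrow set of byte values, letters dominate."""
    out = b""
    while len(out) < FRAGMENT_SIZE:
        out += rng.choice(WORDS) + (b" " if rng.random() < 0.85 else b".\n")
    return out[:FRAGMENT_SIZE]


def gen_compressed(rng):
    """Compressed or encrypted data: every byte value roughly equally likely."""
    return bytes(rng.getrandbits(8) for _ in range(FRAGMENT_SIZE))


def gen_sparse_binary(rng):
    """Executable-like data: about 70% zero padding, the rest arbitrary bytes."""
    return bytes(0 if rng.random() < 0.7 else rng.getrandbits(8)
                 for _ in range(FRAGMENT_SIZE))


GENERATORS = {"text": gen_text, "compressed": gen_compressed,
              "sparse_binary": gen_sparse_binary}


def make_dataset(seed, per_type):
    """List of (label, fragment) pairs, deterministic for a given seed."""
    rng = random.Random(seed)
    return [(label, gen(rng)) for label, gen in GENERATORS.items()
            for _ in range(per_type)]


def train(seed=1, per_type=40):
    """One centroid per file type from a constructed training set."""
    data = make_dataset(seed, per_type)
    return {label: build_centroid([f for lbl, f in data if lbl == label])
            for label in GENERATORS}


def evaluate(centroids, seed=2, per_type=20):
    """Classification accuracy on a fresh constructed test set."""
    data = make_dataset(seed, per_type)
    correct = sum(classify(f, centroids) == label for label, f in data)
    return correct / len(data)


if __name__ == "__main__":
    model = train()
    print("accuracy on synthetic fragments:", evaluate(model))
    for label, fragment in make_dataset(99, 1):
        print(label, "->", classify(fragment, model))
```

The synthetic types are deliberately easy to separate, so the accuracy here says nothing about real corpora; the evaluation caveat raised by Roussev [27] above is exactly that such numbers only mean something on large, standardized datasets such as those of [15].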
4.2.1 Computer Security Requirements

With respect to a computer security tool, we identify three key requirements: it should be able to work in real time, it should not generate too many false alarms, and it should be as autonomous as possible. The first one descends from the fact that typically the tool should be able to prevent the attack before it occurs. Anti-virus software, Intrusion Prevention Systems, or even Web Application Firewalls certainly represent examples of tools that are required to detect malicious patterns in real time. This represents a particularly severe constraint, especially when large volumes of data must be analyzed (such as, for instance, in the case of a network-based Intrusion Prevention System). A second fundamental requirement is related to the false alarm rate, which indeed must be low. This always represents a crucial point in the case of anomaly-based systems, since this requirement has to be met without affecting the generalization capability of the system. Finally, it is also desirable for the tool to be as autonomous as possible, requiring (possibly) no intervention by the user (at least if no attack occurs).

4.2.2 Computer Forensics Requirements

The requirements in the case of a computer forensics tool are totally different. In fact, it must be considered that the forensic analysis is driven by the computer forensics analyst, and therefore requires considerable human intervention. Depending on the scenario of the investigation, the computer forensics expert has to decide where the evidence has to be searched for and what is the best way to find it. For instance, it can be searched for within textual files or spreadsheets if the investigation concerns financial crimes, while the search should focus on images or on the web browser history in the case of a suspect of pedophilia, or even on the system log files if the investigation concerns some cybercrime.

Once the analysis strategy has been planned, one of the biggest challenges the forensic analyst is called to face is represented by the large volume of data that typically must be analyzed. This can easily happen if the investigation requires the analysis of the activity of a network, of a server, or of the emails exchanged by the inquired person over several years. In such a scenario, machine learning algorithms certainly represent a resource that can be exploited to facilitate the activity of the forensic analyst. In particular, we think that research should be pushed in the direction of developing algorithms for automatic clustering or categorization of documents. For instance, we think that text categorization algorithms can certainly be adapted to forensic purposes [28].

A second point that can be considered is that computer forensics experts typically employ several similar tools to perform the same analysis. This basically happens because different tools do not always produce the same results. Thus, using several tools can help to find the evidence that one tool could have missed, or even to obtain confirmation if all the tools produce the same result. Nevertheless, this raises the problem of correlating information from different sources. Solutions have been proposed that address this issue [8] but, to the best of our knowledge, nothing has yet been done with the support of machine learning algorithms. In this sense, the vast literature on "alert correlation" frameworks based on machine learning algorithms can certainly provide useful hints [30] to the computer forensics community.

Finally, it must be considered that computer forensics analyses are not subject to real-time constraints. In fact, it is absolutely reasonable to have tools that require even several days of computation if, at the end, the work of the analyst is facilitated. Actually, this opens the possibility of considering also complex and heavy algorithms.

4.3 A formal comparison

In this section, we propose a different (and more formal) way of comparing computer security and computer forensics, based on the analysis by Mitchell of the place of machine learning in computer science [25]. As Mitchell noticed, "machine learning methods are the best methods in applications that are too complex for people to manually design the algorithm". In our opinion, both computer security and computer forensics fall into this category. In fact, modern computers (and computer networks) are indeed complex and they will certainly become more so as computer science continues to evolve. It is certainly true that it is complex for people to manually design the algorithm in many computer security and forensics applications. In addition, situations also exist where, even if it would be theoretically possible, it actually is not, because for instance too many variants of the patterns to be modeled exist (e.g. malware detection). We think that whereas the computer security community is completely aware of this, the computer forensics community actually is not.

With regard to Mitchell's considerations, a point on which computer security and forensics are probably different is the need "that the software customize to its operational environment after it is fielded". This requirement also exists in computer security (let us think of anomaly-based IDS) but we are persuaded that it is definitely stronger in the case of computer forensics applications. In fact, in computer forensics the analysis cannot be approached in the same way whatever the case is, since it must be tailored to each specific investigation scenario. In this sense, human intervention can certainly represent the added value on which computer forensics can rely with respect to computer security, if the learning algorithm is able to incorporate the feedback provided by the analyst.

5. CONCLUSIONS

In this paper we proposed some useful guidelines for the application of machine learning to computer forensics. We first provided a historical perspective for both computer security and forensics. Then, we briefly reviewed the literature in order to illustrate in which areas of computer forensics machine learning has been recently applied. Afterwards, we discussed differences and similarities between computer security and forensics, in order to make clear what should be expected from applications of machine learning in computer forensics. Finally, we provided a more formal comparison of the two disciplines, in order to illustrate the perspective according to which machine learning should be applied in computer forensics.

6. REFERENCES

[1] E. Anaya, M. Nakano-Miyatake, and H. Perez Meana. Network forensics with neurofuzzy techniques. In
Circuits and Systems, 2009. MWSCAS '09. 52nd IEEE International Midwest Symposium on, pages 848–852, August 2009.
[2] D. Ariu, R. Tronci, and G. Giacinto. HMMpayl: An Intrusion Detection System Based On Hidden Markov Models. Computers & Security, 30(4):221–241, 2011.
[3] M. Barreno, P. L. Bartlett, F. J. Chi, A. D. Joseph, B. Nelson, B. I. P. Rubinstein, U. Saini, and J. D. Tygar. Open problems in the security of learning. In D. Balfanz and J. Staddon, editors, AISec, pages 19–26. ACM, 2008.
[4] M. Barreno, B. Nelson, R. Sears, A. D. Joseph, and J. D. Tygar. Can machine learning be secure? In F.-C. Lin, D.-T. Lee, B.-S. P. Lin, S. Shieh, and S. Jajodia, editors, ASIACCS, pages 16–25. ACM, 2006.
[5] N. Beebe. Digital forensic research: The good, the bad and the unaddressed. In G. Peterson and S. Shenoi, editors, Advances in Digital Forensics V, volume 306 of IFIP Advances in Information and Communication Technology, pages 17–36. Springer Boston, 2009.
[6] D. E. Bell and L. J. LaPadula. Secure computer systems: Mathematical foundations and model. Technical Report M74244 1, MITRE Corporation Bedford MA, May 1973.
[7] K. J. Biba. Integrity considerations for secure computer systems. Technical report a423930, MITRE Corporation Bedford MA, April 1977.
[8] A. Case, A. Cristina, L. Marziale, G. G. Richard, and V. Roussev. Face: Automated digital evidence discovery and correlation. Digital Investigation, 5(Supplement 1):S65–S75, 2008. The Proceedings of the Eighth Annual DFRWS Conference.
[9] N. Cheng, R. Chandramouli, and K. Subbalakshmi. Author gender identification from text. Digital Investigation, 8(1):78–88, 2011.
[10] O. de Vel. File classification using byte sub-stream kernels. Digital Investigation, 1(2):150–157, 2004.
[11] O. de Vel, A. Anderson, M. Corney, and G. Mohay. Mining e-mail content for author identification forensics. ACM SIGMOD Record, 30:55–64, December 2001.
[12] D. Denning. An intrusion-detection model. Software Engineering, IEEE Transactions on, SE-13(2):222–232, February 1987.
[13] FBI. RCFL Program Annual Report for Fiscal Year 2010.
[14] B. Fei, J. Eloff, H. Venter, and M. Olivier. Exploring forensic data with self-organizing maps. In M. Pollitt and S. Shenoi, editors, Advances in Digital Forensics, volume 194 of IFIP International Federation for Information Processing, pages 113–123. Springer Boston, 2005.
[15] S. Garfinkel, P. Farrell, V. Roussev, and G. Dinolt. Bringing science to digital forensics with standardized forensic corpora. Digital Investigation, 6:S2–S11, 2009.
[16] P. Giura and N. Memon. Netstore: An efficient storage infrastructure for network forensics and monitoring. In S. Jha, R. Sommer, and C. Kreibich, editors, RAID, volume 6307 of Lecture Notes in Computer Science, pages 277–296. Springer, 2010.
[17] F. Iqbal, H. Binsalleeh, B. C. Fung, and M. Debbabi. Mining writeprints from anonymous e-mails for forensic investigation. Digital Investigation, 7(1-2):56–64, 2010.
[18] F. Iqbal, H. Binsalleeh, B. C. Fung, and M. Debbabi. A unified data mining solution for authorship analysis in anonymous textual communications. Information Sciences, In Press, Corrected Proof, 2011.
[19] M. Karresand and N. Shahmehri. File type identification of data fragments by their binary structure. In Information Assurance Workshop, 2006 IEEE, pages 140–147, June 2006.
[20] M. Khan, C. Chatwin, and R. Young. A framework for post-event timeline reconstruction using neural networks. Digital Investigation, 4(3-4):146–157, 2007.
[21] W.-J. Li, K. Wang, S. Stolfo, and B. Herzog. Fileprints: identifying file types by n-gram analysis. In Information Assurance Workshop, 2005. IAW '05. Proceedings from the 6th Annual IEEE SMC, pages 64–71, June 2005.
[22] N. Liao, S. Tian, and T. Wang. Network forensics based on fuzzy logic and expert system. Computer Communications, 32(17):1881–1892, 2009.
[23] M. McDaniel and M. Heydari. Content based file type detection algorithms. In System Sciences, 2003. Proceedings of the 36th Annual Hawaii International Conference on, January 2003.
[24] J. McHugh. Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security, 3:262–294, November 2000.
[25] T. M. Mitchell. The discipline of machine learning. Technical Report CMU-ML-06-108, Machine Learning Department, School of Computer Science, Carnegie Mellon University, 2006.
[26] R. Perdisci, W. Lee, and N. Feamster. Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces. In NSDI, pages 391–404. USENIX Association, 2010.
[27] V. Roussev and S. Garfinkel. File fragment classification-the case for specialized approaches. In Systematic Approaches to Digital Forensic Engineering, 2009. SADFE '09. 4th International IEEE Workshop on, pages 3–14, May 2009.
[28] F. Sebastiani. Machine learning in automated text categorization. ACM Computing Surveys, 34:1–47, 2002.
[29] O. Thonnard and M. Dacier. A framework for attack patterns' discovery in honeynet data. Digital Investigation, 5(Supplement 1):S128–S139, 2008. The Proceedings of the Eighth Annual DFRWS Conference.
[30] A. Valdes and K. Skinner. Probabilistic alert correlation. In W. Lee, L. Mé, and A. Wespi, editors, Recent Advances in Intrusion Detection, volume 2212 of Lecture Notes in Computer Science, pages 54–68. Springer, 2001.
[31] W. Wang and T. E. Daniels. A graph based approach toward network forensics analysis. ACM Transactions on Information and System Security, 12:4:1–4:33, October 2008.
