An empirical study of automatic event reconstruction systems

Authors:
Sundararaman Jeyaraman;Mikhail J. Atallah
Affiliations:
Department of Computer Sciences, Purdue University, 250 North University Street, West Lafayette, IN 47907-2066, USA;Department of Computer Sciences, Purdue University, 250 North University Street, West Lafayette, IN 47907-2066, USA
Venue:
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Year:
2006

Citing 10
Cited 2

Reasoning with Cause and Effect

IJCAI '99 Proceedings of the Sixteenth International Joint Conference on Artificial Intelligence
Precise dynamic slicing algorithms

Proceedings of the 25th International Conference on Software Engineering
Program slices: formal, psychological, and practical investigations of an automatic program abstraction method

Program slices: formal, psychological, and practical investigations of an automatic program abstraction method
A Large-Scale Empirical Study of Forward and Backward Static Slice Size and Context Sensitivity

ICSM '03 Proceedings of the International Conference on Software Maintenance
Backtracking intrusions

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Cost effective dynamic program slicing

Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation
RIFLE: An Architectural Framework for User-Centric Information-Flow Security

Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
Pin: building customized program analysis tools with dynamic instrumentation

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Forensix: A Robust, High-Performance Reconstruction System

ICDCSW '05 Proceedings of the Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05) - Volume 02
Cryptographic support for secure logs on untrusted machines

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7

Applying causal inference to understand emergent behavior

Proceedings of the 40th Conference on Winter Simulation
A framework for post-event timeline reconstruction using neural networks

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Quantified Score

Hi-index	0.00

Visualization

Abstract

Reconstructing the sequence of computer events that led to a particular event is an essential part of the digital investigation process. The ability to quantify the accuracy of automatic event reconstruction systems is an essential step in standardizing the digital investigation process thereby making it resilient to tactics such as the Trojan horse defense. In this paper, we present findings from an empirical study to measure and compare the accuracy and effectiveness of a suite of such event reconstruction techniques. We quantify (as applicable) the rates of false positives and false negatives, and scalability in terms of both computational burden and memory-usage. Some of our findings are quite surprising in the sense of not matching a priori expectations, and whereas other findings qualitatively match the a priori expectations they were never before quantitatively put to the test to determine the boundaries of their applicability. For example, our results show that automatic event reconstruction systems proposed in literature have very high false-positive rates (up to 96%).