A Labeled Logic for Analyzing Cyber-Forensics Evidence
Luca Viganò
Erisa Karafili, Matteo Cristani, Luca Viganò
“AF-Cyber: Logic-based Attribution and Forensics in Cyber Security”, funded by the EU’s Horizon 2020 under the Marie Skłodowska-Curie grant agreement No 746667.
Agenda
1 Introduction
2 Evidence Logic EL
3 Rewriting System for EL
4 Conclusions and Future Work
Karafili, Cristani, Vigano Analyzing Cyber-Forensics Evidence November 11, 2018 2 / 55
The Future is Interconnected
In 2020 there is an expectation of more than 20 billion IoT devices connected (McAfee Labs)
The growth of connectivity increases the security challenges
“Every minute, we are seeing about half a million attack attempts that are happening in Cyber Space” (Fortinet)
The cost of Cyber Crime Damage by 2021 will reach $6 Trillion (Cybersecurity Ventures)
The Problem
Forensics investigations often produce an enormous amount of evidence
Pieces of evidence are produced/collected by various sources: humans (e.g., another analyst) or forensic tools such as intrusion detection systems (IDS), traceback systems, malware analysis tools, and so on.
The forensics investigator needs to:
collect the evidence
check the sources of the evidence to evaluate their reliability
deal with an enormous number of pieces of evidence
analyse incomplete and/or conflicting evidence
A first example
Erisa: which are the last two small teams to win the Serie A?
Matteo (born in Verona) and Luca (born in Genova) answer:
When?
There is some confusion about the dates (1984-85 and 1990-91), so what can Erisa conclude?
Data Breach of the Democratic National Committee (DNC)
In Nov 2016, Wikileaks published private emails from the DNC.
Crowdstrike (a cyber-security company):
The attack occurred in March-April 2016: a successful spear phishing campaign using Bitly accounts to shorten malicious URLs.
TheForensicator (an anonymous analyst):
The attack occurred on the 5th of July 2016. Analysing the released metadata: physical transfer, as the created data were transferred at a speed of 23MB/s and the data were created on the 5th of July 2016.
FireEye (another cyber-security company):
It is possible to have a non-physical transfer speed of 23MB/s.
What should an analyst conclude from these discordant statements and pieces of evidence? How can a decision be made?
Our Solution
Evidence Logic EL and its Rewriting Procedure represent the pieces of evidence, and analyse and filter them by using the relations of trust between sources and between reasonings
Our solution filters the enormous amount of evidence
It solves temporal and factual discordancies
EL and the Rewriting Procedure are sound
Evidence Logic EL
Evidence Logic EL is based on Linear Temporal Logic and permits to represent:
the different pieces of evidence
the evidence sources and the relations of trust between sources
the reasoning behind the derived pieces of evidence and their relations of trust
In a nutshell:
Evidence represents information related to the attack, where a given (piece of) evidence usually represents an event, its occurrence and the source of the information about the occurrence of the event (another analyst, a cyber-forensics tool, etc.)
Evidence interpretation represents what the analyst thinks about the occurrence of an event e and about the occurrences of the events causing e
Evidence Logic Layers
Evidence Logic EL is made of three layers:
Evidence Layer ELE: the given pieces of evidence
Interpretation Layer ELI: the evidence interpretations
Reasoning Layer ELR: the reasoning behind the derived pieces of evidence
ELE: Evidence
Definition
Given t, t1, . . . , tn ∈ T, a, a1, . . . , an ∈ Ag, r1, r2 ∈ R, p ∈ VarsS and φ, φ1, . . . , φn ∈ Lit, the set ρ of formulas of ELE is
ρ ::= a : (t : φ) | a : (t : φ) [a1 : (t1 : φ1) | . . . | an : (tn : φn)]r | a1 /p a2 | r1 ≺ r2
Examples:
Alice : (t : SourceAttack(A, IP1))
Bob : (t : ¬SourceAttack(A, IP1))
Bob /SourceAttack Alice
Charlie : (t : AttackOrigin(A, Area1)) [Alice : (t : SourceAttack(A, IP1)) | Geoloc : (t : Geo(IP1, Area1))]r1
Simple Evidence and Derived Evidence
Simple evidence expresses that the agent represented by the source label a thinks that the literal φ is true at the instant of time represented by the temporal label t:
a : (t : φ)
Derived evidence expresses that a thinks that φ is true at the instant of time t because of the reasoning r, where a1 thinks that φ1 is true at t1, . . . , and an thinks that φn is true at tn:
a : (t : φ) [a1 : (t1 : φ1) | a2 : (t2 : φ2) | . . . | an : (tn : φn)]r
In other words, based on r, a thinks that φ is caused by φ1, . . . , φn (with their respective time instants and agents). The reasoning r of the derived evidence a : (t : φ) is composed of simple and/or derived pieces of evidence.
We forbid cycles between derived pieces of evidence: if ai : (ti : φi) [· · · | aj : (tj : φj) | · · ·]r is given, then aj : (tj : φj) [· · · | ai : (ti : φi) | · · ·]r′ is not a wff.
Evidence
FireEye (FE): it is possible to have a non-physical transfer speed of 23MB/s.
FE : (t2 : NonPhysicalSpeedTrans(23MB/s))
This is a simple piece of evidence: FE is the source, t2 the time, and NonPhysicalSpeedTrans(23MB/s) the event.
Crowdstrike (CS): the attack occurred in March-April 2016, a successful spear phishing campaign using Bitly accounts to shorten malicious URLs.
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
This is a derived piece of evidence: CS is the source, t1 the time, Attack the event, and [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)] the simple/derived evidence used by the reasoning r1.
Other Pieces of Evidence
TheForensicator (TF): the attack occurred on the 5th of July 2016. Analysing the released metadata: physical transfer, as the created data were transferred at a speed of 23MB/s and the data were created on the 5th of July 2016.
TF : (t2 : Attack) [TF : (t2 : MetaC) | TF : (t2 : PhysA)]r2
TF : (t2 : PhysA) [TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))]r3
The analyst trusts FireEye more than TheForensicator on the speed of non-physical data transfer; this is expressed by a relational formula (trust relation):
TF /NonPhysicalSpeedTrans(23MB/s) FE
Evidence Representation with ELE
Evidence Layer ELE:
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
TF : (t2 : Attack) [TF : (t2 : MetaC) | TF : (t2 : PhysA)]r2
TF : (t2 : PhysA) [TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))]r3
FE : (t2 : NonPhysicalSpeedTrans(23MB/s))
TF /NonPhysicalSpeedTrans(23MB/s) FE
ELI: Evidence Interpretation
Evidence interpretation: what the analyst thinks is plausibly true.
The second level ELI of EL employs a simplified variant of LTL.
ELI inherits from ELE: the temporal labels T, the reasonings R and the propositional variables Vars (and thus also the literals Lit).
Definition
Given t, t1, . . . , tn ∈ T, φ, φ1, . . . , φn ∈ Lit, r ∈ R and φ′ ∈ LitD, the set ϕ of formulas of ELI, called interpretations, is
ϕ ::= t : φ | t1 : φ1 ∧ t2 : φ2 ∧ . . . ∧ tn : φn →r t : φ′
t1 : φ1 ∧ . . . ∧ tn : φn →r t : φ′ means that the analyst thinks that φ′ is true at t, based on r, if φi is true at ti for all i ∈ {1, . . . , n}.
An interpretation expresses a positive event t : p (occurrence of the event) or a negative event t : ¬p (non-occurrence of the event).
Interpretations that express positive events represent plausible pieces of evidence and help the analyst perform a correct analysis.
ELI: Evidence Interpretation (examples)
t : SourceAttack(A, IP1)
t : ¬SourceAttack(A, IP1)
t : SourceAttack(A, IP1) ∧ t : Geo(IP1, Area1) →r1 t : AttackOrigin(A, Area1)
Evidence Interpretation
FE : (t2 : NonPhysicalSpeedTrans(23MB/s))⇓
t2 : NonPhysicalSpeedTrans(23MB/s)
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
⇓
t1 : SpPhish ∧ t1 : SucPhish→r1 t1 : Attack
}→ Evidence Interpretation
Karafili, Cristani, Vigano Analyzing Cyber-Forensics Evidence November 11, 2018 20 / 55
![Page 46: A Labeled Logic for Analyzing Cyber-Forensics …...A Labeled Logic for Analyzing Cyber-Forensics Evidence Luca Vigan o Erisa Kara li, Matteo Cristani, Luca Vigan o \AF-Cyber: Logic-based](https://reader034.vdocuments.net/reader034/viewer/2022042804/5f4f9dc04db20444b013dd45/html5/thumbnails/46.jpg)
Evidence Interpretation with ELI
Evidence Layer ELE:
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
FE : (t2 : NonPhysicalSpeedTrans(23MB/s))
⇓
Interpretation Layer ELI:
t1 : SpPhish ∧ t1 : SucPhish →r1 t1 : Attack
t2 : NonPhysicalSpeedTrans(23MB/s)
Evidence Logic Layers
The Evidence Logic EL is made up of three layers:
Evidence Layer ELE: the given pieces of evidence
Interpretation Layer ELI: the evidence interpretations
Reasoning Layer ELR: the reasoning behind the derived pieces of evidence
Evidence Reasoning
The third layer ELR of EL is the reasoning layer and deals with the reasoning behind the derived evidence.
ELR also uses LTL and inherits from ELE the temporal labels T, the reasonings R and the propositional variables Vars.
Definition
Given t ∈ T, φ ∈ LitD and r, rk, ..., rl ∈ R, the set ψ of formulas of ELR is
ψ ::= (t : φ)r | (t : φ)r,rk,...,rl .
The reasoning involves only derived pieces of evidence, which we can divide into two types (the first is a special case of the second).
(t : φ)r,rk,...,rl is composed of simple and derived pieces of evidence. The reasoning involves that of the agent stating the derived evidence, a : (t : φ) [a1 : (t1 : φ1) | ... | aj : (tj : φj)]r, as well as all the reasonings involved in the derived pieces of evidence φi ∈ Lit, for i ∈ {1, ..., j}, that are part of reasoning r.
ELR : Evidence Reasoning
Definition
Given t ∈ T, φ ∈ LitD and r, rk, ..., rl ∈ R, the set ψ of formulas of ELR is
ψ ::= (t : φ)r | (t : φ)r,rk,...,rl .
Example: (t : AttackOrigin(A, Area1))r1
Evidence Reasoning
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
⇓
t1 : SpPhish ∧ t1 : SucPhish →r1 t1 : Attack   (Evidence Interpretation)
⇓
(t1 : Attack)r1   (Evidence Reasoning)
Evidence Reasoning with ELR
Evidence Layer ELE:
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
FE : (t2 : NonPhysicalSpeedTrans(23MB/s))
⇓
Interpretation Layer ELI:
t1 : SpPhish ∧ t1 : SucPhish →r1 t1 : Attack
t2 : NonPhysicalSpeedTrans(23MB/s)
⇓
Reasoning Layer ELR:
(t1 : Attack)r1
Semantics of EL
Definition
The plausible pieces of evidence are a finite stream of temporal instants in which, at every instant of time, we may associate a finite number of occurrences or non-occurrences of an event.
Definition
A model of the evidence language EL is a tuple
M = {AgI, FI, POI, TRI, VarsI, RI, I}
In order to avoid having clear contradictions in the models, we constrain the functions AgI and RI as follows:
(COND1): If aI(t, p) = True, then aI(t′, p) = False for all t′ ≠ t.
(COND2): If (t, p)rI = True, then (t′, p)rI = False for all t′ ≠ t.
(COND3): Every /pI is an irreflexive and antisymmetric relation.
(COND4): Every ≺I is an irreflexive and antisymmetric relation.
3 Rewriting System for EL
Rewriting System
The rewriting system gets as input the given pieces of evidence and gives as output a consistent set of pieces of evidence by
rewriting pieces of evidence into interpretations and reasonings
analysing the pieces of evidence
resolving their discordances by eliminating the less trusted ones
capturing the temporal and factual discordancies by using the trust relations
Types of Rules
Insertion rules, e.g. D1: from a1 : (t1 : φ) and a2 : (t2 : φ), E becomes E ∪ {a1 : (t2 : ¬φ), a2 : (t1 : ¬φ)}
Elimination rules, e.g. D2: from a2 /p a1, a1 : (t : φ) and a2 : (t : ¬φ), E becomes E \ {a2 : (t : ¬φ)}
Closure rules, e.g. CC: from a : (t1 : φ) and a : (t2 : φ), derive ⊥
Rewriting Rules
Transformation rules
L1: from a : (t : φ), E becomes E ∪ {t : φ}
L′1: from (t : φ)r,...,rn, E becomes E ∪ {t : φ}
L2: from a : (t : φ) [a1 : (t1 : φ1) | ··· | an : (tn : φn)]r, E becomes E ∪ {ai : (ti : φi) | i ∈ {1, ..., n}, φi ∈ LitS} ∪ {t1 : φ1 ∧ ··· ∧ tn : φn →r t : φ}
Rewriting Rules
Discordance resolution rules
D1: from a1 : (t1 : φ) and a2 : (t2 : φ), E becomes E ∪ {a1 : (t2 : ¬φ), a2 : (t1 : ¬φ)}
D′1: from (t1 : φ)r1 and (t2 : φ)r2, E becomes E ∪ {(t2 : ¬φ)r1, (t1 : ¬φ)r2}
D2: from a2 /p a1, a1 : (t : φ) and a2 : (t : ¬φ), E becomes E \ {a2 : (t : ¬φ)}
D′2: from r2 ≺ r1, (t : φ)r1 and (t : ¬φ)r2, E becomes E \ {(t : ¬φ)r2}
Algorithm
Algorithm 1: Algorithm for the Rewriting Procedure
1–4: while we can apply the Trans/ and Trans≺ rules do: apply the Trans/ and Trans≺ rules; end while
5: apply CT and C′T; if we have ⊥, then we do not have a model: exit
6: while we can apply the L2 rule do: apply the L2 rule; end while
7: while we can apply the D1 and D2 rules do: apply the D1 and D2 rules; end while
8: apply CC; if we have ⊥, then we do not have a model: exit
9: while we can apply the L1 rule do: apply the L1 rule; end while
10: while we can apply the (→) rule do: apply the (→) rule; end while
11: while we can apply the D′1 and D′2 rules do: apply the D′1 and D′2 rules; end while
12: while we can apply the (→′) rule do: apply the (→′) rule; end while
13: while we can apply the D′′1 and D′′2 rules do: apply the D′′1 and D′′2 rules; end while
14: apply C′C; if we have ⊥, then we do not have a model: exit
15: while we can apply the L′1 rule do: apply the L′1 rule; end while
16: apply CP; if we have ⊥, then we do not have a model: exit
Rewriting Procedure
Evidence Layer ELE:
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
TF : (t2 : Attack) [TF : (t2 : MetaC) | TF : (t2 : PhysA)]r2
TF : (t2 : PhysA) [TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))]r3
FE : (t2 : NonPhysicalSpeedTrans(23MB/s))
Trust relation: TF /NonPhysicalSpeedTrans(23MB/s) FE
Next step: apply rule L2
Transformation Rule Application
L2 applied to CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1 gives E ∪ {CS : (t1 : SpPhish), CS : (t1 : SucPhish)} ∪ {t1 : SpPhish ∧ t1 : SucPhish →r1 t1 : Attack}
L2 applied to TF : (t2 : Attack) [TF : (t2 : MetaC) | TF : (t2 : PhysA)]r2 gives E ∪ {TF : (t2 : MetaC)} ∪ {t2 : MetaC ∧ t2 : PhysA →r2 t2 : Attack}   (PhysA is a derived literal, not in LitS, so no simple piece of evidence is added for it)
L2 applied to TF : (t2 : PhysA) [TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))]r3 gives E ∪ {TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))} ∪ {t2 : ¬NonPhysicalSpeedTrans(23MB/s) →r3 t2 : PhysA}
Result of rule L2 application
Evidence Layer ELE:
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
TF : (t2 : Attack) [TF : (t2 : MetaC) | TF : (t2 : PhysA)]r2
TF : (t2 : PhysA) [TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))]r3
FE : (t2 : NonPhysicalSpeedTrans(23MB/s))
CS : (t1 : SpPhish), CS : (t1 : SucPhish), TF : (t2 : MetaC), TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))
TF /NonPhysicalSpeedTrans(23MB/s) FE
⇓
Interpretation Layer ELI:
t1 : SpPhish ∧ t1 : SucPhish →r1 t1 : Attack,
t2 : MetaC ∧ t2 : PhysA →r2 t2 : Attack,
t2 : ¬NonPhysicalSpeedTrans(23MB/s) →r3 t2 : PhysA
Next step: apply rule D2
Elimination Rule D2
From TF /NonPhysicalSpeedTrans(23MB/s) FE, FE : (t2 : NonPhysicalSpeedTrans(23MB/s)) and TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s)), E becomes E \ {TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))}   (D2)
Result of rule D2 application
Evidence Layer ELE:
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
TF : (t2 : Attack) [TF : (t2 : MetaC) | TF : (t2 : PhysA)]r2
TF : (t2 : PhysA) [TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))]r3
FE : (t2 : NonPhysicalSpeedTrans(23MB/s))
CS : (t1 : SpPhish), CS : (t1 : SucPhish), TF : (t2 : MetaC)
TF /NonPhysicalSpeedTrans(23MB/s) FE
⇓
Interpretation Layer ELI:
t1 : SpPhish ∧ t1 : SucPhish →r1 t1 : Attack,
t2 : MetaC ∧ t2 : PhysA →r2 t2 : Attack,
t2 : ¬NonPhysicalSpeedTrans(23MB/s) →r3 t2 : PhysA
Next step: apply rule L1
Transformation Rules
L1 applied to FE : (t2 : NonPhysicalSpeedTrans(23MB/s)) gives E ∪ {t2 : NonPhysicalSpeedTrans(23MB/s)}
L1 applied to CS : (t1 : SpPhish) gives E ∪ {t1 : SpPhish}
L1 applied to CS : (t1 : SucPhish) gives E ∪ {t1 : SucPhish}
L1 applied to TF : (t2 : MetaC) gives E ∪ {t2 : MetaC}
Result of rule L1 application
Evidence Layer ELE:
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
TF : (t2 : Attack) [TF : (t2 : MetaC) | TF : (t2 : PhysA)]r2
TF : (t2 : PhysA) [TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))]r3
TF /NonPhysicalSpeedTrans(23MB/s) FE
⇓
Interpretation Layer ELI:
t1 : SpPhish ∧ t1 : SucPhish →r1 t1 : Attack,
t2 : MetaC ∧ t2 : PhysA →r2 t2 : Attack,
t2 : ¬NonPhysicalSpeedTrans(23MB/s) →r3 t2 : PhysA
t2 : NonPhysicalSpeedTrans(23MB/s), t1 : SpPhish, t1 : SucPhish, t2 : MetaC
Next step: apply rule (→)
Derivation of Derived Evidence
From t1 : SpPhish ∧ t1 : SucPhish →r1 t1 : Attack, t1 : SpPhish and t1 : SucPhish, E becomes E ∪ {(t1 : Attack)r1}   ((→))
Result of rule (→) application
Evidence Layer ELE:
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
TF : (t2 : Attack) [TF : (t2 : MetaC) | TF : (t2 : PhysA)]r2
TF : (t2 : PhysA) [TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))]r3
TF /NonPhysicalSpeedTrans(23MB/s) FE
⇓
Interpretation Layer ELI:
t1 : SpPhish ∧ t1 : SucPhish →r1 t1 : Attack,
t2 : MetaC ∧ t2 : PhysA →r2 t2 : Attack,
t2 : ¬NonPhysicalSpeedTrans(23MB/s) →r3 t2 : PhysA
t2 : NonPhysicalSpeedTrans(23MB/s), t1 : SpPhish, t1 : SucPhish, t2 : MetaC
⇓
Reasoning Layer ELR:
(t1 : Attack)r1
Next step: apply rule L′1
Application of rule L′1
From (t1 : Attack)r1, E becomes E ∪ {t1 : Attack}   (L′1)
Result of the rewriting procedure
Evidence Layer ELE:
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
TF : (t2 : Attack) [TF : (t2 : MetaC) | TF : (t2 : PhysA)]r2
TF : (t2 : PhysA) [TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))]r3
TF /NonPhysicalSpeedTrans(23MB/s) FE
⇓
Interpretation Layer ELI:
t1 : SpPhish ∧ t1 : SucPhish →r1 t1 : Attack,
t2 : MetaC ∧ t2 : PhysA →r2 t2 : Attack,
t2 : ¬NonPhysicalSpeedTrans(23MB/s) →r3 t2 : PhysA
t2 : NonPhysicalSpeedTrans(23MB/s), t1 : SpPhish, t1 : SucPhish, t2 : MetaC
t1 : Attack   (lifted back from the reasoning layer by L′1, ⇑)
⇓
Reasoning Layer ELR:
(t1 : Attack)r1
The forensics analyst obtains as a result the following consistent set of pieces of evidence (Interpretation Layer ELI):
t1 : SpPhish ∧ t1 : SucPhish →r1 t1 : Attack,
t2 : MetaC ∧ t2 : PhysA →r2 t2 : Attack,
t2 : ¬NonPhysicalSpeedTrans(23MB/s) →r3 t2 : PhysA
t2 : NonPhysicalSpeedTrans(23MB/s), t1 : SpPhish, t1 : SucPhish, t2 : MetaC
t1 : Attack
The EL Logic allows us to conclude that the Attack occurred at the instant of time t1 (March-April 2016).
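As an added example (not the authors' code and not the AF-Cyber project's implementation), the following Python sketch implements the transformation rules (L1, L′1, L2), the discordance resolution rules (D1, D′1, D2, D′2) and the closure rule CC from the Rewriting Rules slides, in the order of steps 6 to 16 of Algorithm 1, and runs them on the CS/TF/FE pieces of evidence of the Rewriting Procedure slides. Assumptions made here: a literal is an (atom, polarity) pair; LitD is taken to be the set of literals that some agent states with a reasoning, everything else being LitS; the trust relation a2 /p a1 is matched on the atom p of the contradicting statements; the rules that Algorithm 1 names but the slides do not define (Trans/, Trans≺, CT, C′T, (→′), D′′1, D′′2, CP) are left out; and C′C is assumed to be the reasoning-layer analogue of CC, mirroring COND2 of the semantics.

```python
"""Toy rewriting procedure for the Evidence Logic EL running example (added example, not the authors' code)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

Lit = Tuple[str, bool]           # (atom, polarity): ("SpPhish", True) is SpPhish, False is ¬SpPhish
Fact = Tuple[str, Lit]           # t : phi  (interpretation layer)
Derived = Tuple[str, Lit, str]   # (t : phi)r  (reasoning layer)


def neg(lit: Lit) -> Lit:
    return (lit[0], not lit[1])


@dataclass(frozen=True)
class Evidence:
    """a : (t : phi) [a1 : (t1 : phi1) | ... | an : (tn : phin)]r; r=None and no premises means simple evidence."""
    agent: str
    t: str
    lit: Lit
    premises: Tuple["Evidence", ...] = ()
    r: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    """Interpretation-layer rule  t1 : phi1 ∧ ... ∧ tn : phin ->r t : phi."""
    body: FrozenSet[Fact]
    head: Fact
    r: str


class Inconsistent(Exception):
    """A closure rule derived ⊥: the evidence set has no model."""


def rewrite(evidence, agent_trust=(), reasoning_trust=()):
    """agent_trust holds (a2, a1, atom) for 'a2 /atom a1' (a1 is the more trusted agent on atom);
    reasoning_trust holds (r2, r1) for 'r2 ≺ r1'.  Returns (E, I, R, F): evidence layer,
    interpretation rules, reasoning layer and interpretation-layer facts."""
    E: Set[Evidence] = set(evidence)
    I: Set[Rule] = set()
    R: Set[Derived] = set()
    F: Set[Fact] = set()
    lit_d = {e.lit for e in E if e.r is not None}   # assumed LitD: literals stated with a reasoning

    def simple():
        return [e for e in E if e.r is None]

    # Step 6, L2: unpack each derived piece of evidence into its simple premises plus a rule.
    for e in [e for e in E if e.r is not None]:
        E.update(Evidence(p.agent, p.t, p.lit) for p in e.premises if p.lit not in lit_d)
        I.add(Rule(frozenset((p.t, p.lit) for p in e.premises), (e.t, e.lit), e.r))
    # Step 7, D1: two agents stating phi at different instants implicitly deny each other's instant.
    snapshot = simple()
    for e1 in snapshot:
        for e2 in snapshot:
            if e1.agent != e2.agent and e1.lit == e2.lit and e1.t != e2.t:
                E.add(Evidence(e1.agent, e2.t, neg(e1.lit)))
    # Step 7, D2: the less trusted agent's contradicting statement is eliminated.
    for a2, a1, atom in agent_trust:
        for e1 in simple():
            if e1.agent == a1 and e1.lit[0] == atom:
                E.discard(Evidence(a2, e1.t, neg(e1.lit)))
    # Step 8, CC: one agent cannot state the same phi at two instants (cf. COND1).
    for e1 in simple():
        for e2 in simple():
            if e1.agent == e2.agent and e1.lit == e2.lit and e1.t != e2.t:
                raise Inconsistent(f"{e1.agent} states {e1.lit} at {e1.t} and {e2.t}")
    # Step 9, L1: every remaining simple piece of evidence becomes a fact t : phi.
    F.update((e.t, e.lit) for e in simple())
    # Step 10, (->): rules whose bodies hold yield reasoning-layer pieces (t : phi)r.
    R.update((rl.head[0], rl.head[1], rl.r) for rl in I if rl.body <= F)
    # Step 11, D'1 / D'2: the same discordance resolution on the reasoning layer.
    snap_r = list(R)
    for t1, l1, r1 in snap_r:
        for t2, l2, r2 in snap_r:
            if r1 != r2 and l1 == l2 and t1 != t2:
                R.add((t2, neg(l1), r1))
    for r2, r1 in reasoning_trust:
        for t, l, r in list(R):
            if r == r1:
                R.discard((t, neg(l), r2))
    # Step 14, C'C (assumed analogue of CC, cf. COND2): one reasoning cannot derive phi at two instants.
    for t1, l1, r1 in R:
        for t2, l2, r2 in R:
            if r1 == r2 and l1 == l2 and t1 != t2:
                raise Inconsistent(f"{r1} derives {l1} at {t1} and {t2}")
    # Step 15, L'1: lift derived pieces of evidence back to facts t : phi.
    F.update((t, l) for t, l, _ in R)
    return E, I, R, F


NPST = "NonPhysicalSpeedTrans(23MB/s)"


def running_example():
    """The four pieces of evidence and the trust relation TF /NPST FE from the slides."""
    cs = Evidence("CS", "t1", ("Attack", True), r="r1", premises=(
        Evidence("CS", "t1", ("SpPhish", True)), Evidence("CS", "t1", ("SucPhish", True))))
    tf_attack = Evidence("TF", "t2", ("Attack", True), r="r2", premises=(
        Evidence("TF", "t2", ("MetaC", True)), Evidence("TF", "t2", ("PhysA", True))))
    tf_physa = Evidence("TF", "t2", ("PhysA", True), r="r3", premises=(
        Evidence("TF", "t2", (NPST, False)),))
    fe = Evidence("FE", "t2", (NPST, True))
    return rewrite({cs, tf_attack, tf_physa, fe}, agent_trust={("TF", "FE", NPST)})


if __name__ == "__main__":
    E, I, R, F = running_example()
    print("facts:", sorted(F))      # includes ('t1', ('Attack', True)) and no t2 Attack
    print("derived:", sorted(R))    # [('t1', ('Attack', True), 'r1')]
```

On the slides' input the run reproduces the trace: L2 adds the simple premises and three rules, D2 drops TF's ¬NonPhysicalSpeedTrans statement because FE is more trusted on that atom, L1 turns the surviving simple evidence into facts, (→) fires only r1 (r3 lost its premise, so r2 never gets PhysA), and L′1 lifts (t1 : Attack)r1 to t1 : Attack. Passing a set in which one agent states the same literal at two instants makes CC raise Inconsistent, which is the "no model" exit of Algorithm 1.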
4 Conclusions and Future Work
Conclusions
We presented a formal representation for the pieces of evidence
Our EL Logic captures the evidence source, the reasoning and their level of trust
We introduced a rewriting procedure that, given the pieces of evidence:
captures and solves factual and temporal discordancies
gives a consistent set of pieces of evidence filtered using the relations of trust
Future Work
Implementation and testing of the framework
Enrichment with a reputation/belief revision process
Integration of the framework with a trust reinforcement system
Use Bayesian belief networks
Work with probabilities for the pieces of evidence
Incorporate within an Attribution Process
5 Algorithm Application
Algorithm Application
Algorithm 1 Algorithm for the Rewriting Procedure
1: while we can apply Trans/, Trans≺ rules do Apply Trans/, Trans≺ rules end while
2: while we can apply Trans/, Trans≺ rules do
3:   Apply Trans/ and Trans≺ rules
4: end while
5: Apply C_T and C′_T; if we have ⊥, then we do not have a model. Exit! end if
6: while we can apply L2 rule do Apply L2 rule end while
7: while we can apply D1, D2 rules do Apply D1, D2 rules end while
8: Apply C_C; if we have ⊥, then we do not have a model. Exit! end if
9: while we can apply L1 rule do Apply L1 rule end while
10: while we can apply (→) rule do Apply (→) rule end while
11: while we can apply D′1, D′2 rules do Apply D′1, D′2 rules end while
12: while we can apply (→′) rule do Apply (→′) rule end while
13: while we can apply D′′1, D′′2 rules do Apply D′′1, D′′2 rules end while
14: Apply C′_C; if we have ⊥, then we do not have a model. Exit! end if
15: while we can apply L′1 rule do Apply L′1 rule end while
16: Apply C_P; if we have ⊥, then we do not have a model. Exit! end if
Pieces of Evidence
CS : (t1 : Attack) [CS : (t1 : SpPhish) | CS : (t1 : SucPhish)]r1
TF : (t2 : Attack) [TF : (t2 : MetaC) | TF : (t2 : PhysA)]r2
TF : (t2 : PhysA) [TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))]r3
FE : (t2 : NonPhysicalSpeedTrans(23MB/s))
TF /NonPhysicalSpeedTrans(23MB/s) FE
Transformation Rule Application
CS : (t1 : Attack) [CS : (t1 : SPhish) | CS : (t1 : SucPhish)]r1
------------------------------------------------------------------------------------------------ L2
E ∪ {CS : (t1 : SPhish), CS : (t1 : SucPhish)} ∪ {t1 : SPhish ∧ t1 : SucPhish →r1 t1 : Attack}

TF : (t2 : Attack) [TF : (t2 : MetaC) | TF : (t2 : PhysA)]r2
------------------------------------------------------------------------------------------------ L2
E ∪ {TF : (t2 : MetaC)} ∪ {t2 : MetaC ∧ t2 : PhysA →r2 t2 : Attack}

TF : (t2 : PhysA) [TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))]r3
------------------------------------------------------------------------------------------------ L2
E ∪ {TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))} ∪ {t2 : ¬NonPhysicalSpeedTrans(23MB/s) →r3 t2 : PhysA}
Algorithm Application II
Pieces of Evidence (after applying L2)
E ∪ {CS : (t1 : SPhish), CS : (t1 : SucPhish), TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s)), TF : (t2 : MetaC)}
  ∪ {t1 : SPhish ∧ t1 : SucPhish →r1 t1 : Attack,
     t2 : MetaC ∧ t2 : PhysA →r2 t2 : Attack,
     t2 : ¬NonPhysicalSpeedTrans(23MB/s) →r3 t2 : PhysA}
Elimination Rule D2
TF /NonPhysicalSpeedTrans(23MB/s) FE    FE : (t2 : NonPhysicalSpeedTrans(23MB/s))    TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))
------------------------------------------------------------------------------------------------------------------------- D2
E \ {TF : (t2 : ¬NonPhysicalSpeedTrans(23MB/s))}
Algorithm Application III
Pieces of Evidence (after applying D2)
E ∪ {CS : (t1 : SPhish), CS : (t1 : SucPhish), TF : (t2 : MetaC)}
  ∪ {t1 : SPhish ∧ t1 : SucPhish →r1 t1 : Attack,
     t2 : MetaC ∧ t2 : PhysA →r2 t2 : Attack,
     t2 : ¬NonPhysicalSpeedTrans(23MB/s) →r3 t2 : PhysA}
Transformation Rule L1
FE : (t2 : NonPhysicalSpeedTrans(23MB/s))
----------------------------------------- L1
E ∪ {t2 : NonPhysicalSpeedTrans(23MB/s)}

CS : (t1 : SPhish)
------------------ L1
E ∪ {t1 : SPhish}

CS : (t1 : SucPhish)
-------------------- L1
E ∪ {t1 : SucPhish}

TF : (t2 : MetaC)
----------------- L1
E ∪ {t2 : MetaC}
Algorithm Application IV
Pieces of Evidence (after applying L1)
E ∪ {t1 : SPhish, t1 : SucPhish, t2 : MetaC, t2 : NonPhysicalSpeedTrans(23MB/s)}
  ∪ {t1 : SPhish ∧ t1 : SucPhish →r1 t1 : Attack,
     t2 : MetaC ∧ t2 : PhysA →r2 t2 : Attack,
     t2 : ¬NonPhysicalSpeedTrans(23MB/s) →r3 t2 : PhysA}
Derivation of Derived Evidence
t1 : SPhish ∧ t1 : SucPhish →r1 t1 : Attack    t1 : SPhish    t1 : SucPhish
---------------------------------------------------------------------------- (→)
E ∪ {(t1 : Attack)r1}
⇓
(t1 : Attack)r1
--------------- L′1
E ∪ {t1 : Attack}
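The rewriting steps walked through on these slides, as an added example that is not the authors' code: a small Python model of L2, D2, C_C, L1, (→) and L′1 run on the slides' four pieces of evidence and their trust relation. It assumes a topic-indexed trust triple for "TF /topic FE", leaves a premise that is the head of another reasoning piece from the same source to be derived rather than adding it as plain evidence (as the slides do for PhysA), and returns None for ⊥.

```python
# Added example, not the authors' code: a toy model of the EL rewriting steps
# applied on these slides (L2, D2, C_C, L1, (->), L'1), run on the slides'
# own pieces of evidence. Data structures, the "topic" form of the trust
# relation and the treatment of derived premises are my assumptions.
from dataclasses import dataclass
@dataclass(frozen=True)
class Lit:                    # t : P  or  t : ¬P
    t: str
    name: str
    neg: bool = False
    def negated(self):
        return Lit(self.t, self.name, not self.neg)
@dataclass(frozen=True)
class Ev:                     # src : (t : P)  or  src : (t : P)[premises]r
    src: str
    lit: Lit
    premises: tuple = ()
    rule: str = ""

def rewrite(pieces, trust):
    """trust: {(less_trusted, topic, more_trusted)}, the slides' TF /topic FE.
    Returns the set of facts, or None when the C_C consistency check hits ⊥."""
    E, rules = set(pieces), set()
    heads = {(x.src, x.lit) for x in pieces if x.premises}
    for e in [x for x in pieces if x.premises]:                   # L2
        E.discard(e)
        rules.add((e.premises, e.lit, e.rule))
        for p in e.premises:  # a premise that is itself a reasoning head
            if (e.src, p) not in heads:  # stays derived, not plain evidence
                E.add(Ev(e.src, p))
    for lo, topic, hi in trust:                                   # D2
        for a in list(E):
            if a.src == lo and a.lit.name == topic and any(
                    b.src == hi and b.lit == a.lit.negated() for b in E):
                E.discard(a)              # drop the less trusted claim
    facts = {e.lit for e in E}                                    # L1
    if any(f.negated() in facts for f in facts):                  # C_C
        return None                                               # ⊥: no model
    changed = True
    while changed:                                                # (->), L'1
        changed = False
        for prem, head, _r in rules:
            if all(p in facts for p in prem) and head not in facts:
                facts.add(head)
                changed = True
    return facts
T = "NonPhysicalSpeedTrans(23MB/s)"
SLIDE_EVIDENCE = [            # the four pieces of evidence on the slide
    Ev("CS", Lit("t1", "Attack"), (Lit("t1", "SPhish"), Lit("t1", "SucPhish")), "r1"),
    Ev("TF", Lit("t2", "Attack"), (Lit("t2", "MetaC"), Lit("t2", "PhysA")), "r2"),
    Ev("TF", Lit("t2", "PhysA"), (Lit("t2", T, True),), "r3"),
    Ev("FE", Lit("t2", T)),
]
SLIDE_TRUST = {("TF", T, "FE")}   # TF is less trusted than FE on this topic
```

With the trust relation, t1 : Attack is derived while t2 : PhysA and t2 : Attack are not, because the premise TF relied on was eliminated by D2; without the trust relation the same evidence fails C_C, since FE and TF contradict each other on NonPhysicalSpeedTrans(23MB/s).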