
Automated Diagnosis for Computer Forensics

August 2001

Christopher Elsaesser, The MITRE Corporation
Michael C. Tanner, The MITRE Corporation

ABSTRACT

Upon discovery, security administrators must determine how computer system intrusions were accomplished in order to prevent their recurrence. This paper describes an automated diagnosis system designed to focus investigation on the evidence most likely to reveal a hacker’s method. The system takes as input victim configuration and vulnerability information and a description of the unauthorized access gained by the attacker. From this information, together with templates describing hacker exploits and computer actions, the system generates possible attack sequences. Because it is impossible to know everything the attacker might be aware of or have done, attack hypotheses can include assumptions where there is no apparent action to accomplish part of an attack. The hypothetical attacks are next simulated on a model of the victim network. Successful simulation indicates a feasible means of accomplishing the unauthorized access. The simulation generates representative log entries that a pattern-matching subsystem compares to system records. Close matches are indicators that the associated hypothesis was the means of attack.
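The following is an added illustration, not code from the paper: a toy Python version of the pipeline the abstract describes (backward-chained hypothesis generation with explicit assumptions, simulation on a victim model that rejects infeasible steps, and matching of the simulated log entries against collected records). The victim model, the exploit templates, and the log lines are all constructed for the example.

```python
from collections import namedtuple

VICTIM = {"web": {"httpd"}, "db": {"sqld", "sshd"}}  # constructed victim model: host -> services
# Exploit/action template: state required, (host, service) it needs on the victim,
# state produced, and the representative log entry emitted when the step is replayed.
T = namedtuple("T", "name pre needs post log")
TEMPLATES = [
    T("web_rce", ("attacker", "net"), ("web", "httpd"), ("attacker", "web"), "httpd: malformed request from external"),
    T("ssh_pivot", ("attacker", "web"), ("db", "sshd"), ("attacker", "db"), "sshd: login for svc from web"),
    T("stolen_creds", ("attacker", "net"), ("db", "sshd"), ("attacker", "db"), "sshd: login for svc from external"),
    T("ftp_rce", ("attacker", "net"), ("db", "ftpd"), ("attacker", "db"), "ftpd: overlong command from external"),
    T("db_priv", ("attacker", "db"), ("db", "sqld"), ("root", "db"), "sqld: privileged function loaded by svc"),
    T("web_priv", ("local", "web"), ("web", "httpd"), ("root", "web"), "kernel: setuid change by www"),
]

def hypotheses(goal, start=("attacker", "net"), depth=4):
    """Abduction: chain backwards from the unauthorized access to the attacker's start.
    Returns [(steps, assumptions)]; a state no template produces becomes an assumption."""
    if goal == start:
        return [([], [])]
    found = []
    for t in (TEMPLATES if depth else []):  # depth bound guards against template cycles
        if t.post == goal:
            for steps, assumed in hypotheses(t.pre, start, depth - 1):
                found.append((steps + [t], assumed))
    return found or [([], [goal])]

def simulate(steps):
    """Replay on the victim model: expected log entries, or None if a needed service is absent."""
    logs = []
    for t in steps:
        host, svc = t.needs
        if svc not in VICTIM.get(host, ()):
            return None  # hypothesis infeasible on this victim
        logs.append(t.log)
    return logs

def diagnose(goal, observed):
    """Rank feasible hypotheses by share of simulated entries found in records, then fewest assumptions."""
    ranked = []
    for steps, assumed in hypotheses(goal):
        logs = simulate(steps)
        if logs is not None:
            score = sum(any(e in o for o in observed) for e in logs) / max(len(logs), 1)
            ranked.append((score, [t.name for t in steps], assumed))
    return sorted(ranked, key=lambda r: (r[0], -len(r[2])), reverse=True)

OBSERVED = ["Aug 14 02:11:03 web httpd: malformed request from external",  # constructed records
            "Aug 14 02:12:40 db sshd: login for svc from web",
            "Aug 14 02:13:05 db sqld: privileged function loaded by svc"]
```

Running `diagnose(("root", "db"), OBSERVED)` ranks the web-then-pivot sequence above the direct-login one, and the FTP route never appears because the simulation rejects it (no ftpd on the db host); `diagnose(("root", "web"), OBSERVED)` shows a hypothesis that survives only by assuming an unexplained local foothold.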

Additional Search Keywords

computer security, abduction, plan recognition, heuristic search

Page last updated: August 27, 2001
