
DATA-DRIVEN DECISION SUPPORT FOR OPTIMIZING CYBER FORENSIC INVESTIGATIONS
 
ABSTRACT:

The project "Data-Driven Decision Support for Optimizing Cyber Forensic Investigations" is a web-based
application. The software provides a facility for reporting criminal offences, problems and missing persons
to the DIG. It supports reporting online crimes, filing online complaints, reporting missing persons, and
showing the criminal list and details on a web page. Any number of members of the public can complain
online. Each user first logs in to the server to share their availability. An effective way to begin this
task is to develop a mission statement that incorporates the core functions of the unit, whether those
functions include high-technology crime investigations, evidence collection, or forensic analysis. Cyber
forensics consists of the steps taken to investigate or collect data; it is defined as the processes and
tools used in investigations and in gathering evidence. Some instructions are provided by default, such as
category-wise instructions. By analysing the investigation report, the process is optimized so that the
investigation takes less time.
 
 
INTRODUCTION:
Modern science and technology have revolutionised the field of crime solving and have made the process much
faster and more reliable. The word "forensic" refers to all the science and technology used in solving crime.
The aim of this Forensic Management System is to manage the large volumes of data produced while solving
crimes through the application of scientific methods and modern technology. When a new case file is created,
the system stores specific information in categories. The system can be used to collaborate easily on case
files; temporary user profiles can be created if the other department does not implement this system.
LITERATURE SURVEY:
 
Title: Cyber Threat Intelligence – Issue and Challenges
Author Name: S. Siti Rahayu, Md Sahrom Abu, Dr Aswami Ariffin (DrAA)
Year: Mar 18, 2018

EXPLANATION: Today's threat landscape is evolving at a rapid rate, with many organizations continuously
facing complex and malicious cyber threats. Cybercriminals are better skilled, better organized and better
funded than before. Cyber Threat Intelligence (CTI) has become a hot topic and is under consideration by
many organizations to counter the rise of cyber-attacks. The aim of this paper is to review the existing
research related to CTI. Through the literature review process, the most basic question of what CTI is is
examined by comparing existing definitions to find common ground or disagreements. It is found that both
organizations and vendors lack a complete understanding of what information is considered to be CTI; hence
more research is needed in order to define CTI. This paper also identifies current CTI products and
services, including threat intelligence data feeds, threat intelligence standards and the tools used in CTI.
There is an effort by specific industries to share only relevant threat intelligence data feeds, such as the
Financial Services Information Sharing and Analysis Center (FS-ISAC), which collaborates on critical security
threats facing the global financial services sector only, while research and development centres such as
MITRE work on developing standard formats (e.g. STIX, TAXII, CybOX) for threat intelligence sharing to solve
interoperability issues between threat-sharing peers. Based on the review of CTI definitions, standards and
tools, this paper identifies four research challenges in cyber threat intelligence and analyses contemporary
work carried out in each. With organizations flooded with voluminous threat data, the requirement for
qualified threat data analysts to fully utilize CTI and turn the data into actionable intelligence has become
more important than ever. Data quality is not a new issue, but with the growing adoption of CTI, further
research in this area is needed.
Title: Unknown Attack Detection Based on Zero-Shot Learning

Author Name: ZHUN ZHANG, QIHE LIU

Year: November 4, 2020

EXPLANATION: In recent years, due to the frequent occurrence of network intrusions, more and more researchers
have begun to focus on network intrusion detection. However, detecting unknown attacks is still a challenge.
Currently, there are two main methods of unknown attack detection: clustering and honeypots. Both still have
unsolved problems, such as the difficulty of collecting unknown attack samples and the failure to detect
attacks in time. Zero-shot learning is proposed in this article to deal with the problem; it can recognize
unknown attacks by learning the mapping relations between the feature space and the semantic space (such as
an attribute space). When the semantic descriptions of all attacks (including known and unknown attacks) are
provided, the classifier built by zero-shot learning can extract the semantic information common to all
attacks and construct connections between known and unknown attacks.

The classifier then uses these connections to classify unknown attacks even though there are no samples of
unknown attacks. In this article, the authors first propose using zero-shot learning to overcome the challenge
of unknown attack detection and illustrate the feasibility of this method. Secondly, they propose a novel
zero-shot learning method based on a sparse autoencoder for unknown attack detection. This method maps the
features of known attacks to the semantic space, restores the semantic space to the feature space under a
reconstruction-error constraint, and establishes the feature-to-semantic mapping that is used to detect
unknown attacks. Verification tests were carried out on the public NSL-KDD dataset. The experiments in this
work show that the average accuracy reaches 88.3%, which is better than other methods.
Title: Real-time Attack Scenario Reconstruction from COTS Audit Data

Author Name: Sadegh M. Milajerdi, Junao Wang

Year: August 16–18, 2017

EXPLANATION:
The authors present an approach and system for real-time reconstruction of attack scenarios on an enterprise
host. To meet the scalability and real-time needs of the problem, they develop a platform-neutral, main-memory
based dependency graph abstraction of audit-log data. They then present efficient, tag-based techniques for
attack detection and reconstruction, including source identification and impact analysis. They also develop
methods to reveal the big picture of attacks by constructing compact, visual graphs of attack steps. Their
system participated in a red team evaluation organized by DARPA and was able to successfully detect and
reconstruct the details of the red team's attacks on hosts running Windows, FreeBSD and Linux.
Title: A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection.
 
Author Name: Anna L. Buczak, Erhan Guven
Year: 26 October 2015
EXPLANATION:
This survey paper describes a focused literature survey of machine learning (ML) and data mining (DM)
methods for cyber analytics in support of intrusion detection. Short tutorial descriptions of each ML/DM method
are provided. Based on the number of citations or the relevance of an emerging method, papers representing
each method were identified, read, and summarized. Because data are so important in ML/DM approaches, some
well-known cyber data sets used in ML/DM are described. The complexity of ML/DM algorithms is addressed,
discussion of challenges for using ML/DM for cyber security is presented, and some recommendations on when
to use a given method are provided.
Title: A Survey on Intrusion Detection System (IDS) and Internal Intrusion Detection and Protection
System (IIDPS)

Author Name: Amol Borkar, Akshay Donode, Anjali Kumari
Year: 23-24 Nov. 2017

EXPLANATION:
Around the world, billions of people access the internet today. Intrusion detection technology is a new
generation of security technology that monitors systems to prevent malicious activity. The paper consists of a
literature survey of Internal Intrusion Detection Systems (IIDS) and Intrusion Detection Systems (IDS) that
use various data mining and forensic algorithms so that the system can work in real time. Data mining
methods are proposed for cyber analytics in support of intrusion detection.
EXISTING SYSTEM

Concept:
Benefits from a repository of known adversarial tactics, techniques, and procedures, for each of which it
harvests threat intelligence information to calculate its probabilistic relations with the rest.

Technique:
Disclose framework

Disadvantage:
It has limited functionalities to derive the optimized result.

PROPOSED SYSTEM

Concept:
Data will be analyzed to optimize the process. From the report, the analysis process provides the
decision-making solution.

Technique:
AES Algorithm

Advantage:
It will be efficient as a data-driven process.
METHODOLOGY:
Methodology is the process of analysing the principles or procedures of a Progressive Anonymous Database
management system.
 

MODULES:

REGISTER
LOGIN
CID
    ADD CRIMINAL DATA
    VIEW LAWYER REQUEST
DIG
    MAINTAIN CRIMINAL DATA
    RESPONSE TO LAWYER
STATE POLICE
    APPROVE REGISTRATION
    VIEW PUBLIC COMPLAINT
    MOVE TO LOCAL STATION
LOCAL POLICE
    ADD CRIMINAL DATA
    VIEW STATE POLICE FILES
    MAKE REPORT
PUBLIC
    ADD COMPLAINT
LAWYER
    VIEW THE LOCAL POLICE DATA
    REQUEST CRIMINAL DATA
    DOWNLOAD CRIMINAL DATA
MODULE DESCRIPTION:
 

REGISTER:
The register module provides a conceptual framework for entering data on the departments in a way that
eases data entry and improves accuracy by matching the department entry to the data source (usually paper
files created at the point of care), such as local police and lawyers; ties easily back to individual
department records so that registers connect to department data; and collects data elements to enable
better supervision of tender programs.

LOGIN:
In this module of our project, a login represents a unit of work performed within a database management
system (or similar system) against a database, treated in a coherent and reliable way independent of other
transactions. A transaction generally represents any change in the database. Each module logs in to show
its own pages.

CID:
This module describes the CID's work and techniques.

ADD CRIMINAL DATA:

In this module, the CID adds data about past crimes, such as kidnapping, chain snatching, murder and other
cases, together with the accused's details, to the database.

VIEW LAWYER REQUEST:

In this module, the CID views lawyer requests, for example when a lawyer needs to know criminal details for
an investigation. If the lawyer is authorised to view the criminal details, the CID forwards the request to
the DIG.

DIG:
This module describes the DIG's work and techniques.

MAINTAIN CRIMINAL DATA:

In this module, the DIG maintains all criminal details in the database, including data added by the CID
and data added by the local police.

RESPONSE TO LAWYER:
In this module, the DIG responds to requests for the maintained data. The DIG views the request from the
lawyer; if the lawyer is an authorised user, the DIG responds to the request by sending the lawyer a
secret key.

STATE POLICE:
This module describes the state police's work and techniques.

APPROVE REGISTRATION:

In this module, the state police must approve the local police registration for their reference. If the
registration is not accepted by the state police, the local police cannot log in, so the state police need
to accept the registration.

VIEW PUBLIC COMPLAINT:

In this module, the state police view the public complaints.

MOVE TO LOCAL STATION:

In this module, the state police move a public complaint to the local police station located in the same
zone as the complainant.

LOCAL POLICE:
This module describes the local police's work and techniques.

ADD CRIMINAL DATA:

In this module, the local police also add criminal records to the database. These records are viewed by
the DIG.

VIEW STATE POLICE FILE:

In this module, the local police view the file forwarded by the state police for a new investigation.

MAKE REPORT:

In this module, the local police make a report for every investigation.

PUBLIC ADD COMPLAINT:

In this module, members of the public make complaints online. The complaint is viewed directly by the
state police.

LAWYER:

1. VIEW THE LOCAL POLICE DATA:

In this module, the lawyer views some records from the local police station, but cannot view all records.
Some confidential files are maintained secretly by the DIG office.

2. REQUEST CRIMINAL DATA:

In this module, a lawyer who needs particular criminal data for an investigation requests the criminal
data from the DIG.

3. DOWNLOAD:
In this module, after the DIG responds to the request with the secret key, the lawyer enters the key to
download the records.
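The request, secret-key response and download steps above, combined with the AES technique named for the proposed system, sketched as an added example in the project's stated Java stack; this is illustrative code, not the project's own. The DIG seals a record under a fresh AES-256-GCM key only for a lawyer the CID has marked as authorised, hands that key back, and the download step yields the record only when the matching key is presented. The class, method and sample identifiers (CriminalDataRelease, respondToRequest, download, lawyer-17, CASE-0042) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical sketch of the DIG -> lawyer release step; not the project's own code.
public class CriminalDataRelease {
    // What the database keeps: AES-GCM ciphertext and its nonce, never the key.
    static final class SealedRecord {
        final byte[] nonce, ciphertext;
        SealedRecord(byte[] n, byte[] c) { nonce = n; ciphertext = c; }
    }

    // Lawyers the CID has marked as authorised (constructed sample data).
    private final Set<String> authorisedLawyers = new HashSet<>(Arrays.asList("lawyer-17"));
    private final Map<String, SealedRecord> sealed = new HashMap<>();
    final List<String> auditLog = new ArrayList<>();

    // DIG side: seal the record under a fresh AES-256 key and return that key for the lawyer.
    // A fresh key per release means the 96-bit GCM nonce is never reused under one key.
    SecretKey respondToRequest(String lawyerId, String caseId, String record) throws GeneralSecurityException {
        if (!authorisedLawyers.contains(lawyerId)) {
            auditLog.add("DENIED " + lawyerId + " " + caseId);
            throw new SecurityException("lawyer not authorised by CID: " + lawyerId);
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        c.updateAAD(caseId.getBytes(StandardCharsets.UTF_8)); // bind the ciphertext to its case id
        sealed.put(caseId, new SealedRecord(nonce, c.doFinal(record.getBytes(StandardCharsets.UTF_8))));
        auditLog.add("RELEASED " + lawyerId + " " + caseId);
        return key;
    }

    // Lawyer side: present the key to download. A wrong key or a tampered ciphertext fails
    // GCM tag verification (AEADBadTagException), so no plaintext is ever returned.
    String download(String caseId, byte[] keyBytes) throws GeneralSecurityException {
        SealedRecord r = sealed.get(caseId);
        if (r == null) throw new NoSuchElementException("no sealed record for " + caseId);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(keyBytes, "AES"), new GCMParameterSpec(128, r.nonce));
        c.updateAAD(caseId.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(r.ciphertext), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        CriminalDataRelease dig = new CriminalDataRelease();
        SecretKey key = dig.respondToRequest("lawyer-17", "CASE-0042", "constructed sample record");
        System.out.println(dig.download("CASE-0042", key.getEncoded()));
        byte[] wrong = key.getEncoded().clone();
        wrong[0] ^= 1; // flip one key bit: the download must now be rejected
        try { dig.download("CASE-0042", wrong); }
        catch (GeneralSecurityException e) { System.out.println("rejected: " + e.getClass().getSimpleName()); }
        System.out.println(dig.auditLog);
    }
}
```

In a deployment the key would be delivered to the lawyer over the authenticated session rather than printed, and the audit log entries are the evidence a DIG office would review when a release is questioned.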
MODULE DIAGRAM:

Each diagram shows the flow between the actor, the action and the database:

• REGISTER: USER -> SIGN UP -> DATA BASE

• LOGIN: USER -> LOGIN -> DATA BASE -> MAIN PAGE

• CID:
  ADD CRIMINAL DATA: CID -> ADD DATA -> DATA BASE -> VIEW
  VIEW LAWYER REQUEST: CID -> VIEW REQUEST -> DATA BASE

• DIG:
  MAINTAIN CRIMINAL DATA: DIG -> MAIN PAGE -> DATA BASE
  RESPONSE LAWYER REQUEST: DIG -> RESPONSE -> DATA BASE -> LAWYER

• STATE POLICE:
  APPROVE REGISTRATION: LOCAL POLICE -> DATA BASE -> REGISTER APPROVE
  VIEW PUBLIC COMPLAINT: PEOPLE -> MAKE COMPLAINT -> DATA BASE -> STATE POLICE
  MOVE TO LOCAL POLICE: STATE POLICE -> COMPLAINT MOVE -> DATA BASE -> LOCAL POLICE

• LOCAL POLICE:
  ADD CRIMINAL DATA: LOCAL POLICE -> ADD DATA -> DATA BASE -> DIG
  VIEW STATE ADDED DATA: LOCAL POLICE -> VIEW COMPLAINT -> DATA BASE -> MAIN PAGE
  MAKE REPORT: LOCAL POLICE -> MAKE REPORT -> DATA BASE -> DIG/CID

• LAWYER:
  VIEW: LAWYER -> VIEW LOCAL CRIMINAL DATA -> DATA BASE
  REQUEST: LAWYER -> REQUEST -> DATA BASE -> CID
  DOWNLOAD: LAWYER -> DOWNLOAD -> DATA BASE
 

REQUIREMENTS ENGINEERING

GENERAL

These are the requirements for doing the project. Without these tools and software the project cannot be
done. There are two kinds of requirements:
1. Hardware Requirements.
2. Software Requirements.

HARDWARE REQUIREMENTS

The hardware requirements may serve as the basis for a contract for the implementation of the system and
should therefore be a complete and consistent specification of the whole system. They are used by software
engineers as the starting point for the system design. They state what the system does, not how it should be
implemented.
PROCESSOR : PENTIUM IV 2.6 GHz, Intel Core 2 Duo
RAM : 4 GB DDR RAM
MONITOR : 15" COLOR
HARD DISK : 40 GB

SOFTWARE REQUIREMENTS
The software requirements document is the specification of the system. It should include both a definition
and a specification of requirements. It is a set of statements about what the system should do rather than
how it should do it. The software requirements provide a basis for creating the software requirements
specification. It is useful for estimating cost, planning team activities, performing tasks and tracking the
team's progress throughout the development activity.
Front End : J2EE (JSP, SERVLETS), JAVASCRIPT

Back End : MySQL 5.5

Operating System : Windows 7

IDE : Eclipse
 

DESIGN ENGINEERING
GENERAL
Design Engineering deals with the various UML (Unified Modelling Language) diagrams for the
implementation of the project. Design is a meaningful engineering representation of a thing that is to be
built. Software design is the process through which the requirements are translated into a representation
of the software. Design is where quality is rendered in software engineering, and it is the means to
accurately translate customer requirements into a finished product.

USE-CASE DIAGRAM:

EXPLANATION:
The use case diagram is the main building block of object-oriented modelling. It is used both for general
conceptual modelling of the system's behaviour and for detailed modelling that translates the models into
programming code. In our component diagram we first lay out the data flow; in this proposed method we use
the Hash-Solomon Code algorithm to encrypt the data.

STATE DIAGRAM:

EXPLANATION:
State diagrams require that the system described is composed of a finite number of states; sometimes this
is indeed the case, while at other times it is a reasonable abstraction. Many forms of state diagrams exist,
which differ slightly and have different semantics. Our state diagram follows the same data flow as the
component diagram; in this proposed method we use the Hash-Solomon Code algorithm to encrypt the data.

ACTIVITY DIAGRAM:

EXPLANATION:
Activity diagrams are loosely defined diagrams that show workflows of stepwise activities and actions, with
support for choice, iteration and concurrency. In UML, activity diagrams can be used to describe the business
and operational step-by-step workflows of components in a system, and they can potentially model the internal
logic of a complex operation. In many ways UML activity diagrams are the object-oriented equivalent of flow
charts and data flow diagrams (DFDs) from structured development.

CLASS DIAGRAM:

EXPLANATION:
A class diagram is a type of static structure diagram that describes the structure of a system by showing the
system's classes, their attributes, and the relationships between the classes. The classes in a class diagram
represent both the main objects and the interactions in the application.

E-R DIAGRAM:

EXPLANATION:

An entity is represented as a rectangle in an ER diagram. For example, in the following ER diagram we have
two entities, Student and College, and these two entities have a many-to-one relationship, as many students
study in a single college. Relationships are covered later; for now the focus is on entities.

SYSTEM ARCHITECTURE:

EXPLANATION:
The systems architect establishes the basic structure of the system. We propose a Hash-Solomon Code
algorithm: a small part of the data can be kept on the local machine and on a fog server in order to protect
privacy. Moreover, based on computational intelligence, this algorithm can compute the proportion of data to
be stored in the cloud, the fog and the local machine respectively. Through theoretical safety analysis and
experimental evaluation, the feasibility of the scheme has been validated, making it a powerful supplement to
existing cloud storage schemes.
FUTURE ENHANCEMENTS:

The upcoming version of the project will design the model with a second expert or administrator to check
and give suggestions to the public through the authorization services. One phase will be implemented for
various complaint sectors such as murder, kidnapping, robbery, etc. In another phase, cybercrime reporting
will be added.

CONCLUSION:

Digital forensics involves the process of identifying, collecting, acquiring, preserving, analysing, and
presenting digital evidence. Digital evidence must be authenticated to ensure its admissibility in a court of
law. Ultimately, the forensic artefacts and the forensic methods used for static or live acquisition depend on
the case and its section. Real evidence must be competent (authenticated), relevant, and material. This
software was developed with a modular approach. All modules in this system have been tested with valid data,
and everything worked successfully.
 

 