Network forensics is an important sub-branch of network security analysis, which involves collecting, recording and analyzing network traffic and logs to identify attacks, their impact, and causes. In modern security operational environment, network forensics is an important procedure for analysts to investigate and resolve security incidents. Although traditional security appliances are still being heavily used in enterprise network environments, they become less effective when the security alerts generated contain too many false positives. For example, Security Information and Event Management (SIEM) systems provide a centralized interface for querying various logs and other security relevant data, but it remains a major challenge to automatically correlate the collected data and transform them into actionable information. In addition, various sources of security relevant data collected from a large number of devices on a network are so overwhelming that it is almost impossible to use in analytics for timely response. Apparently, more research is needed in designing systems and platforms that can resolve the challenges and facilitate network forensic procedures. There is also a growing need for techniques and tools to support efficient data collection and processing, real-time log searching, and smart evidence correlation. Network forensic investigation is both a labor intensive and an intelligence intensive task. Human knowledge and expertise is crucial, but currently the majority of analysts’ time is spent on data processing as opposed to real intelligent investigation. How to design technologies and tools to better support human analysts is a fertile area for multi-disciplinary research that involves social, economical and behavioral sciences. Moreover, how evidence is collected and processed from network has a major impact on whether they are admissible in court. Research is needed to provide technologies for producing evidence from network to support legal prosecution. The aim of this workshop is to provide a venue for research that closes the gap between network forensics research and practical security operational needs, for discussing experiences, challenges, and lessons learned, and to foster multi-disciplinary collaboration, as well as collaboration among academia, industry, and government.
 
Topics of interests include, but are not limited to:
 
1)    Data collection and processing for network forensics
2)    Evidential reasoning techniques
3)    Data fusion and aggregation
4)    Threat intelligence
5)    Big-data security analytics
6)    Operational incident response
7)    Automatic evidence correlation
8)    Live forensics
9)    Network forensics for CPS/IoT device
10) Network forensics for clouds
11) Human/organizational aspects in network forensics
12) Legal aspects in network forensics

Important dates: