
Procedia Computer Science 00 (2015) 1–14


www.elsevier.com/locate/procedia

Network Forensics: Application of Fuzzy TOPSIS Method for Rating Network Intrusion Evidence to Prioritize Investigation

Omaji Samuel, Abid Khan, Amir Hayat, Akogwu Blessing Omojo^a

COMSATS Institute of Information Technology, Islamabad

^a Sheda Science and Technology (SHESTCO), Kwali, Abuja, Nigeria

Abstract

Network forensics has emerged as a set of procedures for collecting, analyzing, reporting and documenting critical situations that require real-time investigation of network attacks and acquisition of evidence for decision making. Investigating network attacks is a contemporary challenge: a large number of attacks against numerous security tools and techniques have been identified in recent years, and choosing the best option among the feasible attack alternatives, rating them and prioritizing them for further investigation remains a fundamental problem for network forensics investigators. Prioritizing network attacks and selecting risks can be treated as a multiple criteria decision making (MCDM) problem. This paper proposes the technique for order preference by similarity to ideal solution (TOPSIS) under a fuzzy environment to address the MCDM problem in network forensics. A set of predefined parameterized triangular fuzzy linguistic terms is used to evaluate the weights of the criteria and the ratings of the individual alternative network attacks, so that the alternatives can be prioritized according to the decision makers' (DMs') preferences. A worked example is presented to demonstrate the computational efficiency and feasibility of the proposed fuzzy TOPSIS method. To assess the trustworthiness of the prioritized attacks, we combine the attack alternatives through the degree of belief derived from independent items of evidence using Dempster–Shafer theory.

© 2015 Published by Elsevier Ltd.

Keywords: Network forensics, Multi-criteria decision making, Intrusion evidence, TOPSIS, Dempster–Shafer theory.

1. Introduction

Network security has become prominent in modern society with the emergence of the Internet as the major means of communication, information sharing and online transactions. As a result of this success, threats increase daily and require urgent responses using advanced security solutions that traditional tools do not support. Investigating such threats is an ambitious task [7], since attackers' knowledge of the network is increasingly crafty. Network forensics addresses this: it aims to provide a capability that the investigator must have in the current network, and it also refers to the investigative process of analyzing network data and events for the purpose of holding the attacker responsible for his or her actions [7]. Network forensics is vital for digging into attacks and intrusions from inside and outside the network, to ascertain the existence of a threat and to remediate the system [2]. Capturing traffic on a network is easy in theory but relatively difficult in practice, because of the huge volume of data that flows through the network and the complexity of the protocols and addressing involved. Archiving network traffic requires a lot of resources, and it is often impractical to archive every packet that flows through the network; an investigator needs to back up these records to free space on the recording media and to preserve the data for further analysis [2].

∗ Corresponding author email address: abidkhan@comsats.edu.pk

Forensics investigators must locate and retrieve evidence across many distinct events and packets (traffic), so they need to prioritize the evidence and establish which items indicate the greatest risk. Otherwise, when there are many investigations, each scored on a different scale, how can a forensics investigator convert this volume of evidence data into defensible grounds for legal action? We need a common framework to standardize evidence scores and to prioritize risk in a way that reflects the actual risk [2].

No standard evidence score exists, since the severity of a risk depends on human judgment and on the jurisdiction (what seems high depends on who is carrying out the investigation). Microsoft provides a threat risk modeling technique known as DREAD, a classification scheme for comparing, valuing and prioritizing the risks derived from each identified threat. The risk rating used here is influenced by DREAD modeling [4, 5], and DREAD is also used to sort the evaluated risks directly. To compute the risk value, the DREAD algorithm averages the scores of all five categories:

$$\beta = \mathrm{Damage} + \mathrm{Reproducibility} + \mathrm{Exploitability} + \mathrm{AffectedUsers} + \mathrm{Discoverability}$$

$$\mathrm{Risk} = \frac{\beta}{5}$$

Each category is scored from 0 to 10, so the computed risk also falls between 0 and 10; the higher the value, the more critical the risk [3, 5].

Several automated tools exist for analyzing, reporting and discovering network attacks. However, they do not take into account the risk assessment preferences of the investigator or prioritize the risks for further evaluation and investigation. In this article we extend the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS), which can reduce the computational complexity of the decision making process.

The remainder of this paper is structured as follows. Section 2 reviews the related literature on network forensics and MCDM problems. Section 3 gives preliminaries, an overview of fuzzy set theory and a description of the problem. Section 4 presents the fuzzy TOPSIS method and a working example that clarifies its application to the problem of prioritizing network attack risk. Section 5 evaluates our method with Dempster–Shafer theory. Section 6 concludes with a discussion of the work.

2. Literature review

The literature is reviewed from the perspective of network forensics and from that of the application of MCDM methods.

2.1. Literature review based on network forensics

Network forensics emerged from the larger domain of computer forensics. Computer forensics is the legal procedure used to catch and prosecute perpetrators of digital crimes; it can also be seen as a well-defined investigative procedure for the collection and preservation of evidence that must be strictly adhered to in a consistent manner [7]. Computer forensics is widely regarded as a new area of study, since in the past intruders had little knowledge of the network environment. Inquiring into and explaining the cause of events that surface on a computer requires computer forensics techniques.


The term network forensics was introduced by the computer security expert Marcus Ranum in the early 1990s. He described it in [8] as a forensic method for analyzing packet traces and network connectivity graphs.

Network forensics examination poses innumerable challenges, from inconclusive evidence to internal politics to questions of which evidence is admissible. To meet these challenges, investigators must carefully assess each examination and develop an achievable strategy that takes into account both the goals of the examination and the resources available [10].

Network forensics systems are classified into various types based on their characteristics. This classification is vital for identifying the requirements, under the assumption that the context of the data to be analyzed for network forensic evidence is known. The classification is by: firstly, purpose, i.e. analyzing the network traffic to discover the intruder's pattern in a form that will be admissible in court; secondly, packet capture, which is either catch-it-as-you-can [9], capturing and storing every packet passing through a particular node, or stop-look-and-listen, which analyzes packets in memory as they pass and stores only selected ones, an approach that can give only limited information about the packets; thirdly, platform, i.e. whether the network forensics system is a hardware appliance or a software system installed on the victim device to analyze and store the captured packets; fourthly, the timing of the traffic analysis, where real-time network surveillance is mostly used by commercial network forensics systems; and lastly, network flow based systems, which collect flow records from a data source for statistical analysis of the network traffic as it passes through a capture platform.

Analysis of the collected data is the most crucial and time-demanding task. Although there are numerous automated analysis tools that an investigator can use for forensic purposes, they are insufficient, since there is no infallible way to distinguish bogus traffic generated by an intruder from legitimate traffic. Human judgment is also indispensable because real-time traffic analysis tools always leave room for false positives. An investigator carries out network forensics to determine the kind of attack carried out over the network and to trace the culprits. Proper procedures are followed so that the evidence recorded during the investigation can be used in a court of law. Network forensics can reveal how an intruder got into the network, the route of the intrusion and the techniques used, and can trace the evidence. Network forensics cannot solve a case alone: it requires skills, tools and good human judgment, and before the investigator can link a suspect to an attack he or she must be able to distinguish false positives from false negatives and must be able to justify the claim that the intrusion was carried out by the said intruder. The phrase network forensics has been used in a variety of ways without a formal definition. Generally, however, it refers to the investigation of data collected from active network devices, such as firewall logs, network traffic and intrusion detection system (IDS) logs, which is essential for investigating a security breach such as a system compromise [6].

In the literature, network forensics is not a protection scheme or an access control policy, and it is not considered a substitute for firewalls and IDS. Rather, it is a process of aggregating evidence and exploring tools, techniques and human effort for the sake of examination. Network forensics is of great interest and importance to law enforcement agencies because they need it to investigate network related crime [6]. In ordinary use, network forensics is necessary for investigating anomalous activities and ensuring service availability; for example, its findings are used to tune the filter rules of firewalls and to update intrusion signatures in IDS systems.

2.2. Literature review on MCDM problems

Decision making is the process of deriving a scale of preference among the feasible alternatives. Multiple attribute decision making (MADM) is usually used to handle decision making and selection problems, since human judgments involving preferences are ambiguous and cannot be expressed with exact numeric values, and the application of fuzzy concepts to decision making is therefore necessary. We use TOPSIS with fuzzy variables and their values, introducing an appropriate negation for deriving the ideal solution. We also apply a new fuzzy distance measure with a lower bound over the alternatives; the similarity degree is then used for ranking the alternatives.

Hwang and Yoon [11] presented a survey of multi criteria decision making (MCDM) methods, including the technique for order of preference by similarity to ideal solution (TOPSIS), one of the well known classical MCDM methods. It is based on the notion of choosing the alternative that has the shortest distance from the Positive Ideal Solution (PIS), which maximizes the benefit criteria and minimizes the cost criteria, and the farthest distance from the Negative Ideal Solution (NIS), which maximizes the cost criteria and minimizes the benefit criteria.

In classical MCDM methods, including TOPSIS, the rating and weight of each criterion are assumed to be precisely known. There are numerous applications of fuzzy TOPSIS in the literature. For example, Chang et al. [12] developed a fuzzy TOPSIS model to choose the optimal initial training aircraft for the Taiwan air force academy, and Golam et al. [19] exploit MCDM approaches for evaluating travel website service quality (TWSQ). Others include: evaluation of service quality [12], inter-company comparison [13], aggregate production planning [14], facility location selection [15], large scale non-linear programming [16], quality of service (QoS) selection for web services [20], and evaluation of the performance of bunkering ports on regular liner routes in order to choose the optimal ones [21].

Satar et al. [22] propose assessing the risks associated with human health in order to manage control measures and support decisions that balance concerns such as safety and cost; Dewangan et al. [23] study and perform sensitivity analysis of surface integrity and dimensional accuracy in electrical discharge machining (EDM); Ksenija et al. [24] facilitate the assessment of the financial performance of Serbian banks; Devika et al. [25] select green suppliers for a Brazilian electronics company based on GSCM practices; Roszkowska et al. [26] apply fuzzy TOPSIS to support building a scoring system for offers in ill-structured negotiations; Yeonjoo et al. [27] develop a framework that prioritizes the best sites for treated wastewater (TWW); Gyumin et al. [28] aim to improve general flood vulnerability assessment using fuzzy TOPSIS based on α-cut level sets, which can reduce the uncertainty in fuzzy MCDM processes; Chunguang et al. [29] evaluate organizational performance, covering strategic and operational performance as well as financial and other losses; Şengül et al. [30] develop an MCDM support framework for ranking renewable energy supply systems in Turkey; Osman et al. [31] evaluate construction projects and their overall risks under incomplete and uncertain information; Tabassam et al. [32] propose a method for aggregating the opinions of several decision makers in robot selection using generalized interval-valued fuzzy numbers with TOPSIS; Xiaolu and Zeshui [33] develop a soft computing technique based on consensus maximization and fuzzy TOPSIS to solve interval intuitionistic fuzzy MAGDM problems from those two aspects of the decision data. Finally, Xiuzhi et al. [34] develop an analytical solution to fuzzy TOPSIS and apply it to personnel selection in a knowledge-intensive enterprise.

2.3. Research gap

Based on the literature review, all these applications exist in other domains, but no application of the fuzzy TOPSIS method to evaluating and prioritizing risk in network attacks is known in network forensics. In this research we employ the fuzzy TOPSIS method proposed by Hwang and Yoon [11] to evaluate forensics investigations for network attack risk selection. Since a single method is not sufficient to provide an accurate decision, we address this by introducing Dempster–Shafer theory to combine the attack alternatives through the degree of belief obtained from independent items of evidence.

3. Preliminaries

Investigating and evaluating intrusion evidence requires that the forensics examiner reach the right judgment at the right time. Owing to the imprecision of the decision data, crisp data are insufficient for real-life situations: human judgments involving preferences are often unclear and cannot be evaluated with exact numerical values, so the application of fuzzy concepts to decision making is appropriate. On the other hand, it is a hard problem, since the decision of how to prioritize the risk of network attacks and determine the best preference is itself imprecise.

3.1. Overview of Fuzzy Set Theory

A comprehensive introduction to fuzzy set theory and its applications is found in [35, 36]. The definitions of fuzzy concepts that give a clearer understanding of TOPSIS have been chosen from these sources and are presented as follows:


Definition 1. A fuzzy set $\tilde{a}$ in a universe of discourse $X$ is characterized by a membership function $\mu_{\tilde{a}}(x)$ that maps each element $x$ in $X$ to a real number in the interval $[0,1]$. The function value $\mu_{\tilde{a}}(x)$ is termed the grade of membership of $x$ in $\tilde{a}$. The nearer the value of $\mu_{\tilde{a}}(x)$ to unity, the higher the grade of membership of $x$ in $\tilde{a}$ [35].

Definition 2. A triangular fuzzy number is represented as a triplet $\tilde{a} = (a_1, a_2, a_3)$. The membership function $\mu_{\tilde{a}}(x)$ of the triangular fuzzy number $\tilde{a}$ is given as [35]:

$$\mu_{\tilde{a}}(x) = \begin{cases} \dfrac{x - a_1}{a_2 - a_1}, & \text{if } a_1 \le x \le a_2; \\[6pt] \dfrac{a_3 - x}{a_3 - a_2}, & \text{if } a_2 \le x \le a_3; \\[6pt] 0, & \text{otherwise.} \end{cases} \qquad (1)$$

where $a_1$, $a_2$, $a_3$ are real numbers with $a_1 \le a_2 \le a_3$. The value $x = a_2$ gives the maximum grade $\mu_{\tilde{a}}(x) = 1$; it is the most probable value of the evaluation data. The values $x = a_1$ and $x = a_3$ give the minimal grade $\mu_{\tilde{a}}(x) = 0$; they are the smallest and largest possible values of the evaluation data. The constants $a_1$ and $a_3$ thus bound the region in which the evaluation data lies and express the fuzziness of the evaluation data: the narrower the interval $[a_1, a_3]$, the lower the fuzziness of the evaluation [36].

A. The distance between triangular fuzzy numbers.

Let $\tilde{a} = (a_1, a_2, a_3)$ and $\tilde{b} = (b_1, b_2, b_3)$ be two triangular fuzzy numbers. The distance between them can be calculated as:

$$d(\tilde{a}, \tilde{b}) = \sqrt{\frac{1}{3}\left[(a_1 - b_1)^2 + (a_2 - b_2)^2 + (a_3 - b_3)^2\right]} \qquad (2)$$

B. Linguistic variables.

A linguistic variable is a variable whose values are linguistic terms, each represented by a fuzzy number in triangular form. In fuzzy set theory, conversion scales are applied to transform the linguistic terms into fuzzy numbers. In this article we apply a scale of 0-10 for rating the criteria and the alternatives; the linguistic variable ratings for the criteria and the alternatives are given in Tables 2 and 3.

The triangular fuzzy numbers we have selected for the linguistic variables take the fuzziness into account, and Equation 2 above defines the distance between them. The intervals are selected so as to give a uniform representation from 0 to 10 for the triangular fuzzy numbers used for the linguistic ratings. For instance, we can use (0.0-3.9) to represent Low, (4.0-6.9) Medium and (7.0-10.0) High. The rating scale need not start at 0; it might start at 5, since the normalization step takes care of such a shift of the scale. The accepted practice in the literature is to begin rating scales at 1.

3.2. Description of the Problem

Given $P$ options (alternatives) $A_i$, $i = 1, \ldots, P$, each evaluated against $m$ criteria $C_j$ with weights $w_j$, $j = 1, \ldots, m$, the performance values $x_{ij}$ are positive real numbers. The best option should be selected from the decision matrix:

$$\begin{array}{c|cccc}
 & C_1 & C_2 & \cdots & C_m \\
\text{weights} & w_1 & w_2 & \cdots & w_m \\ \hline
A_1 & x_{11} & x_{12} & \cdots & x_{1m} \\
A_2 & x_{21} & x_{22} & \cdots & x_{2m} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
A_P & x_{P1} & x_{P2} & \cdots & x_{Pm}
\end{array}$$


4. Proposed Fuzzy TOPSIS Method for Network Forensics

1. A panel of five Decision Makers (DMs) is formed to identify the evaluation criteria.

2. Each DM indicates the importance level (weight) of each criterion using linguistic variables.

3. The ratings of the alternatives with respect to each criterion are evaluated using linguistic rating variables.

4. A fuzzy multi-criteria group decision matrix is constructed, consisting of the crisp values of the alternatives against the criteria. The crisp value $C_{val}$ of a triangular fuzzy number $(a_1, a_2, a_3)$ is computed by graded mean integration as:

$$C_{val} = \frac{a_1 + 4a_2 + a_3}{6} \qquad (3)$$

5. The normalized decision matrix is constructed. For $n$ alternatives, the normalized value of the crisp entry $f_{ij}$ (alternative $i$, criterion $j$) is computed as:

$$N_{val}(f_{ij}) = \frac{f_{ij}}{\sqrt{\sum_{i=1}^{n} f_{ij}^{2}}} \qquad (4)$$

6. The weighted normalized decision matrix is constructed. The weighted normalized value $V_{ij}$ is computed as:

$$V_{ij} = w_j \times N_{val}(f_{ij}) \qquad (5)$$

7. The Positive Ideal Solution (best value on each criterion) and the Negative Ideal Solution (worst value on each criterion) are determined from the weighted normalized decision matrix. In the equations below, $F_1$ is the set of benefit criteria, for which larger values are better, and $F_2$ is the set of cost criteria, for which smaller values are better:

$$P^{*+} = \left\{ \max_{1 \le i \le n} V_{ij} \;\middle|\; j \in F_1 \right\} \cup \left\{ \min_{1 \le i \le n} V_{ij} \;\middle|\; j \in F_2 \right\} \qquad (6)$$

$$P^{*-} = \left\{ \min_{1 \le i \le n} V_{ij} \;\middle|\; j \in F_1 \right\} \cup \left\{ \max_{1 \le i \le n} V_{ij} \;\middle|\; j \in F_2 \right\} \qquad (7)$$

Then the Euclidean distance of each alternative from the positive ideal solution and from the negative ideal solution is calculated:

$$\alpha^{+}(A_i) = \sqrt{\sum_{j=1}^{m} \left(V_{ij} - P_j^{*+}\right)^2} \qquad (8)$$

$$\alpha^{-}(A_i) = \sqrt{\sum_{j=1}^{m} \left(V_{ij} - P_j^{*-}\right)^2} \qquad (9)$$

8. The relative closeness coefficient of each alternative is computed as:

$$RCCR(A_i) = \frac{\alpha^{-}(A_i)}{\alpha^{+}(A_i) + \alpha^{-}(A_i)} \qquad (10)$$

and the alternatives are ranked in descending order of $RCCR$.


4.1. Working example

Fig. 1. Methodology of the working example

Recently the Advanced Security Engineering Group (ASERG) lab of the COMSATS Institute of Information Technology, Islamabad conducted forensics investigations of certain network attacks. Three attacks are assessed here as alternatives, namely the Distributed Computing Environment Remote Procedure Call (DCERPC) attack, the Microsoft SQL (MSSQL) attack, and the server-side Local File Inclusion (LFI) and Remote File Inclusion (RFI) attacks. For convenience, let $A = \{A_1, A_2, A_3\}$ be the set of the three alternatives, in which $A_1$ represents the DCERPC attack, $A_2$ the MSSQL attack and $A_3$ the local and remote file inclusion attacks. A team of four experts was formed; we call them DMs, $DM = \{d_1, d_2, d_3, d_4\}$, and they are responsible for rating or grading the attacks. Suppose a network forensics examiner wants to select the best member of the three alternatives $A$. The examiner's decision is based on five main criteria, potential damage, reproducibility, exploitability, affected users and discoverability, which are used in rating the attacks. The DMs evaluate the alternatives using a self-designed questionnaire on which exactly one of the linguistic variables L, M or H is marked for each evaluation index, where 0.0-3.9 is Low (L), 4.0-6.9 is Medium (M) and 7.0-10.0 is High (H). Table 1 shows the description of the rating.

A. Description of alternative $A_1$ (DCERPC vulnerability MS08-067, buffer overflow)

This vulnerability could permit remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows Server systems an unauthenticated attacker could exploit the vulnerability to run arbitrary code, and it could be used in a wormable exploit [38].

B. Description of alternative $A_2$ (MSSQL vulnerability, OSQL-32)

In our forensics investigation the attacker sent, along with the payload, a script creating a new OSQL job named "cook.exe". Cook.exe is a trojan that attacks any version of Windows and can spread rapidly over the Internet; it can also encrypt some files on the affected system. It can deceive the victim through scams, and it has the ability to change the victim's settings and provide remote access to the attacker.

C. Description of alternative $A_3$ (RFI and LFI vulnerability)

Remote File Inclusion (RFI) is an attack targeted at the servers that run web sites and their applications. It abuses functions used to include a file when the file name is taken from user input, such as an HTTP GET variable, so that the attacker can make the application include and execute a file hosted on a malicious site. In a Local File Inclusion (LFI) vulnerability the code executed by the attacker is not on a remote server but on the victim server itself.

D. Description of the criteria.

The details of these criteria are as follows [5]:

D1. Potential Damage (C1): if the threat occurs, how much damage will be caused. C1 contains the following: C11 - nothing is affected; C12 - individual user data is compromised or affected; C13 - complete system or data destruction.

D2. Reproducibility (C2): how easy is it to reproduce this threat. C2 contains the following: C21 - very hard or impossible, even for administrators of the application; C22 - one or two steps required, may need to be an authorized user; C23 - just a web browser and the address bar are sufficient, without authentication.

D3. Exploitability (C3): what is needed to exploit this threat. C3 contains the following: C31 - advanced programming and networking knowledge with custom or advanced attack tools; C32 - malware exists on the Internet, or the exploit is easily performed using available attack tools; C33 - just a web browser.

D4. Affected Users (C4): how many users will be affected. C4 contains the following: C41 - none; C42 - some users but not all; C43 - all users.

D5. Discoverability (C5): how easy is it to discover this threat. C5 contains the following: C51 - very hard to impossible, requires source code or administrative access; C52 - can be figured out by guessing or by monitoring network traces; C53 - details of faults like this are already in the public domain and can easily be discovered using a search engine; C54 - the information is visible in the web browser address bar or in a form.

The attributes C1, C3 and C4 are benefit type attributes, while C2 and C5 are cost type attributes.

Linguistic Variable   Definition
High                  Vulnerabilities are labelled "High" severity if they have a CVSS base score of 7.0-10.0.
Medium                Vulnerabilities are labelled "Medium" severity if they have a CVSS base score of 4.0-6.9.
Low                   Vulnerabilities are labelled "Low" severity if they have a CVSS base score of 0.0-3.9.

Table 1. Vulnerability Rating System of NVD [37]

Linguistic Expression   Fuzzy Number
Low (L)                 (0.0, 1.8, 3.9)
Medium (M)              (4.0, 5.5, 6.9)
High (H)                (7.0, 8.5, 10.0)

Table 2. Linguistic Variable Ratings.

Linguistic Expression   Fuzzy Number
Low (L)                 (0.0, 0.18, 0.39)
Medium (M)              (0.40, 0.55, 0.69)
High (H)                (0.70, 0.85, 1.0)

Table 3. Linguistic Variables for the Importance Weights of the Criteria.

The fuzzy TOPSIS method is then applied using the steps described in Section 4.

Step 1. The DMs use the linguistic variables to evaluate the importance of each criterion. The resulting weights are $w_1 = 0.5$, $w_2 = 0.1$, $w_3 = 0.2$, $w_4 = 0.1$ and $w_5 = 0.1$; hence $\sum_{j=1}^{n} w_j = 1$.


Step 2. For each network attack, the DMs use the linguistic variables shown in Table 2 to produce fuzzy or crisp performance ratings against each criterion.

Criterion   Alternative   D1   D2   D3   D4
C1          A1            H    H    H    L
            A2            H    H    H    H
            A3            H    H    H    M
C2          A1            L    M    M    M
            A2            M    H    H    H
            A3            M    M    H    L
C3          A1            L    M    H    H
            A2            L    H    H    H
            A3            H    H    H    H
C4          A1            H    M    M    M
            A2            H    H    H    H
            A3            M    M    M    M
C5          A1            H    H    H    H
            A2            H    H    H    H
            A3            H    H    H    M

Table 4. Ratings by DMs with Respect to Criteria.

Step 3. By applying Equation 2, the aggregate ratings of the network attacks with respect to the five criteria are computed as:

      C1                  C2                  C3                  C4                  C5
A1    (0.39, 0.33, 0.28)  (0.95, 0.00, 0.05)  (0.11, 0.35, 0.54)  (0.91, 0.08, 0.01)  (0.36, 0.16, 0.48)
A2    (0.54, 0.34, 0.12)  (0.70, 0.10, 0.20)  (0.47, 0.02, 0.51)  (0.22, 0.27, 0.51)  (0.19, 0.02, 0.79)
A3    (0.13, 0.58, 0.29)  (0.27, 0.49, 0.24)  (0.31, 0.68, 0.01)  (0.04, 0.72, 0.24)  (0.08, 0.46, 0.46)

Table 5. Aggregate Decision Matrix.

Step 4. Using Equation 3, the fuzzy MCDM group matrix consisting of the crisp values of the alternatives against the criteria is calculated:

      C1     C2     C3     C4     C5
A1    0.36   0.64   0.22   0.62   0.35
A2    0.44   0.52   0.40   0.28   0.27
A3    0.23   0.30   0.32   0.19   0.21

Table 6. Crisp Values of the Criteria and Alternatives.

Step 5. Construct the normalized decision matrix using Equation 4:

      C1       C2       C3       C4       C5
A1    0.5869   0.7293   0.3946   0.8778   0.7153
A2    0.7174   0.5926   0.7175   0.3964   0.5518
A3    0.3750   0.3419   0.5739   0.2690   0.4292

Table 7. Normalized Decision Matrix.

Step 6. Construct the weighted normalized decision matrix using Equation 5:

      C1        C2        C3        C4        C5
A1    0.29345   0.07293   0.07892   0.08778   0.07153
A2    0.35870   0.05926   0.14350   0.03964   0.05518
A3    0.18750   0.03419   0.11478   0.02690   0.04292

Table 8. Weighted Normalized Decision Matrix.

Step 7. Using Equations 6 and 7, the PIS is taken as the maximum value of each criterion and the NIS as the minimum value of each criterion:

$$P^{*+} = \max_{1 \le i \le 3} V_{ij} = (0.35870, 0.07293, 0.14350, 0.08778, 0.07153)$$

$$P^{*-} = \min_{1 \le i \le 3} V_{ij} = (0.18750, 0.03419, 0.07892, 0.02690, 0.04292)$$

Note that taking the column maximum for every criterion treats all five criteria as benefit type; for the cost type criteria C2 and C5 identified in Section 4.1, Equations 6 and 7 would instead select the minimum for the PIS and the maximum for the NIS. We also calculate the Euclidean distance of each alternative from the PIS and the NIS using Equations 8 and 9:

Alternative   α+(Ai)   α−(Ai)
A1            0.092    0.131
A2            0.053    0.185
A3            0.190    0.036

Table 9. Euclidean Distances from the PIS and NIS Respectively.

Step 8. Obtain the relative closeness coefficient $RCCR_i$ of each alternative using Equation 10 to rank the network attack intrusions:

$RCCR_1 = 0.5874$, $RCCR_2 = 0.7773$ and $RCCR_3 = 0.1593$.
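The following Python block is an added example, not code from the paper. It implements the fuzzy-number definitions of Section 3.1 (membership function of Equation 1, distance of Equation 2, graded mean defuzzification of Equation 3) and Steps 5-8 of Section 4 as plain functions, and runs them on the crisp decision matrix of Table 6 with the Step 1 weights, so that Tables 7-9 and the RCCR values of Step 8 can be reproduced. The function names, the `cost_criteria` argument and the `__main__` demonstration are this example's own choices; the aggregation that produced Tables 5 and 6 from the linguistic votes of Table 4 is not reconstructed, so the block starts from the crisp values.

```python
from math import sqrt

# Table 2: linguistic ratings of alternatives as triangular fuzzy numbers (a1, a2, a3).
RATING_TFN = {"L": (0.0, 1.8, 3.9), "M": (4.0, 5.5, 6.9), "H": (7.0, 8.5, 10.0)}

# Table 6: crisp decision matrix, rows A1..A3, columns C1..C5.
CRISP = [
    [0.36, 0.64, 0.22, 0.62, 0.35],  # A1: DCERPC (MS08-067)
    [0.44, 0.52, 0.40, 0.28, 0.27],  # A2: MSSQL / OSQL job
    [0.23, 0.30, 0.32, 0.19, 0.21],  # A3: RFI / LFI
]
WEIGHTS = [0.5, 0.1, 0.2, 0.1, 0.1]  # Step 1; the weights sum to 1


def tfn_membership(tfn, x):
    """Eq. (1): grade of membership of x in the triangular fuzzy number tfn."""
    a1, a2, a3 = tfn
    if a1 <= x <= a2:
        return 1.0 if a2 == a1 else (x - a1) / (a2 - a1)
    if a2 <= x <= a3:
        return 1.0 if a3 == a2 else (a3 - x) / (a3 - a2)
    return 0.0


def tfn_distance(a, b):
    """Eq. (2): distance between two triangular fuzzy numbers."""
    return sqrt(sum((ai - bi) ** 2 for ai, bi in zip(a, b)) / 3.0)


def graded_mean(tfn):
    """Eq. (3): graded mean integration (a1 + 4*a2 + a3) / 6 gives the crisp value."""
    a1, a2, a3 = tfn
    return (a1 + 4.0 * a2 + a3) / 6.0


def topsis_rank(crisp, weights, cost_criteria=()):
    """Steps 5-8 of Section 4 on a crisp decision matrix (rows = alternatives).

    cost_criteria lists zero-based column indexes treated as cost type, for which
    Eqs. (6)-(7) take the column minimum as PIS and the maximum as NIS. The paper's
    worked example takes the maximum for every column, which is the default here.
    """
    n_crit = len(weights)
    # Eq. (4): vector normalisation, one norm per criterion column.
    norms = [sqrt(sum(row[j] ** 2 for row in crisp)) for j in range(n_crit)]
    normalized = [[row[j] / norms[j] for j in range(n_crit)] for row in crisp]
    # Eq. (5): weighted normalised matrix.
    weighted = [[weights[j] * r[j] for j in range(n_crit)] for r in normalized]
    # Eqs. (6)-(7): positive and negative ideal solutions per column.
    pis, nis = [], []
    for j in range(n_crit):
        col = [v[j] for v in weighted]
        hi, lo = max(col), min(col)
        pis.append(lo if j in cost_criteria else hi)
        nis.append(hi if j in cost_criteria else lo)
    # Eqs. (8)-(9): Euclidean separation of each alternative from PIS and NIS.
    d_plus = [sqrt(sum((v[j] - pis[j]) ** 2 for j in range(n_crit))) for v in weighted]
    d_minus = [sqrt(sum((v[j] - nis[j]) ** 2 for j in range(n_crit))) for v in weighted]
    # Eq. (10): relative closeness coefficient; a larger value means higher priority.
    cc = [dm / (dp + dm) if dp + dm > 0 else 0.0 for dp, dm in zip(d_plus, d_minus)]
    ranking = sorted(range(len(crisp)), key=lambda i: cc[i], reverse=True)
    return {"normalized": normalized, "weighted": weighted, "pis": pis, "nis": nis,
            "d_plus": d_plus, "d_minus": d_minus, "cc": cc, "ranking": ranking}


if __name__ == "__main__":
    # Eqs. (1)-(3) on the Table 2 terms, then the full ranking of Table 6.
    print("mu_M(5.5) =", tfn_membership(RATING_TFN["M"], 5.5))
    print("d(L, H)   =", round(tfn_distance(RATING_TFN["L"], RATING_TFN["H"]), 4))
    print("crisp(H)  =", round(graded_mean(RATING_TFN["H"]), 4))
    result = topsis_rank(CRISP, WEIGHTS)
    for i, (dp, dm, c) in enumerate(zip(result["d_plus"], result["d_minus"], result["cc"])):
        print(f"A{i + 1}: alpha+ = {dp:.3f}  alpha- = {dm:.3f}  RCCR = {c:.4f}")
    print("investigation priority:", " > ".join(f"A{i + 1}" for i in result["ranking"]))
```

With the default (all criteria treated as benefit type, exactly as Step 7 does) the block reproduces Tables 7-9; the paper rounds the distances to three decimals before applying Equation 10, so its RCCR values differ from the unrounded ones in the third decimal place. Calling `topsis_rank(CRISP, WEIGHTS, cost_criteria=(1, 4))` applies Equations 6 and 7 with C2 and C5 treated as cost type, as Section 4.1 labels them; for this data the priority order A2 > A1 > A3 is unchanged, but the coefficients move, which is the check a practitioner should run before trusting the ranking.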

5. Evaluation

5.1. Prioritizing Network Attacks using Dempster–Shafer Theory

Our second objective, after implementing the fuzzy TOPSIS method, is to prioritize the network attacks using relative belief values from Dempster–Shafer theory. Dempster–Shafer theory is an approach for combining evidence through the degree of belief derived from independent items of evidence [39]. Related work on DS theory can be found in [40, 41, 42, 43, 44, 45, 46, 47].


Fig. 2. Experimental results of Dempster Shafer Theory

The mass function $m(A)$ is the proportion of all evidence that supports exactly the element $A$ of the power set. A mass $m(\{a, b\})$ means there is evidence for $a \vee b$ that cannot be divided among the more specific beliefs in $a$ or in $b$. Each $m(A)$ lies between 0 and 1, the masses of all elements sum to 1, and the empty set receives no mass, $m(\emptyset) = 0$, since at least one hypothesis must be true. The belief in an element $A$ of the power set is the sum of the masses of the elements that are subsets of $A$ (including $A$ itself), and the plausibility of $A$, $pl(A)$, is the sum of the masses of all sets that intersect $A$:

$$bel(A) = \sum_{B \subseteq A} m(B), \qquad pl(A) = \sum_{B \cap A \neq \emptyset} m(B)$$

The frame of discernment $\theta$ is the set of all mutually exclusive hypotheses; its power set $2^{\theta}$ is the set of all possible subsets of $\theta$, over which the mass function is defined.

Fig. 3. Graph of the prioritize Alternatives


Fig. 4. Prioritizing effect in network attacks.

In Fig. 4, the highest belief value among the alternatives is $bc = 0.5$, representing the set $\{A_2, A_3\}$, followed by $abc = 0.3$, representing the set of all three alternatives. When one starts with the threats with the highest belief value, precision is high, meaning that more of the effort is devoted to those threats.
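The evidence combination described above, as an added Python example that is not part of the paper: it defines mass functions over the frame θ = {A1, A2, A3} of the three alternatives, combines two independent bodies of evidence with Dempster's rule of combination (the standard DS rule, normalizing by the conflict mass), and derives belief and plausibility for each alternative so that the alternatives can be ordered by belief. The two mass functions `M_TOPSIS` and `M_IDS` are constructed for illustration and are not the values behind Figs. 2-4; the function names are this example's own.

```python
from itertools import combinations

# Frame of discernment: the three mutually exclusive attack alternatives.
FRAME = frozenset({"A1", "A2", "A3"})

# Constructed mass functions (not the paper's data). Each maps a subset of the
# frame to the proportion of evidence that supports exactly that subset.
# Body of evidence 1, e.g. the TOPSIS ranking: strong support for A2, some for {A2, A3}.
M_TOPSIS = {frozenset({"A2"}): 0.4, frozenset({"A2", "A3"}): 0.3, FRAME: 0.3}
# Body of evidence 2, e.g. IDS alert volume: favours {A1, A2}, a little for A1 alone.
M_IDS = {frozenset({"A1"}): 0.1, frozenset({"A1", "A2"}): 0.5,
         frozenset({"A2", "A3"}): 0.2, FRAME: 0.2}


def powerset(frame):
    """All non-empty subsets of the frame; the empty set carries no mass."""
    items = sorted(frame)
    return [frozenset(c) for r in range(1, len(items) + 1) for c in combinations(items, r)]


def is_valid_mass(m, frame=FRAME, tol=1e-9):
    """Axioms: every focal set is a non-empty subset of the frame, masses in [0, 1], sum 1."""
    focal_ok = all(s and s <= frame for s in m)
    return focal_ok and all(0.0 <= v <= 1.0 for v in m.values()) and abs(sum(m.values()) - 1.0) < tol


def dempster_combine(m1, m2):
    """Dempster's rule: m(A) = sum over B∩C=A of m1(B)*m2(C), divided by (1 - K).

    K is the conflict mass, the product weight that lands on the empty set.
    Returns (combined mass function, K); raises if the evidence is totally conflicting.
    """
    raw, conflict = {}, 0.0
    for b, mb in m1.items():
        for c, mc in m2.items():
            inter = b & c
            if not inter:
                conflict += mb * mc
            else:
                raw[inter] = raw.get(inter, 0.0) + mb * mc
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: the two bodies of evidence are incompatible")
    return {s: v / (1.0 - conflict) for s, v in raw.items()}, conflict


def belief(m, a):
    """bel(A): total mass of the focal sets that are subsets of A (A itself included)."""
    return sum(v for s, v in m.items() if s <= a)


def plausibility(m, a):
    """pl(A): total mass of the focal sets that intersect A."""
    return sum(v for s, v in m.items() if s & a)


def prioritize(m, frame=FRAME):
    """Order the singleton alternatives by belief, ties broken by plausibility."""
    rows = [(alt, belief(m, frozenset({alt})), plausibility(m, frozenset({alt})))
            for alt in sorted(frame)]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


if __name__ == "__main__":
    combined, k = dempster_combine(M_TOPSIS, M_IDS)
    print(f"conflict K = {k:.3f}")
    for subset in powerset(FRAME):
        if subset in combined:
            print(f"m({'+'.join(sorted(subset))}) = {combined[subset]:.3f}")
    for alt, bel, pl in prioritize(combined):
        print(f"{alt}: bel = {bel:.3f}  pl = {pl:.3f}  (uncertainty {pl - bel:.3f})")
```

The gap between plausibility and belief for each alternative is the part of the evidence that is still undivided, so an alternative with a high belief and a small gap is the one the examiner can devote effort to with the most confidence; a large conflict mass K is the signal that the two bodies of evidence disagree and that the combined ordering should not be trusted without a closer look at the sources.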

The results of the various TOPSIS calculation steps are shown in Tables 5-9. The closeness coefficients $RCCR_i$ of the three alternatives $A_1$, $A_2$ and $A_3$ come out as 0.5874, 0.7773 and 0.1593 respectively, as shown in Fig. 3. The ranking order of the alternatives is therefore $A_2 > A_1 > A_3$; that is, $A_2$ is the best choice, given the criteria, to prioritize for further investigation. The closeness coefficient scores of the alternatives are numeric values and can be further utilized to indicate the degree of priority of each alternative, to facilitate further investigation, and to inform the human judgment about who perpetrated the attacks, what damage and losses the organization incurred, and what level of security measures needs to be in place to avoid a recurrence.

6. Conclusion and Discussion

The aim of the computation is to obtain similarity measures of the alternatives with respect to the ideal solutions. Computing the similarity measures and constructing the aggregate matrix takes O(m²) time [20]. The crisp criteria values can be obtained from the fuzzy values by the graded mean integration representation method, so there is a significant reduction in computation when crisp values are used in place of fuzzy values; that step can be completed in O(m·n) [20]. Considering the decision makers' different risk preferences in the proposed TOPSIS model would be an interesting point for future investigation.

To handle imprecise and incomplete information in the MCDM problem, this research employs the fuzzy TOPSIS method for the network attack risk selection problem in which several network forensics examiners hold different opinions during evaluation. Several applications of the fuzzy TOPSIS method exist in the literature for other domains; however, the existing fuzzy TOPSIS methods did not consider decision making risk in the context of network attacks. In this research we proposed a fuzzy TOPSIS method for network forensics investigation.

Linguistic terms represented by triangular fuzzy numbers are used to evaluate the weights of the criteria and to rate or rank each alternative network attack with respect to the various criteria. We converted the decision matrix into a fuzzy decision matrix and, once the decision makers' fuzzy ratings had been pooled, constructed a weighted fuzzy decision matrix. The fuzzy distance was applied to obtain the PIS and NIS as crisp values. Using the fuzzy TOPSIS approach, we computed the similarity of each alternative to the PIS and to the NIS in terms of its distance from each.


Finally, the closeness coefficient of each alternative was defined to determine the priority of all the alternatives. A higher closeness coefficient indicates that an alternative is simultaneously close to the positive ideal solution and distant from the negative ideal solution. A numerical experimental illustration was used to examine the applicability of the proposed approach. The results of the evaluation indicate that the high belief values provided by Dempster-Shafer theory give a consistent prioritization of the network attack alternatives. In future work we shall compare our method with other existing MCDM techniques for further evaluation.
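The procedure summarised above (triangular fuzzy ratings pooled across decision makers, a weighted normalised fuzzy decision matrix, distances to the fuzzy PIS and NIS, and the closeness coefficient CC_j = d_j^- / (d_j^+ + d_j^-)), as an added worked example that is not the paper's own code. It follows the widely used vertex-distance variant of fuzzy TOPSIS (Chen, 2000) with FPIS = (1, 1, 1) and FNIS = (0, 0, 0) on every criterion, which is one common choice and not necessarily the exact distance and defuzzification steps of the paper. The five-term linguistic scale, the criteria C1..C4, the three decision makers' ratings and the criterion weights are all constructed, so the closeness coefficients differ from the paper's 0.5874, 0.7773 and 0.1593, although the constructed data were chosen so that the ranking is again A2 > A1 > A3.

```python
"""Fuzzy TOPSIS with triangular fuzzy numbers (TFNs), vertex-distance variant.

Added worked example, not the paper's code or data. Alternatives A1..A3 follow the
paper; the five-term linguistic scale, criteria C1..C4, the three decision makers'
ratings and the criterion weights are constructed, so the closeness coefficients
do not reproduce the paper's tables 5-9.
"""
from math import sqrt

# Linguistic scale mapped to TFNs (l, m, u); a common five-term scale (assumption).
SCALE = {
    "VL": (0.0, 0.0, 0.25),
    "L": (0.0, 0.25, 0.5),
    "M": (0.25, 0.5, 0.75),
    "H": (0.5, 0.75, 1.0),
    "VH": (0.75, 1.0, 1.0),
}
ALTERNATIVES = ["A1", "A2", "A3"]
CRITERIA = ["C1", "C2", "C3", "C4"]        # constructed; the paper's criteria live in its tables
IS_BENEFIT = [True, True, True, True]      # assumption: a higher rating means higher urgency

# Constructed ratings, one linguistic term per decision maker (DM1, DM2, DM3).
DM_RATINGS = {
    "A1": {"C1": ["M", "H", "M"], "C2": ["H", "M", "M"], "C3": ["M", "M", "H"], "C4": ["M", "H", "H"]},
    "A2": {"C1": ["VH", "H", "VH"], "C2": ["VH", "VH", "VH"], "C3": ["H", "VH", "H"], "C4": ["VH", "H", "VH"]},
    "A3": {"C1": ["L", "VL", "L"], "C2": ["VL", "L", "L"], "C3": ["L", "L", "VL"], "C4": ["L", "L", "L"]},
}
# Constructed criterion weights from the same three decision makers.
DM_WEIGHTS = {"C1": ["H", "VH", "H"], "C2": ["M", "H", "M"], "C3": ["VH", "VH", "H"], "C4": ["H", "H", "M"]}


def aggregate(tfns):
    """Pool the decision makers' TFNs into one: (min of l, mean of m, max of u)."""
    ls, ms, us = zip(*tfns)
    return (min(ls), sum(ms) / len(ms), max(us))


def tfn_distance(a, b):
    """Vertex distance between two TFNs."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / 3.0)


def fuzzy_topsis(ratings, weights, is_benefit):
    """ratings[i][j], weights[j]: aggregated TFNs. Returns CC_i = d_i^- / (d_i^+ + d_i^-)
    per alternative, with FPIS = (1,1,1) and FNIS = (0,0,0) on every criterion."""
    n_alt, n_crit = len(ratings), len(weights)
    fpis, fnis = (1.0, 1.0, 1.0), (0.0, 0.0, 0.0)
    norm = [[None] * n_crit for _ in range(n_alt)]
    for j in range(n_crit):                      # column-wise linear normalisation
        col = [ratings[i][j] for i in range(n_alt)]
        if is_benefit[j]:
            u_star = max(u for _, _, u in col)
            for i, (l, m, u) in enumerate(col):
                norm[i][j] = (l / u_star, m / u_star, u / u_star)
        else:                                    # cost criterion: smaller is better
            if any(l <= 0.0 for l, _, _ in col):
                raise ValueError("cost criterion needs strictly positive lower bounds")
            l_minus = min(l for l, _, _ in col)
            for i, (l, m, u) in enumerate(col):
                norm[i][j] = (l_minus / u, l_minus / m, l_minus / l)
    cc = []
    for i in range(n_alt):
        d_plus = d_minus = 0.0
        for j in range(n_crit):
            v = tuple(x * w for x, w in zip(norm[i][j], weights[j]))   # weighted normalised TFN
            d_plus += tfn_distance(v, fpis)
            d_minus += tfn_distance(v, fnis)
        cc.append(d_minus / (d_plus + d_minus))
    return cc


def prioritize(dm_ratings=DM_RATINGS, dm_weights=DM_WEIGHTS, is_benefit=IS_BENEFIT):
    """Aggregate the linguistic ratings, run fuzzy TOPSIS, return [(alternative, CC)] best first."""
    ratings = [[aggregate([SCALE[t] for t in dm_ratings[a][c]]) for c in CRITERIA] for a in ALTERNATIVES]
    weights = [aggregate([SCALE[t] for t in dm_weights[c]]) for c in CRITERIA]
    cc = fuzzy_topsis(ratings, weights, is_benefit)
    return sorted(zip(ALTERNATIVES, cc), key=lambda p: p[1], reverse=True)


if __name__ == "__main__":
    for alt, c in prioritize():
        print(alt, round(c, 4))
```

The ordering by CC_j is only as stable as the normalisation behind it: because each column is divided by its own maximum, appending or dropping an alternative can change every coefficient and occasionally the relative order of the survivors, so recompute the coefficients for the full current set of attacks rather than reusing values from an earlier run.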

References

[1] Al-Mousa, Z. A., "Honeypots Aiding Network Forensics: Challenges and Notions", Journal of Communications, vol. 8, no. 11, pp. 700-707, (2013).

[2] Omaji Samuel, Amir Hayat, Sidra Malik, Ali Hur, Masoom Alam, "Correlating Evidence from Honeypot and NIDS for Improved Network Forensics", unpublished article, (2015).

[3] OWASP, Threat Risk Modeling, http://www.owasp.org/index.php/ThreatRiskModeling, accessed online (2015).

[4] Bruni Romero, Marianella Villegas, Marina Meza, "Simon's Intelligence Phase for Security Risk Assessment in Web Applications", IEEE Fifth International Conference on Information Technology: New Generations, (2008).

[5] Ram Mohan R. K., Durgesh Pant, "A Threat Risk Modelling Framework for Geospatial Weather Information System (GWIS): A DREAD Based Study", (IJACSA) International Journal of Advanced Computer Science and Applications, 3, (2010).

[6] Almulhem, Ahmad, "Network Forensics: Notions and Challenges", 2009 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT), pp. 463-466, (2009).

[7] Nasir, Qassim; Al-Mousa, Zahraa A., "Honeypots Aiding Network Forensics: Challenges and Notions", Journal of Communications, vol. 8, no. 11, (2013).

[8] Marcus Ranum, "Network Forensics: Network Traffic Monitoring", technical report, Network Flight Recorder Inc., (1998).

[9] Simson Garfinkel, "Web Security, Privacy and Commerce", 2nd edition, http://www.oreillynet.com/pub/a/network/2002/04/26/nettap.html, accessed online (2015).

[10] Davidoff, Sherri; Ham, Jonathan, "Network Forensics: Tracking Hackers through Cyberspace", Prentice Hall, (2012).

[11] Hwang, C. L., Yoon, K., "Multiple Attribute Decision Making: Methods and Applications", Springer, Berlin Heidelberg, (1981).

[12] Tsaur, S. H., Chang, T. Y., Yen, C. H., "The Evaluation of Airline Service Quality by Fuzzy MCDM", Tourism Management, 23, pp. 107-115, (2002).

[13] Deng, H., Yeh, C. H., Willis, R. J., "Inter-Company Comparison using Modified TOPSIS with Objective Weights", Computers and Operations Research, 22, pp. 963-973, (2000).

[14] Wang, R. C., Liang, T. F., "Application of Fuzzy Multi-Objective Linear Programming to Aggregate Production Planning", Computers and Industrial Engineering, 46, pp. 17-41, (2004).

[15] Chu, T. C., "Facility Location Selection using Fuzzy TOPSIS under Group Decisions", International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(6), pp. 687-701, (2002).

[16] Abo-Sinna, M. A., Amer, A. H., "Extensions of TOPSIS for Multi-Objective Large-Scale Nonlinear Programming Problems", Applied Mathematics and Computation, (2004).

[17] Soroush Saghafian, S. Reza Hejazi, "Multi-Criteria Group Decision Making using a Modified Fuzzy TOPSIS Procedure", Proceedings of the 2005 International Conference on Computational Intelligence for Modelling, Control and Automation, (2005).

[18] Deepa Joshi, Sanjay Kumar, "Intuitionistic Fuzzy Entropy and Distance Measure Based TOPSIS Method for Multi-Criteria Decision Making", Egyptian Informatics Journal, (2014).

[19] Golam Kabir, M. Ahsan Akhtar Hasin, "Comparative Analysis of TOPSIS and Fuzzy TOPSIS for the Evaluation of Travel Website Service Quality", International Journal for Quality Research, (2012).

[20] Chi-Chun, L., Ding-Yuan, C., Chen-Fang, T., Kuo-Ming, C., "Service Selection Based on Fuzzy TOPSIS Method", 24th International Conference on Advanced Information Networking and Applications Workshops, (2010).

[21] Yin Wang, Gi-Tae Yeo, Adolf K. Y., "Choosing Optimal Bunkering Ports for Liner Shipping Companies: A Hybrid Fuzzy-Delphi-TOPSIS Approach", Transport Policy, pp. 358-365, (2014).

[22] Satar M., Kourosh S., Akbar E., "Human Health and Safety Risk Management in Underground Coal Mines using Fuzzy TOPSIS", Science of the Total Environment, pp. 85-99, (2014).

[23] Dewangan S., Gangopadhyay S., Biswas C. K., "Study of Surface Integrity and Dimensional Accuracy in EDM using Fuzzy TOPSIS and Sensitivity Analysis", Measurement, pp. 364-376, (2015).

[24] Ksenija Mandic, Boris Delibasic, Snezana Knezevic, Sladjana Benkovic, "Analysis of Financial Parameters of Serbian Banks through the Application of Fuzzy AHP and TOPSIS Method", Economic Modelling, pp. 30-37, (2014).

[25] Devika Kannan, Ana Beatriz Lopes de Sousa Jabbour, Charbel Jose Chiappetta Jabbour, "Selecting Green Suppliers Based on GSCM Practices: Using Fuzzy TOPSIS Applied to a Brazilian Electronics Company", European Journal of Operational Research, 233, pp. 432-447, (2014).

[26] Ewa Roszkowska, Tomasz Wachowicz, "Application of Fuzzy TOPSIS to Scoring the Negotiation Offers in Ill-Structured Negotiation Problems", European Journal of Operational Research, 242, pp. 920-932, (2015).

[27] Yeonjoo Kim, Eun-Sung Chung, Sung-Mook Jun, Sang Ug Kim, "Prioritizing the Best Sites for Treated Wastewater Instream Use in an Urban Watershed using Fuzzy TOPSIS", Resources, Conservation and Recycling, 73, pp. 23-32, (2013).

[28] Gyumin Lee, Kyung Soo Jun, Eun-Sung Chung, "Robust Spatial Flood Vulnerability Assessment for Han River using Fuzzy TOPSIS with α-cut Level Sets", Expert Systems with Applications, 41, pp. 644-654, (2014).

[29] Chunguang Bai, Dileep Dhavale, Joseph Sarkis, "Integrating C-means and TOPSIS for Performance Evaluation: An Application and Comparative Analysis", Expert Systems with Applications, 41, pp. 4186-4196, (2014).

[30] Ümran Şengül, Miraç Eren, Seyedhadi Eslamian Shiraz, Volkan Gezder, Ahmet Bilal Şengül, "Fuzzy TOPSIS Method for Ranking Renewable Energy Supply Systems in Turkey", Renewable Energy, 75, pp. 617-625, (2015).

[31] Osman Taylan, Abdallah O. B., Reda M. S. A., Mohammed R. K., "Construction Projects Selection and Risk Assessment by Fuzzy AHP and Fuzzy TOPSIS Methodologies", Applied Soft Computing, 17, pp. 105-116, (2014).

[32] Tabasam Rashid, Ismat Beg, Syed M. H., "Robot Selection by using Generalized Interval-Valued Fuzzy Numbers with TOPSIS", Applied Soft Computing, 21, pp. 462-468, (2014).

[33] Xiaolu Zhang, Zeshui Xu, "Soft Computing Based on Maximizing Consensus and Fuzzy TOPSIS Approach to Interval-Valued Intuitionistic Fuzzy Group Decision Making", Applied Soft Computing, 26, pp. 42-56, (2015).

[34] Xiuzhi Sang, Xinwang Liu, Jindong Qin, "An Analytical Solution to Fuzzy TOPSIS and its Application in Personnel Selection for Knowledge-Intensive Enterprise", Applied Soft Computing, 30, pp. 190-204, (2015).

[35] Fei Ye, Yina Li, "An Extended TOPSIS Model Based on the Possibility Theory under Fuzzy Environment", Knowledge-Based Systems, 67, pp. 263-269, (2014).

[36] Iraj Mahdavi, Nezam Mahdavi-Amiri, Armaghan Heidarzade, Rahele Nourifar, "Designing a Model of Fuzzy TOPSIS in Multiple Criteria Decision Making", Applied Mathematics and Computation, 206, pp. 607-617, (2008).

[37] Qixu Liu, Yuqing Zhang, "VRSS: A New System for Rating and Scoring Vulnerabilities", Computer Communications, 34, pp. 264-273, (2011).

[38] MS-RPCE: Remote Procedure Call Protocol Extensions, https://msdn.microsoft.com/en-us/library/cc243560.aspx, accessed online (2015).

[39] Yager, Ronald R., "On the Dempster-Shafer Framework and New Combination Rules", Information Sciences, vol. 41, pp. 93-137, (1987).

[40] Zomlot, Loai; Sundaramurthy, Sathya Chandran; Luo, Kui; Ou, Xinming; Rajagopalan, S. Raj, "Prioritizing Intrusion Analysis using Dempster-Shafer Theory", Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence, pp. 59-70, (2011).

[41] Tang, Hongxiang, "A Novel Fuzzy Soft Set Approach in Decision Making Based on Grey Relational Analysis and Dempster-Shafer Theory of Evidence", Applied Soft Computing, vol. 31, pp. 317-325, (2015).

[42] Yue, Feng; Zhang, Guofu; Su, Zhaopin; Lu, Yang; Zhang, Ting, "Multi-Software Reliability Allocation in Multimedia Systems with Budget Constraints using Dempster-Shafer Theory and Improved Differential Evolution", Neurocomputing, (2015).

[43] Mondéjar-Guerra, V. M.; Muñoz-Salinas, R.; Marín-Jiménez, M. J.; Carmona-Poyato, A.; Medina-Carnicer, R., "Keypoint Descriptor Fusion with Dempster-Shafer Theory", International Journal of Approximate Reasoning, vol. 60, pp. 57-70, (2015).

[44] Dutta, Palash, "Uncertainty Modeling in Risk Assessment Based on Dempster-Shafer Theory of Evidence with Generalized Fuzzy Focal Elements", Fuzzy Information and Engineering, vol. 7, no. 1, pp. 15-30, (2015).

[45] Li, Zhaowen; Wen, Guoqiu; Xie, Ningxin, "An Approach to Fuzzy Soft Sets in Decision Making Based on Grey Relational Analysis and Dempster-Shafer Theory of Evidence: An Application in Medical Diagnosis", Artificial Intelligence in Medicine, (2015).

[46] Sevastjanov, Pavel; Dymova, Ludmila, "Generalised Operations on Hesitant Fuzzy Values in the Framework of Dempster-Shafer Theory", Information Sciences, vol. 311, pp. 39-58, (2015).

[47] Coppolino, Luigi; D'Antonio, Salvatore; Formicola, Valerio; Massei, Carmine; Romano, Luigi, "Use of the Dempster-Shafer Theory for Fraud Detection: The Mobile Money Transfer Case Study", Intelligent Distributed Computing VIII, Springer, pp. 465-474, (2015).