International Journal of Security and Its Applications
Vol. 10, No. 5 (2016), pp. 297-308
http://dx.doi.org/10.14257/ijsia.2016.10.5.28
ISSN: 2005-4262
Copyright ⓒ 2016 SERSC

Improving Analysis Phase in Network Forensics by Using Attack Intention Analysis

Mohammad Rasmi 1,* and Khaled E. Al-Qawasmi 2
1 Department of Software Engineering, 2 Department of Internet Technology
Zarqa University, Zarqa, 13132, Jordan
1 mmousa@zu.edu.jo, 2 kqawasmi@zu.edu.jo
* Mohammad Rasmi is the corresponding author.

Abstract

The increasing number of cyber crimes has motivated network forensics researchers to develop new techniques to analyze and investigate these crimes. Reconstructing useful evidence of a cyber crime is difficult because the processes of the analysis phase are vaguely defined. The analysis phase is challenging because it must provide detailed information on the intention and strategy of the attack. This paper aims to show the importance of reconstructing attack intentions in order to improve the analysis phase in network forensics. Intentions are identified through an algorithm called Attack Intention Analysis (AIA), which predicts cyber crime intentions by combining mathematical evidence theory with a probabilistic technique. In this paper, the attack intention model is improved to present the motivation behind cyber crimes. The results of comparing the attack intention analysis methods prove that the AIA algorithm is more accurate.

Keywords: Cyber Crime, Attack Evidence, Network Forensics, Attack Analysis, Attack Intention

1. Introduction

According to the McAfee Labs Threats Report of August 2015, the types of attackers and the resources available to them have expanded, which increases the sophistication of cyber crime, as shown in Figure 1 [1]. Nowadays, most organizations build their IT systems on new technologies such as cloud computing, the Internet of Things (IoT), and big data. Accordingly, cyber crime now affects many different types of networks and devices.

The analysis phase in network forensics involves determining the significance of the cyber crime data by drawing conclusions based on evidence of the cyber crime. It also supports the investigation phase: well-analyzed cyber crime evidence lets investigators reach an accurate decision and reduces the time and cost of the investigation process. However, the analysis phase should support the investigation phase by extracting useful evidence that clearly reveals the intentions and techniques of the attackers [2, 5]. Pilli et al. reported that feedback from the analysis phase can be used to improve security tools. However, according to Baryamureeba and Tushabe and to Pilli et al., the analysis phase faces many challenges and is improperly defined. The lack of network forensic standardization and expertise makes the analysis phase more difficult [3-7]. Furthermore, the amount of evidence collected from raw traffic has increased, so complex processes are essential to analyze all of the evidence [8]. Most techniques that work within an IDS, such as alert correlation and intrusion scenario, are also used in network forensics to understand and analyze cyber crime behavior. The drawback of most of these techniques is that they were created to prevent future attacks and minimize cyber crime damage; they were not developed specifically to analyze evidence in network forensics in order to resolve cyber crimes [4, 9, 10]. Therefore,