Automated Timeline-Based Forensic Report Generation with Anomaly Detection and LLM-Based CTI Mapping

Diverse vehicle forensics and in-vehicle intrusion detections researches are effectively adopted to the vehicle domain. However, known vehicle forensic researches rarely comprise outputs that are directly usable for investigators; outputs can ideally be auditable, mapped with Cyber Threat Intelligen...

Celý popis

Uloženo v:
Podrobná bibliografie
Vydáno v:Proceedings (IEEE Pacific Rim International Symposium on Dependable Computing) s. 170 - 175
Hlavní autoři: Kim, Yongsik, Jun, Saehee, Jang, Junho, Kang Kim, Huy
Médium: Konferenční příspěvek
Jazyk:angličtina
Vydáno: IEEE 03.11.2025
Témata:
Anomaly detection
Automotive engineering
Cyber threat intelligence
Forensics
Information sharing
Intrusion detection
Large language models
Large language models (LLMs)
Measurement
Robustness
Systematics
timeline-based forensic reporting
vehicle cyber forensics
ISSN:2473-3105
On-line přístup:Získat plný text
Tagy: Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
Popis
Shrnutí:Diverse vehicle forensics and in-vehicle intrusion detections researches are effectively adopted to the vehicle domain. However, known vehicle forensic researches rarely comprise outputs that are directly usable for investigators; outputs can ideally be auditable, mapped with Cyber Threat Intelligence (CTI), and presented as a timeline-driven incident report. This gap between research outputs and practical requirements creates tangible difficulties in real-world investigations. When forensic analysis fails to yield usable results, investigators must revert to manual spreadsheets and makeshift documents, increasing time and operational costs. Furthermore, even when connections between evidence are established, improper structuring of the attack, such as failing to build a coherent timeline, compromises traceability. To address these challenges of manual analysis and inadequate traceability, we propose a DataBase CAN (DBC)-independent vehicle forensics framework. First, the framework processes raw data by reconciling clocks, normalizing multi-source evidence, and segmenting attacks into episodes using Isolation Forest and change-point detection. Finally, it utilizes a small LLM integrated with the Threat Report ATT&CK Mapper (TRAM) and Automotive Information Sharing and Analysis Center (Auto- ISAC) Automotive Threat Matrix (ATM) to automatically generate CTI-mapped, evidence-linked timeline reports. To demonstrate the robustness and versatility of our framework, we validated it against three diverse public datasets: the VeReMi dataset, the HCRL Car-Hacking dataset, and the OTIDS dataset. Our evaluation focused on three key metrics: timeline fidelity, detection and segmentation quality, and CTI mapping accuracy. The results confirmed that the framework successfully generates systematic reports, organizing observed attacks into evidence-linked timelines with CTI mappings. This approach enhances auditability and traceability, reduces the time to report, and ultimately makes the findings directly actionable for investigators.
ISSN:2473-3105
DOI:10.1109/PRDC67299.2025.00031