Automated Timeline-Based Forensic Report Generation with Anomaly Detection and LLM-Based CTI Mapping
| Published in: | Proceedings (IEEE Pacific Rim International Symposium on Dependable Computing), pp. 170 - 175 |
|---|---|
| Main authors: | Kim, Yongsik; Jun, Saehee; Jang, Junho; Kang Kim, Huy |
| Format: | Conference proceeding |
| Language: | English |
| Published: | IEEE, 03.11.2025 |
| ISSN: | 2473-3105 |
| Online access: | Full text |
| Abstract | Diverse vehicle forensics and in-vehicle intrusion detection studies have been effectively adopted in the vehicle domain. However, known vehicle forensic studies rarely comprise outputs that are directly usable for investigators; outputs can ideally be auditable, mapped with Cyber Threat Intelligence (CTI), and presented as a timeline-driven incident report. This gap between research outputs and practical requirements creates tangible difficulties in real-world investigations. When forensic analysis fails to yield usable results, investigators must revert to manual spreadsheets and makeshift documents, increasing time and operational costs. Furthermore, even when connections between evidence are established, improper structuring of the attack, such as failing to build a coherent timeline, compromises traceability. To address these challenges of manual analysis and inadequate traceability, we propose a DataBase CAN (DBC)-independent vehicle forensics framework. First, the framework processes raw data by reconciling clocks, normalizing multi-source evidence, and segmenting attacks into episodes using Isolation Forest and change-point detection. Finally, it utilizes a small LLM integrated with the Threat Report ATT&CK Mapper (TRAM) and Automotive Information Sharing and Analysis Center (Auto-ISAC) Automotive Threat Matrix (ATM) to automatically generate CTI-mapped, evidence-linked timeline reports. To demonstrate the robustness and versatility of our framework, we validated it against three diverse public datasets: the VeReMi dataset, the HCRL Car-Hacking dataset, and the OTIDS dataset. Our evaluation focused on three key metrics: timeline fidelity, detection and segmentation quality, and CTI mapping accuracy. The results confirmed that the framework successfully generates systematic reports, organizing observed attacks into evidence-linked timelines with CTI mappings. This approach enhances auditability and traceability, reduces the time to report, and ultimately makes the findings directly actionable for investigators. |
|---|---|
| Author | Kim, Yongsik; Jun, Saehee; Jang, Junho; Kang Kim, Huy |
| Author_xml | 1. Kim, Yongsik (a272714@korea.ac.kr), School of Cybersecurity, Korea University, Seoul, Korea; 2. Jun, Saehee (junsaehee@korea.ac.kr), School of Cybersecurity, Korea University, Seoul, Korea; 3. Jang, Junho (hkonly@korea.ac.kr), School of Cybersecurity, Korea University, Seoul, Korea; 4. Kang Kim, Huy (cenda@korea.ac.kr), School of Cybersecurity, Korea University, Seoul, Korea |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DOI | 10.1109/PRDC67299.2025.00031 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings; IEEE Xplore POP ALL; IEEE Xplore All Conference Proceedings; IEEE/IET Electronic Library (IEL) (UW System Shared); IEEE Proceedings Order Plans (POP All) 1998-Present |
| Discipline | Computer Science |
| EISBN | 9798331545130 |
| EISSN | 2473-3105 |
| EndPage | 175 |
| ExternalDocumentID | 11245111 |
| Genre | orig-research |
| IngestDate | Wed Dec 10 09:50:21 EST 2025 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| PublicationCentury | 2000 |
| PublicationDate | 2025-Nov.-3 |
| PublicationDateYYYYMMDD | 2025-11-03 |
| PublicationDecade | 2020 |
| PublicationTitle | Proceedings (IEEE Pacific Rim International Symposium on Dependable Computing) |
| PublicationTitleAbbrev | PRDC |
| PublicationYear | 2025 |
| Publisher | IEEE |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 170 |
| SubjectTerms | Anomaly detection; Automotive engineering; Cyber threat intelligence; Forensics; Information sharing; Intrusion detection; Large language models; Large language models (LLMs); Measurement; Robustness; Systematics; timeline-based forensic reporting; vehicle cyber forensics |
| Title | Automated Timeline-Based Forensic Report Generation with Anomaly Detection and LLM-Based CTI Mapping |
| URI | https://ieeexplore.ieee.org/document/11245111 |