An Argumentation-Based Reasoner to Assist Digital Investigation and Attribution of Cyber-Attacks
arXiv - CS - Cryptography and Security. Pub Date: 2019-04-30, DOI: arxiv-1904.13173
Erisa Karafili, Linna Wang, Emil C. Lupu

We expect an increase in the frequency and severity of cyber-attacks, and with it a growing need for efficient security countermeasures. The process of attributing a cyber-attack helps to construct efficient and targeted mitigating and preventive security measures. In this work, we propose an argumentation-based reasoner (ABR) as a proof-of-concept tool that can help a forensics analyst during the analysis of forensic evidence and the attribution process. Given the evidence collected from a cyber-attack, our reasoner can assist the analyst during the investigation process by helping him/her to analyze the evidence and identify who performed the attack. Furthermore, it suggests to the analyst where to focus further analyses by giving hints about missing evidence or new investigation paths to follow. ABR is the first automatic reasoner that can combine both technical and social evidence in the analysis of a cyber-attack, and that can also cope with incomplete and conflicting information. To illustrate how ABR can assist in the analysis and attribution of cyber-attacks, we have used examples of cyber-attacks and their analyses as reported in publicly available reports and online literature. We do not mean to either agree or disagree with the analyses presented therein or to reach attribution conclusions.

Chinese translation:

An argumentation-based reasoner to assist the digital investigation and attribution of cyber-attacks

We expect that, alongside the need for effective security countermeasures, the frequency and severity of cyber-attacks will increase. The process of attributing a cyber-attack helps to build effective and targeted mitigating and preventive security measures. In this work, we propose an argumentation-based reasoner (ABR) as a proof-of-concept tool that can help a forensic analyst during the analysis of forensic evidence and the attribution process. Given the evidence collected from a cyber-attack, our reasoner can assist the analyst during the investigation, helping him/her analyze the evidence and determine who the attacker is. Furthermore, by pointing out missing evidence or new investigation paths to follow, it suggests to the analyst where to focus further analysis. ABR is the first automatic reasoner that can combine technical and social evidence in the analysis of a cyber-attack, and it can also handle incomplete and conflicting information. To illustrate how ABR can assist in the analysis and attribution of cyber-attacks, we have used examples of cyber-attacks and their analyses as reported in public reports and online literature. We do not intend to agree or disagree with the analyses presented therein or to reach attribution conclusions.
Updated: 2020-01-22