Lecture 5 - The University of Texas at Dallas
Download
Report
Transcript Lecture 5 - The University of Texas at Dallas
Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #5
Forensics Systems
September 5, 2007
Outline
Some developments
Review of Lectures 3 and 4
Lectures 5
- Types of Computer Forensics Systems
- Objective: Identify issues in corporate planning for
computer forensics
Tools for Digital Forensics
Assignment #1
Lab Tour
Some Developments
Internships positions available in commuter forensics with
DFW area FBI and Law Enforcement
Guest lectures are being arranged to be given by DFW FBI
and Law Enforcement
Dates to be given
Mid-term exam: week of October 9 or October 16
-
Review of Lectures 3 and 4
Lecture 3
- Forensics Technology
Military,
Law Enforcement, Business Forensics
Forensics Techniques
Finding Hidden Data, Spyware, Encryption, Data
Protection, Tracing, Data Mining
- Security Technologies
Wireless, Firewalls, Biometrics
APPENDIX: Data Mining
Lecture 4: Data Mining for Malicious Code Detection
-
-
Types of Computer Forensics Systems
Internet Security Systems
Intrusion Detection Systems
Firewall Security Systems
Storage Area Network Security Systems
Network disaster recovery systems
Public key infrastructure systems
Wireless network security systems
Satellite encryption security systems
Instant Messaging Security Systems
Net privacy systems
Identity management security systems
Identify theft prevention systems
Biometric security systems
Homeland security systems
Internet Security Systems
Security hierarchy
- Public, Private and Mission Critical data
- Unclassified, Confidential, Secret and TopSecret data
Security Policy
- Who gets access to what data
- Bell LaPadula Security Policy, Noninterference Policy
Access Control
- Role-based access control, Usage control
Encryption
- Public/private keys
- Secret payment systems
Directions
- Smart cards
Intrusion Detection Systems
An intrusion can be defined as “any set of actions that attempt to
compromise the integrity, confidentiality, or availability of a resource”.
Attacks are:
Intrusion detection systems are split into two groups:
Host-based attacks
Network-based attacks
Anomaly detection systems
Misuse detection systems
Use audit logs
-
Capture all activities in network and hosts.
But the amount of data is huge!
Our Approach: Overview
Training
Data
Class
Hierarchical
Clustering (DGSOT)
SVM Class Training
Testing
DGSOT: Dynamically growing self organizing tree
Testing Data
Our Approach: Hierarchical Clustering
Our Approach
Hierarchical clustering with SVM flow chart
Worm Detection: Introduction
-
What are worms?
Self-replicating program; Exploits software vulnerability on a victim;
Remotely infects other victims
Evil worms
Severe effect; Code Red epidemic cost $2.6 Billion
Automatic signature generation possible
EarlyBird System (S. Singh. -UCSD); Autograph (H. Ah-Kim. - CMU)
Goals of worm detection
Real-time detection
Issues
Substantial Volume of Identical Traffic, Random Probing
Methods for worm detection
Count number of sources/destinations; Count number of failed connection
attempts
Worm Types
Email worms, Instant Messaging worms, Internet worms, IRC worms, Filesharing Networks worms
Email Worm Detection using Data Mining
Task:
given some training instances of both
“normal” and “viral” emails,
induce a hypothesis to detect “viral” emails.
We used:
Naïve Bayes
SVM
Outgoing
Emails
The Model
Test data
Feature
extraction
Machine
Learning
Classifier
Training data
Clean or Infected ?
Firewall Security Systems
Firewall is a system or groups of systems that enforces an
access control policy between two networks
Benefits
Implements access control across networks
- Maintains logs that can be analyzed
Data mining for analyzing firewall logs and ensuring
policy consistency
Limitatations
- No security within the network
- Difficult to implement content based policies
- Difficult to protect against malicious code
Data driven attacks
-
Traffic Mining
To bridge the gap between what is written in the firewall policy rules
and what is being observed in the network is to analyze traffic and
log of the packets– traffic mining
Firewall
Policy Rule
Network traffic trend may show that some rules are outdated or not used recently
Firewall
Log File
Mining Log File
Using Frequency
Filtering
Rule
Generalization
Edit
Firewall Rules
Identify Decaying
&
Dominant Rules
Generic Rules
Traffic Mining Results
1: TCP,INPUT,129.110.96.117,ANY,*.*.*.*,80,DENY
2: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,80,ACCEPT
3: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,443,DENY
4: TCP,INPUT,129.110.96.117,ANY,*.*.*.*,22,DENY
5: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,22,ACCEPT
6: TCP,OUTPUT,129.110.96.80,ANY,*.*.*.*,22,DENY
7: UDP,OUTPUT,*.*.*.*,ANY,*.*.*.*,53,ACCEPT
8: UDP,INPUT,*.*.*.*,53,*.*.*.*,ANY,ACCEPT
9: UDP,OUTPUT,*.*.*.*,ANY,*.*.*.*,ANY,DENY
10: UDP,INPUT,*.*.*.*,ANY,*.*.*.*,ANY,DENY
11: TCP,INPUT,129.110.96.117,ANY,129.110.96.80,22,DENY
12: TCP,INPUT,129.110.96.117,ANY,129.110.96.80,80,DENY
13: UDP,INPUT,*.*.*.*,ANY,129.110.96.80,ANY,DENY
14: UDP,OUTPUT,129.110.96.80,ANY,129.110.10.*,ANY,DENY
15: TCP,INPUT,*.*.*.*,ANY,129.110.96.80,22,ACCEPT
16: TCP,INPUT,*.*.*.*,ANY,129.110.96.80,80,ACCEPT
17: UDP,INPUT,129.110.*.*,53,129.110.96.80,ANY,ACCEPT
18: UDP,OUTPUT,129.110.96.80,ANY,129.110.*.*,53,ACCEPT
Rule 1, Rule 2: ==>
GENRERALIZATION
Rule 1, Rule 16: ==>
CORRELATED
Rule 2, Rule 12: ==> SHADOWED
Rule 4, Rule 5: ==>
GENRERALIZATION
Rule 4, Rule 15: ==>
CORRELATED
Rule 5, Rule 11: ==> SHADOWED
Anomaly Discovery Result
Storage Area Network Security Systems
High performance networks that connects all the storage
systems
After as disaster such as terrorism or natural disaster
(9/11 or Katrina), the data has to be availability
- Database systems is a special kind of storage system
Benefits include centralized management, scalability
reliability, performance
Security attacks on multiple storage devices
- Secure storage is being investigated
-
Network Disaster Recovery Systems
Network disaster recovery is the ability to respond to an
interruption in network services by implementing a disaster
recovery palm
Policies and procedures have to be defined and subsequently
enforced
Which machines to shut down, determine which backup
servers to use, When should law enforcement be notified
Public Key Infrastructure Systems
A certificate authority that issues and verifies digital
certificates
A registration authority that acts as a verifier for the certificate
authority before a digital certificate is issued to a requester
One or more directories where the certificates with their
public keys are held
A certificate management systems
Digital Identity Management
Digital identity is the identity that a user has to access an
electronic resource
A person could have multiple identities
- A physician could have an identity to access medical
resources and another to access his bank accounts
Digital identity management is about managing the multiple
identities
- Manage databases that store and retrieve identities
- Resolve conflicts and heterogeneity
- Make associations
- Provide security
Ontology management for identity management is an
emerging research area
Digital Identity Management - II
Federated Identity Management
- Corporations work with each other across organizational
boundaries with the concept of federated identity
- Each corporation has its own identity and may belong to
multiple federations
Individual identity management within an organization
and federated identity management across organizations
Technologies for identity management
- Database management, data mining, ontology
management, federated computing
-
Identity Theft Management
Need for secure identity management
- Ease the burden of managing numerous identities
- Prevent misuse of identity: preventing identity theft
Identity theft is stealing another person’s digital identity
Techniques for preventing identity thefts include
- Access control, Encryption, Digital Signatures
- A merchant encrypts the data and signs with the public
-
key of the recipient
Recipient decrypts with his private key
Biometrics
Early Identication and Authentication (I&A) systems, were
based on passwords
Recently physical characteristics of a person are being used
for identification
- Fingerprinting
- Facial features
- Iris scans
- Voice recognition
- Facial expressions
Biometrics techniques will provide access not only to
computers but also to building and homes
Systems are vulnerable to attack e.g., Fake biometrics
Homeland Security Systems
Border and Transportation Security
- RFID technologies?
Emergency preparedness
- After an attack happens what actions are to be taken?
Chemical, Biological, Radiological and Nuclear security
- Sensor technologies
Information analysis and Infrastructure protection
- Data mining, security technologies
Other Types of Systems
Wireless security systems
- Protecting PDAs and phones against denial of service
and related attacks
Satellite encryption systems
- Pretty Good Privacy – PGP that uses RSA security
Instant messaging
- Deployment of instant messaging is usually not
controlled
- Should IM be blocked?
Net Privavacy
- Can we ensure privacy on the networks and systems
- Privacy preserving access?
Conclusion
We have discussed many types of forensics systems
These are systems that are secure, but can be
attacked
Security solutions include policy enforcement,
access control encryption, protecting against
malicious code
How can these systems be compromised and what
are the actions that need to be taken?
Open Source and Related Tools
http://www.opensourceforensics.org/tools/index.html
http://www.cerias.purdue.edu/research/forensics/
http://www.digital-evidence.org/papers/opensrc_legal.pdf
http://digitalforensics.ch/nikkel05b.pdf
http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf
http://www.vascan.org/webdocs/06confdocs/Day1-
TechnicalTrack-DONE/CrimJesseDigital%20Forensics.pdf
Assignment #1
Four exercises at the end of Chapters 1, 2, 3 and 4
Due date: September 24, 2007
You can read the answers at the back, but please try to
produce your own answers
Lab Tour and possible Programming projects
SAIAL: Security Analysis and Information Assurance
Laboratory
Develop programs to monitor what your adversary is doing
Will help our research a lot
Can you develop techniques that will put pieces of the deleted
files together to create the original file?
Use data analysis/mining for intrusion detection
Simulate an attack and use the open source tools
Analyze a disk image
- Will try to give you a disk image to work with
-