An Efficient Forensic Evidence Collection Scheme of Host Infringement at the Occurrence Time
The Computer Forensics is a research area that finds the malicious users by collecting and analyzing the intrusion or infringement evidence of computer crimes such as hacking. Many researches about Computer Forensics have been done so far. But those researches have focused on how to collect the forensic evidence for both analysis and proofs after receiving the intrusion or infringement reports of hosts from computer users or network administrators. In this paper, we describe how to selectively collect the forensic evidence of good quality from observable and protective hosts at the time of infringement occurrence by malicious users. By correlating the event logs of Intrusion Detection Systems(IDSes) and hosts with the configuration information of hosts periodically, we calculate the value of infringement severity that implies the real infringement possibility of the hosts. Based on this severity value, we selectively collect the evidence for proofs at the time of infringement occurrence. As a result, we show that we can minimize the information damage of the evidence for both analysis and proofs, and reduce the amount of data which are used to analyze the degree of infringement severity.
KeywordsMalicious User Attack Scenario Infringement Severity Forensic Evidence Protective Host
Unable to display preview. Download preview PDF.
- [Sn1]Snort v2.0, an open source network intrusion detection system, http://www.snort.org
- [AS1]ASAX: Software Architecture and Rule-Based Language for Universal Audit Trail Analysis (1992)Google Scholar
- [AS2]Advanced Security Audit Trail Analysis on (ASAX also called SAT-X) (1994)Google Scholar
- [Em1]Porras, P.A., Neumann, P.G.: EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In: National Information Systems Security Conference (1997)Google Scholar
- [SK1]Templeton, S., Levit, K.: A requires/provides model for computer attacks. In: Proc. of New Security Paradigms Workshop, September 2000, pp. 31–38 (2000)Google Scholar
- [FA1]Cuppens, F., Miege, A.: Alert Correlation in a Cooperative Intrusion Detection Framework. Proceedings of IEEE S&P (2002)Google Scholar
- [Ch1]A tool to locally check for signs of a rootkit, http://www.chkrootkit.org/
- [Ma1]Burdach, M.: Forensic Analysis of a Live Linux System, Pt. 1, 2 (1997), http://www.securityfocus.com/
- [Nm1]nmap-3.93, a free open source utility for network exploration or security auditing, http://www.insecure.org/nmap/
- [Ne1]Nessus 2.2.8, the network vulnerability scanner, http://www.nessus.org/
- [Ip1]iplog 2.2.3, a TCP/IP traffic logger, http://www.freshports.org/net/iplog/