Advertisement

An Efficient Forensic Evidence Collection Scheme of Host Infringement at the Occurrence Time

  • Yoon-Ho Choi
  • Jong-Ho Park
  • Sang-Kon Kim
  • Seung-Woo Seo
  • Yu Kang
  • Jin-Gi Choe
  • Ho-Kun Moon
  • Myung-Soo Rhee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4296)

Abstract

The Computer Forensics is a research area that finds the malicious users by collecting and analyzing the intrusion or infringement evidence of computer crimes such as hacking. Many researches about Computer Forensics have been done so far. But those researches have focused on how to collect the forensic evidence for both analysis and proofs after receiving the intrusion or infringement reports of hosts from computer users or network administrators. In this paper, we describe how to selectively collect the forensic evidence of good quality from observable and protective hosts at the time of infringement occurrence by malicious users. By correlating the event logs of Intrusion Detection Systems(IDSes) and hosts with the configuration information of hosts periodically, we calculate the value of infringement severity that implies the real infringement possibility of the hosts. Based on this severity value, we selectively collect the evidence for proofs at the time of infringement occurrence. As a result, we show that we can minimize the information damage of the evidence for both analysis and proofs, and reduce the amount of data which are used to analyze the degree of infringement severity.

Keywords

Malicious User Attack Scenario Infringement Severity Forensic Evidence Protective Host 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [Sn1]
    Snort v2.0, an open source network intrusion detection system, http://www.snort.org
  2. [AS1]
    ASAX: Software Architecture and Rule-Based Language for Universal Audit Trail Analysis (1992)Google Scholar
  3. [AS2]
    Advanced Security Audit Trail Analysis on (ASAX also called SAT-X) (1994)Google Scholar
  4. [BH1]
    Morin, B., Debar, H.: Correlation of Intrusion Symptoms: An Application of Chronicles. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 94–112. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. [Em1]
    Porras, P.A., Neumann, P.G.: EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In: National Information Systems Security Conference (1997)Google Scholar
  6. [SK1]
    Templeton, S., Levit, K.: A requires/provides model for computer attacks. In: Proc. of New Security Paradigms Workshop, September 2000, pp. 31–38 (2000)Google Scholar
  7. [BM1]
    Morin, B., et al.: M2D2: A formal data model for IDS Alert Correlation. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. [HA1]
    Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion-Detection Alerts. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. [FA1]
    Cuppens, F., Miege, A.: Alert Correlation in a Cooperative Intrusion Detection Framework. Proceedings of IEEE S&P (2002)Google Scholar
  10. [Ch1]
    A tool to locally check for signs of a rootkit, http://www.chkrootkit.org/
  11. [Ma1]
    Burdach, M.: Forensic Analysis of a Live Linux System, Pt. 1, 2 (1997), http://www.securityfocus.com/
  12. [Nm1]
    nmap-3.93, a free open source utility for network exploration or security auditing, http://www.insecure.org/nmap/
  13. [Ne1]
    Nessus 2.2.8, the network vulnerability scanner, http://www.nessus.org/
  14. [Ip1]
    iplog 2.2.3, a TCP/IP traffic logger, http://www.freshports.org/net/iplog/

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Yoon-Ho Choi
    • 1
  • Jong-Ho Park
    • 1
  • Sang-Kon Kim
    • 1
  • Seung-Woo Seo
    • 1
  • Yu Kang
    • 2
  • Jin-Gi Choe
    • 2
  • Ho-Kun Moon
    • 2
  • Myung-Soo Rhee
    • 2
  1. 1.School of Electrical and Computer EngineeringSeoul National UniversitySeoulKorea
  2. 2.KT Information Security CenterSeoulKorea

Personalised recommendations