Learn how to systematically perform forensic analysis on a compromised database, detect tampering, ascertain intrusion details, and design forensic algorithms for investigation. The study covers tamper detection, forensic analysis, corruption diagram, and three forensic algorithms.
Forensic Analysis of Database Tampering
Kyriacos Pavlou and Richard T. Snodgrass
Computer Science Department, The University of Arizona
Introduction

The problem: How to systematically perform forensic analysis on a compromised database.
• Recent federal laws (HIPAA, Sarbanes-Oxley Act etc.) and incidents of corporate collusion mandate audit log security.
• Snodgrass et al. [VLDB04] showed how to detect database tampering. Approach: hash the data manipulated by transactions using a cryptographically strong hash function, notarize the hash value, and periodically validate.
• Forensic analysis to ascertain:
  • When the intrusion transpired
  • What data was altered
  • Who the intruder is
  • Why this has transpired
Outline
• Tamper Detection
• Forensic Analysis
  • The corruption diagram
  • Types of corruption events
• Forensic Algorithms
  • Three algorithms
  • Forensic strength
• Future Work
Tamper Detection

[Figure: transactions → hashing → hash value + notary ID; at validation the transactions are rehashed and the result is compared with the notarized hash value.]
• Two phases:
  • Normal Processing
  • Validation
• The validation result is a single bit.
The Corruption Diagram

[Figure: corruption diagram. Horizontal axis "Where" (commit time); vertical axis "When" (actual/clock time). Notarization events NE0 to NE6, each linked to the next, are spaced IN (notarization interval) apart; validation events VE1 and VE2 (both = TRUE) occur every IV (validation interval); CE marks the corruption event.]
Legend: NE: Notarization Event; VE: Validation Event; CE: Corruption Event.
Forensic Analysis
• If a corruption is detected, the forensic analyzer springs into action.
• The analyzer tries to ascertain a corruption region: the bounds on the uncertainty of the “where” and “when” of the corruption.
Monochromatic Algorithm

[Figure: corruption diagram for the monochromatic algorithm. Notarization events NE0 to NE6; VE1 = TRUE, VE2 = FALSE (forensic analysis begins); tc: time of corruption; tl: place of corruption (commit time). Corruption Region: captures the uncertainty as to the position of CE.]
Monochromatic Algorithm
• Central insight: data can be rehashed by the validator and checked.
• Corruption region bounds: IV × IN
• Area is solely dependent on the two intervals.
• Cannot handle CEs involving timestamp corruption.
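The tamper detection scheme (hash, notarize, validate) and the monochromatic rehash-and-compare analysis, as an added example that is not from the paper or its authors. It models the audit log as a dictionary, hashes each notarization interval with SHA-256 chained to the previous notarized value, and reports the IV × IN corruption region; the interval lengths, the day-indexed transactions and the corrupted tuple are constructed values.

```python
import hashlib
from dataclasses import dataclass, field

IN = 2  # notarization interval (days), constructed
IV = 4  # validation interval (days), constructed; V = IV / IN = 2

@dataclass
class AuditLog:
    rows: dict = field(default_factory=dict)       # (commit_day, key) -> value
    notarized: dict = field(default_factory=dict)  # notarization day -> hash sent to notary

    def interval_hash(self, end_day, prev):
        # Hash every tuple committed in (end_day - IN, end_day], linked to the
        # previous notarized hash so the notarization events form a chain.
        h = hashlib.sha256(prev)
        for (day, key), val in sorted(self.rows.items()):
            if end_day - IN < day <= end_day:
                h.update(f"{day}|{key}|{val}".encode())
        return h.digest()

    def notarize(self, day):  # normal processing: the chained hash goes to the notary
        self.notarized[day] = self.interval_hash(day, self.notarized.get(day - IN, b""))

    def first_mismatch(self, day):
        # Rehash interval by interval using the *stored* predecessor hash, so a
        # mismatch is pinned to the interval whose tuples actually changed.
        for d in range(IN, day + 1, IN):
            if self.interval_hash(d, self.notarized.get(d - IN, b"")) != self.notarized[d]:
                return d
        return None

    def validate(self, day):  # validation: the result is a single bit
        return self.first_mismatch(day) is None

    def monochromatic_analysis(self, failed_day):
        # Corruption region: 'where' (tl, commit time) is one IN-wide notarization
        # interval; 'when' (tc) lies between the last passing validation and the
        # failing one; the region's area is therefore IV x IN.
        d = self.first_mismatch(failed_day)
        if d is None:
            return None
        return {"where": (d - IN, d), "when": (failed_day - IV, failed_day), "area": IV * IN}

def demo():
    log = AuditLog()
    for day in range(1, 9):                   # constructed transactions, one per day
        log.rows[(day, f"acct{day}")] = 100 * day
        if day % IN == 0:
            log.notarize(day)
    before = log.validate(4)                  # VE1 = TRUE
    log.rows[(3, "acct3")] = 0                # CE after VE1: a day-3 tuple is rewritten in place
    after = log.validate(8)                   # VE2 = FALSE
    return before, after, log.monochromatic_analysis(8)
```

Running `demo()` shows the validation bit flipping from TRUE to FALSE and the analysis bounding tl to commit days (2, 4] and tc to clock days (4, 8], an area of 8 day-days.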
The RGB Forensic Algorithm

[Figure: corruption diagram for the RGB algorithm with IV = 4 days and IN = 2 days. Notarization events NE0 to NE8, alternating "Notarization of Red" (R) and "Notarization of Blue & Green" (B, G); VE1, VE2, VE3 = TRUE, VE4 = FALSE (forensic analysis begins); a postdating CE with tp: postdating time, tc and tl marked.]
The RGB Forensic Algorithm
• Introduction of RGB partial hash chains:
  • Allows the bounding of both tl and tp
  • Incurs extra NS cost
• Each of the two corruption regions bounds: IV × IN
• We would like to reduce the area of the corruption regions.
The Polychromatic Algorithm

[Figure: corruption diagram for the polychromatic algorithm with IV = 4 days, IN = 2 days, Desired = 1 day. Notarization events NE0 to NE8, alternating "Notarization of 2 Reds" (R) and "Notarization of 2 Blues & 1 Green" (B, G); VE1, VE2, VE3 = TRUE, VE4 = FALSE (forensic analysis begins); a backdating CE with tb: backdating time, tc and tl marked.]
• Uncertainty can be arbitrarily shrunk via a logarithmic number of red and blue hash chains.
Forensic Strength

Components:
• Work of forensic analysis
• Region-area of CE
• Width of postdating / backdating uncertainty

Inverse Forensic Strength:
IFS(D, IN, V) = (NumNotarizes(D, IN, V) + ForensicAnalysis(D, IN, V)) · RegionArea(IN, V) · UncertaintyWidth(D, IN)
where V = IV / IN is the validation factor and D is the number of days before the first validation failure. We assume that D >> IN.
• Monochromatic: O(V · D² · IN)
• RGB: O(V · D · IN²)
• Polychromatic: O((V + lg IN) · D)
Future Work
• Develop a stronger lower bound for this problem.
• Accommodate multi-locus and complex CEs.
• Differentiate postdating and backdating CEs.
• Implement forensic analysis in the validator.
• Consider the interaction between the transaction-time storage manager and the underlying WORM storage.
Summary
• We have presented a means of performing forensic analysis.
• We have introduced a graphical representation to visualize CEs, termed the corruption diagram.
• We have designed three forensic algorithms:
  • Monochromatic
  • RGB
  • Polychromatic