Towards Proactive Computer-System Forensics - PowerPoint PPT Presentation
1
Towards Proactive Computer-System Forensics
  • Phillip G. Bradford
  • Marcus Brown
  • Josh Perdue
  • Bonnie Self
  • The University of Alabama

2
Outline
  • Motivation
  • Classical Forensics
  • Digital Forensics
  • Different from Classical Forensics
  • Leverage Computer Science
  • This paper's focus
  • Sequential Statistics
  • System Design
  • Conclusions

3
Motivation
  • Computer-assisted crimes
  • Computer-enabled crimes
  • Focus: computer-enabled crimes
  • Employees or stakeholders of a firm
  • Most likely to commit computer crimes against the
    firm
  • Which employees should be the focus?
  • Must be careful of resource use!
  • Spend a few cycles ensuring security before donating
    them!

4
Classical and Digital Forensics
  • Classical Forensics is reactive
  • Digital Forensics has opportunity to be proactive
  • Digital forensics (so far)
  • A lot of focus on file recovery from disks
  • Generally reactive
  • Computer Security
  • Focus on preventative measures

5
Proactive Computer-System Forensics
  • System structuring and augmentation for
  • Automated data discovery
  • Lead formation
  • Efficient data preservation
  • Make these issues proactive
  • Challenges
  • System resources
  • Exposure

6
Proactive Forensics
  • Our proposal
  • Sequential Hypothesis testing
  • (1) Use the Neyman-Pearson Lemma
  • Get best critical regions for the hypothesis test
  • Assuming empirical data
  • (2) Use classical stopping rules
  • Aggregate cost is the same as fixed-sample
    hypothesis testing
  • Incremental cost is negligible

7
Proactive Forensics Principles
  • Small-security-breach Principle
  • A single breach of a system can be catastrophic.
  • Viruses as small as 1K bytes
  • Small-user-world Principle
  • Most users only use a very few systems or
    programs.
  • Incremental-violation Principle
  • There is a learning curve for breaking (internal) security

8
Implementing Proactive Forensics
  • Fixed Hypothesis Testing

9
Implementing Proactive Forensics
  • How often do we run fixed hypothesis testing?
  • How much data do we save?
  • How costly?
  • How can we adjust it with the changing demands of
    our employees?

10
Sequential Hypothesis Testing
  • Let f(X_i, T_1) and f(X_i, T_2) be the likelihoods of the
    i-th data point X_i under T_1 and T_2, respectively.
  • Log-likelihood ratio
  • R_n = \sum_{i=1}^{n} \log \big( f(X_i, T_1) / f(X_i, T_2) \big)
  • Stopping Rule
  • Used to focus more resources

11
Sequential Hypothesis Testing
  • Given a and b
  • a: probability of rejecting H0 when H0 holds (false alarm)
  • b: probability of accepting H0 when H1 holds (miss)
  • Let A ≈ (1 - b)/a and B ≈ b/(1 - a) (Wald's approximations)
  • Stopping Rule
  • Keep sampling while log B < R_n < log A;
    stop as soon as R_n < log B or R_n > log A
  • If R_n < log B, accept H0; when H1 in fact holds this
    happens with probability ≈ b
  • If R_n > log A, accept H1; when H0 in fact holds this
    happens with probability ≈ a

12
Stopping Rule
  • A. Wald showed the stopping rule terminates
    with probability 1.
  • Convergence issues
  • Also
  • Wald and Wolfowitz
  • This is the best ratio test possible: among all tests
    with error probabilities at most a and b, the sequential
    test has the smallest expected number of steps to a
    conclusion, under both H0 and H1
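The following is an added worked example of the sequential test described on slides 10 through 12; it is not code from the authors. It assumes a Bernoulli model (each observation is 1 if the user touched a program or file outside their usual small working set, 0 otherwise), with T_1 the elevated rate p1 (the H1 side of the ratio) and T_2 the baseline rate p0 (H0), so that a positive R_n favours H1 as on slide 11. The rates, the targets a = b = 0.05 and the three per-user event streams are constructed for illustration; the expected-sample-size formulas are Wald's standard approximations, which is what the Wald-Wolfowitz optimality on slide 12 is about.

```python
"""Wald's sequential probability ratio test (SPRT) applied to per-user
monitoring.  Added example, not the presentation authors' code; the
Bernoulli event model, parameter values and user streams below are
constructed assumptions for illustration."""
import math


def log_thresholds(alpha, beta):
    """Wald's boundaries from slide 11: log A = log((1-b)/a), log B = log(b/(1-a))."""
    return math.log((1 - beta) / alpha), math.log(beta / (1 - alpha))


def bernoulli_llr(x, p0, p1):
    """One increment log f(X_i, T_1)/f(X_i, T_2) of R_n under the
    (assumed) Bernoulli model: T_1 = p1 is the H1 rate, T_2 = p0 the H0
    rate, so a positive value is evidence for H1."""
    if x:
        return math.log(p1 / p0)
    return math.log((1 - p1) / (1 - p0))


def sprt(observations, p0, p1, alpha, beta):
    """Run the stopping rule over an event stream.

    Returns (decision, n, R_n): decision is 'H0' (R_n fell below log B),
    'H1' (R_n rose above log A) or 'undecided' when the stream ran out
    while log B < R_n < log A.  n is the number of observations consumed."""
    log_a, log_b = log_thresholds(alpha, beta)
    r = 0.0
    n = 0
    for n, x in enumerate(observations, start=1):
        r += bernoulli_llr(x, p0, p1)
        if r < log_b:
            return "H0", n, r
        if r > log_a:
            return "H1", n, r
    return "undecided", n, r


def expected_samples(p0, p1, alpha, beta):
    """Wald's approximation to the expected stopping time under each
    hypothesis: E[N] ~= E[R_N] / E[Z], with E_0[R_N] ~= (1-a) log B + a log A,
    E_1[R_N] ~= b log B + (1-b) log A, and Z a single increment of R_n."""
    log_a, log_b = log_thresholds(alpha, beta)
    z1, z0 = bernoulli_llr(1, p0, p1), bernoulli_llr(0, p0, p1)
    ez_h0 = p0 * z1 + (1 - p0) * z0      # mean increment when H0 holds (< 0)
    ez_h1 = p1 * z1 + (1 - p1) * z0      # mean increment when H1 holds (> 0)
    en_h0 = ((1 - alpha) * log_b + alpha * log_a) / ez_h0
    en_h1 = (beta * log_b + (1 - beta) * log_a) / ez_h1
    return en_h0, en_h1


# Constructed per-user streams (assumption, not real data):
# 1 = access outside the user's usual small working set, 0 = ordinary access.
USER_EVENTS = {
    "alice": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
    "bob":   [1, 0, 1, 0, 1, 1, 0, 0],
    "carol": [0, 0, 1, 0, 0, 0],
}
P0, P1 = 0.05, 0.30       # assumed baseline vs. elevated out-of-profile rate
ALPHA, BETA = 0.05, 0.05  # assumed false-alarm and miss targets


def triage(user_events=USER_EVENTS):
    """Apply the test to every user.  Users that reach 'H1' are where the
    deck proposes focusing more monitoring and data-preservation resources;
    'H0' users can be dropped early, which is the resource saving."""
    return {u: sprt(ev, P0, P1, ALPHA, BETA) for u, ev in user_events.items()}


if __name__ == "__main__":
    for user, (decision, n, r) in triage().items():
        print(f"{user:6s} {decision:9s} after {n:2d} events, R_n = {r:+.3f}")
    print("expected samples under (H0, H1):", expected_samples(P0, P1, ALPHA, BETA))
```

With a = b = 0.05 the boundaries are ±log 19 ≈ ±2.944. Each ordinary access moves R_n by log(0.70/0.95) ≈ -0.305, so a quiet user is cleared after ten events; each out-of-profile access adds log 6 ≈ 1.79, so two such accesses out of three already cross log A. Wald's approximation puts the mean stopping time at roughly 13 events under H0 and 8 under H1, which is the quantity the Wald-Wolfowitz result says no other test with the same a and b can beat.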

13
Back to Forensics
  • Neyman-Pearson Lemma
  • Conditions to determine optimal critical regions
  • For simple hypotheses, the likelihood-ratio test gives the
    best region for deciding which category the data falls into
    (most powerful at a given size)
  • Why is optimality important?
  • Forensics!!

14
Implementation Issues
  • Starting work with FUPIDS
  • Fuzzy User Profile Intrusion Detection System
  • By S. Wendzel
  • Gathers data and compares it to static tables of
    expectations
  • Modifies the OpenBSD kernel
  • Small mods, but potentially costly in timing
  • Stays stealthy

15
Implementation Issues
  • How we are different
  • Data is not static
  • Online rebalancing
  • We use sequential statistics
  • Focus more resources on target users
  • Not just for intrusion detection
  • Still potentially costly!

16
Conclusions
  • Proactive Forensics
  • New area
  • Different from intrusion detection, security,
    classical digital forensics
  • May be unique to computer networks
  • Lots of possibilities