
Effects of Motivation and Demography on the Quantitative Plausibility of the Trojan Horse Defence against Possession of

Effects of Motivation and Demography on the Quantitative Plausibility of the Trojan Horse Defence against Possession of Child Pornography. Richard E Overill & Jantje A M Silomon Department of Informatics, King’s College London K-P Chow & H Tse Department of Computer Science,



  1. Effects of Motivation and Demography on the Quantitative Plausibility of the Trojan Horse Defence against Possession of Child Pornography

    Richard E Overill & Jantje A M Silomon Department of Informatics, King’s College London K-P Chow & H Tse Department of Computer Science, University of Hong Kong
  2. Synopsis
     - Trojan Horse Defence
     - Possession of Child Pornography
     - Digital Forensic Sub-hypotheses
     - Evidential Traces Recovered
     - Motivationally Enhanced Complexity Model
     - Trojan Horse Model
     - Results: Posterior Odds
     - Conclusions
  3. Trojan Horse Defence
     - First reported use in the UK October 2003 (Aaron Caffrey, 19, Port of Houston hack)
     - It concedes that the offence was committed, but contends that it was not by the defendant (Some Other Dude Did It - SODDI)
     - In the absence of other evidence (e.g. DNA, fingerprint) tying defendant to crime scene, it requires the prosecution to prove a negative – that there was no Trojan Horse in operation at the material time
  4. Possession of Child Pornography
     - Trojan Horse Defence is highly successful globally in countering prosecutions of various e-crimes, and in particular the possession of child pornography (CP)
     - (HK) law enforcement generally requires at least five items of digital CP before bringing charges – to avoid the defence claiming that the defendant made an inadvertent mistake
  5. Digital Forensic Sub-hypotheses (Prosecution)
     - Downloading of CP has been performed
       - three alternative possibilities: browser, email, peer-to-peer (P2P)
       - this study models browser download only
     - Copying of CP has been performed
       - two alternative possibilities: USB and CD/DVD
       - this study models USB device only
     - Viewing of CP has been performed
  6. Evidential Traces Recovered (I)
     - CP (image/video) on computer
     - Internet history / cache from downloading
     - Credit card payment to CP website
     - Metadata on computer matched CP website
     - USB device was plugged into the computer
     - CP on computer matched that on USB device
  7. Evidential Traces Recovered (II)
     - Modified timestamp predates created timestamp of CP
     - Image / video viewing tools on computer
     - CP displayed by image / video viewing tools
     - Access timestamp postdates created timestamp of CP
  8. Motivationally Enhanced Complexity Model - I
     Hypotheses:
     - Principle of Contingency: the more complex a process, the less likely it is to occur by chance or accidentally
       - A tornado in a junkyard is very unlikely to create a Boeing 747
     - Ockham’s Razor (ca. 1287 – 1347):
       - “Frustra fit per plura quod potest fieri per pauciora”: It is futile to do with more that which can be done with fewer;
       - “Entia non sunt multiplicanda praeter necessitatem”: Entities are not to be multiplied beyond necessity;
       - When there are alternatives, the least complex explanation that accounts for all the evidence is most likely to be correct.
  9. Motivationally Enhanced Complexity Model - II
     - Model complexity using:
       - computational complexity (CC) – byte level
       - GOMS Keystroke Level Model (KLM) – key-stroke / mouse-click level
       - Halstead’s Effort (E) metric – token level
     - Yerkes–Dodson relation (1908): probability of success as a function of degree of motivation – a sigmoid: $p_s(m) = [\mathrm{erf}(m+2)+1]/2$
     - Demographics: determines the proportion of people capable of constructing the Trojan Horse
  10. Motivationally Enhanced Complexity Model – III
     Explanations:
     - For explanation $i$: $p_i$ $[CC_i + KLM(CC)_i + E_i + KLM(E)_i]^{-1}$
     - For two mutually exclusive explanations $i$ and $j$, the ‘posterior odds’ of explanation $i$ over $j$: $O(i:j) = \Pr(H_i|E) / \Pr(H_j|E) = p_i / p_j$
     - Then: $O(\mathrm{MECM}) = [O(i:j) + 1] / (p_s\, p_c\, p_o\, p_f) - 1$
  11. FIGURE 1. Yerkes–Dodson curve for a capable, focused individual performing a task
  12. Motivationally Enhanced Complexity Model – IV
     where:
     - $p_s$ is Y-D probability of success due to motivation
     - $p_c = 0.002$ is probability of technical capability, rated as approximately MSc in Computing
     - $p_o = 1$ is probability of opportunity
     - $p_f = 0.02$ is probability of failure to detect the Trojan Horse by the installed anti-virus system
  13. Trojan Horse Model
     - Simplest possible system that produces all of the requisite evidential traces and no others: an electronic, random framing attack
     - Lower bound on complexity implies upper bound on plausibility of Trojan Horse defence
     - Consists of:
       - Dropper
       - Installer / Uninstaller
       - Payload (incl. key-logger, string search algorithm)
  14. Results: Posterior Odds
     - Odds against an OTS Trojan = 132.1
     - Odds against a DIY Trojan = 99,500 – 198,950 depending on the degree of motivation m
     - We also identified a special case (SC) Trojan which already has the victim’s credit card data
     - Odds against a SC OTS Trojan = 128.5
     - Odds against a SC DIY Trojan = 65,750 – 131,500 depending on the degree of motivation m
  15. Conclusions
     - Potential significance for both prosecution and defence sides when assessing their own worst case scenario and their opponents’ best case scenario
     - For an unprotected computer, posterior odds do not favour a successful criminal prosecution if the defence claims that the TH is OTS
     - For a protected computer, posterior odds strongly favour a successful criminal prosecution, whatever the defence claims about the nature of the hypothecated Trojan Horse
  16. Acknowledgements
     - Testwell for the grant of an evaluation licence for their CMT++ Complexity Measures Tool for C/C++ to calculate the Halstead E metric
     - US ONR MINERVA programme “Strategy and the Network Society” research grant
     - UK EPSRC Overseas Travel Grant
  17. Thank you! Questions? Comments? Richard E Overill {richard.overill@kcl.ac.uk}
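
The posterior-odds formula from slides 9 to 12 can be evaluated and inverted to check the DIY range reported on slide 14. The code below is an added example, not code from the presentation or its authors. Pairing the two range endpoints with p_s = 1 and p_s = 0.5 is an assumption made here for the check, and the function names are hypothetical.

```python
"""Added example: evaluates the slides' MECM posterior-odds formula."""
from math import erf

# Parameter values stated on slide 12.
P_C = 0.002   # technical capability (approx. MSc in Computing)
P_O = 1.0     # opportunity
P_F = 0.02    # installed anti-virus fails to detect the Trojan Horse


def p_success(m: float) -> float:
    """Yerkes-Dodson sigmoid from slide 9: ps(m) = [erf(m+2)+1]/2."""
    return (erf(m + 2.0) + 1.0) / 2.0


def o_mecm(o_ij: float, p_s: float, p_c: float = P_C,
           p_o: float = P_O, p_f: float = P_F) -> float:
    """Slide 10: O(MECM) = [O(i:j) + 1] / (ps * pc * po * pf) - 1."""
    for name, p in (("p_s", p_s), ("p_c", p_c), ("p_o", p_o), ("p_f", p_f)):
        if not 0.0 < p <= 1.0:
            raise ValueError(f"{name} must be in (0, 1], got {p}")
    return (o_ij + 1.0) / (p_s * p_c * p_o * p_f) - 1.0


def implied_o_ij(o_total: float, p_s: float, p_c: float = P_C,
                 p_o: float = P_O, p_f: float = P_F) -> float:
    """Invert o_mecm(): complexity-only odds implied by a reported O(MECM)."""
    return (o_total + 1.0) * (p_s * p_c * p_o * p_f) - 1.0


def diy_consistency() -> tuple[float, float]:
    """Assumption (not stated on the slides): the DIY endpoints 99,500 and
    198,950 correspond to ps = 1 and ps = 0.5 respectively."""
    return implied_o_ij(99_500, 1.0), implied_o_ij(198_950, 0.5)


if __name__ == "__main__":
    lo, hi = diy_consistency()
    print(f"implied O(i:j): {lo:.3f} (ps=1) vs {hi:.3f} (ps=0.5)")
    # Sensitivity of the final odds to the motivation parameter m.
    for m in (-2.0, -1.0, 0.0, 2.0):
        ps = p_success(m)
        print(f"m={m:+.1f}  ps={ps:.4f}  O(MECM)={o_mecm(lo, ps):,.0f}")
```

Both endpoints imply nearly the same complexity-only odds, so under that assumption the spread in the DIY figures comes from the motivation term alone.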