230 likes | 241 Views
This research paper explores means to examine if a database has been tampered with, and how to detect who did it. It discusses audit log security, compliant records, and the challenges of applying these to high-performance databases. The paper proposes a method using hash values and external notarization services to maintain the audit log and detect intrusions. It also introduces the RGB Forensic Algorithm and the Polychromatic Algorithm for more precise detection of tampering.
E N D
Forensic Analysis of Database Tampering James Byrd
Abstract • Means to examine if a database has been tampered with already exist • How do you detect who did it?
Introduction • File System and Database communities have expressed interest in built in mechanisms that detect and/or prevent tampering of data • Interest has arisen after laws such as HIPAA, and collusion cases such as Enron and Worldcom companies
Outline of Introduction • Audit Log Security • Compliant Records • How do these apply to high performance databases?
Audit Log Security • a single component of Record Management Systems • RMS’s track documents and their version histories and ensure that a previous version of a document cannot be altered • uses notarization keys to track changes
Compliant Records • records that are required by myriad laws and regulations (roughly 10k in the US) • “to follow certain processes by which they are created, stored, accessed, maintained and retained” • usually stored on a WORM disk (Write Once Read Many) • as the record is modified, all versions are stored along with all of the metadata
High Performance Databases • the previous approaches cannot be applied to HPD’s because all of the data cannot be stored and notarized after each transaction • therefore, we must move the Audit Log Capabilities into the DBMS • one way hashing of all of the data and periodic validation of the audit log database
Thats Great James • What do I do when I detect an intrusion? • All you know is that at some point in the past that the data has been altered • thats dandy • Cue Forensics Analysis
Forensics Analysis • needed to determine • WHEN the intrusion occurred • WHAT was altered • WHO did it
2 - Tamper Detection • DBMS can maintain the audit log in the background • Data can be modified by a transaction and is then hashed • Digitize the hash value with external notarization service • Series of implementation optimizations that minimize notaries and speed up DBMS
First Insight - DBMS Maintain Audit Log • does this by rendering a specified relation as a Transaction-Time Table • this instructs the database to keep all previous values as append only • easily visible to anyone with the database
Second Insight - Hash the Data • Take the data modified by the transaction and cryptographically hash it to generate a secure one way hash of the transaction
Third Insight - Digitally Notarize the Hash • Use an external notarization service to digitally notarize the hash data • therefore, even if the intruder has access to everything (database, hardware, OS, etc) they cannot change the hash data
Fourth Insight - Series of Implementations • make optimizations that allow the DBMS to to implement all hashing and notarizing in an efficient manner to not slow down DBMS performance
2 Different Approaches • normal processing • transactions are run and hash values are digitally notarized • validation • hash values are recomputed and compared with previous hashes • this is where detection is found
3 - Some Definitions • Corruption Event • any event that corrupts the data or the database • Validation Event • finding of a CE • Time = time of ve • Notarization Event • notarization of th documetn by the notary service
Corruption Diagram • Drawing Time :)
Forensic Analysis • Ascertain the “Corruption Zone”, that is the area where the corruption took place • bounds of when and where
Notarization and Validation Intervals • Validation intervals should be equal to or longer than the notarization interval • The VI should also be a multiple of the Notation Interval • The values should be set up that they happen at the same time occasionally
Backdating Issues • If a value is backdated, then the Corruption Zone is increased in size to accommodate the date of the backdate
RGB Forensic Algorithm • useful for postdating • 3 chains of hash functions per database refresh • only portions • no additional disk reads are necessary • useful for forensics analysis
Polychromatic Algorithm • smaller regions than the RGB alg • uses a lot of math and graph theory • summary: • gives a more precise region of where the tampering occured
Comparison • Trivial • the entire triangle is the region • Monochromatic • gives a specific part of the triangle but requires many queries • RGB • area in question reduced to days but requires additional partial hash functions • Polychromatic • limits the region to specific date and time