1 / 14

Forensic Analysis of Database Tampering

Forensic Analysis of Database Tampering . Kyriacos Pavlou and Richard T. Snodgrass Computer Science Department The University of Arizona. Introduction. The problem : How to systematically perform forensic analysis on a compromised database.

caesar
Download Presentation

Forensic Analysis of Database Tampering

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Forensic Analysis of Database Tampering Kyriacos Pavlou and Richard T. Snodgrass Computer Science Department The University of Arizona

  2. Introduction The problem : How to systematically perform forensic analysis on a compromised database. • Recent federal laws (HIPAA, Sarbanes-Oxley Act etc.) and incidents of corporate collusion mandateaudit log security. • Snodgrass et al. [VLDB04] showed how to detect database tampering. Approach: Hashusing a cryptographically strong hash function, notarize data manipulated by transactions and periodically validate. • Forensic analysis to ascertain: • When the intrusion transpired • What data was altered • Who the intruder is • Why has this transpired

  3. Outline • Tamper Detection • Forensic Analysis • The corruption diagram • Types of corruption events • Forensic Algorithms • Three algorithms • Forensic strength • Future Work

  4. Tamper Detection transactions transactions hash value hash value transactions transactions notary ID notary ID + + hashing hashing hash value + notary ID result rehash • Two phases: • Normal Processing • Validation • The validation result is a single bit.

  5. The Corruption Diagram . INnotarization interval validation interval IV CE When Actual time VE2 VE2 = TRUE NE6 NE: Notarization Event NE5 clock time VE: Validation Event NE4 CE: Corruption Event = TRUE VE1 NE3 link NE2 link NE1 Commit time commit time NE0 Where

  6. Forensic Analysis • If a corruption is detected, the forensic analyzer springs into action. • The analyzer tries to ascertain a corruption region: the bounds on the uncertainty of the “where” and “when” of the corruption.

  7. Monochromatic Algorithm T F F F F . CE When Forensic analysis begins VE2 = FALSE NE6 NE5 time of corruption (tc) NE4 VE1 = TRUE NE3 Corruption Region: captures the uncertainty as to the position of CE NE2 NE1 tl: place of corruption(commit time) NE0 Where

  8. Monochromatic Algorithm • Central insight: data can be rehashed by validator and checked. • Corruption region bounds: IV IN • Area is solely dependent on the two intervals. • Cannot handle CEs involving timestamp corruption. ×

  9. The RGB Forensic Algorithm G B . CE T F F F F F F Postdating CE G B tp: postdating time tp T When F VE4 = FALSE NE8 Forensic analysis begins IV= 4 days IN= 2 days tc NE7 T Notarization of Red R VE3 = TRUE NE6 NE5 T Notarization ofBlue&Green VE2 = TRUE NE4 NE3 Notarization of Red R VE1 = TRUE NE2 NE1 x x tl NE0 Where

  10. The RGB Forensic Algorithm • Introduction of RGB partial hash chains: • Allows the bounding of both tl and tp • Incurs extra NS cost • Each of two corruption regions bounds: IV IN • We would like to reduce the area of the corruption regions. ×

  11. The Polychromatic Algorithm G B . CE T F F F F F F G B F T When F VE4 = FALSE NE8 Forensic analysis begins IV= 4 days IN= 2 days Desired = 1 day tc NE7 T Notarization of 2 Reds R VE3 = TRUE NE6 NE5 T Backdating CE F F Notarization of2Blues&1Green VE2 = TRUE NE4 Uncertainty can be arbitrarily shrunk via a logarithmic number of red and blue hash chains. NE3 Notarization of 2 Reds R VE1 = TRUE NE2 NE1 tb: backdating time x x tl tb NE0

  12. Forensic Strength Components: • Work of forensic analysis • Region-area of CE • Width of postdating / backdating uncertainty Inverse Forensic Strength: IFS( D , IN ,V ) = ( NumNotarizes( D , IN ,V ) + ForensicAnalysis( D , IN ,V ) ) · RegionArea( IN ,V ) · UncertaintyWidth( D , IN) where V = IV / IN is the validation factor and D is the number of days before first validation failure. • Monochromatic: O( V · D2· IN ) • RGB: O( V · D · IN2 ) We assume that D >> IN . • Polychromatic: O( ( V + lg IN ) · D )

  13. Future Work • Develop a stronger lower bound for this problem. • Accommodate multi-locus and complexCEs. • Differentiate postdating and backdatingCEs. • Implement forensic analysis in validator. • Consider interaction between transaction-time storage manager and underlying WORM storage.

  14. Summary • We have presented a means of performing forensic analysis. • We have introduced a graphical representation to visualize CEs, termed the corruption diagram. • We have designed three forensic algorithms. • Monochromatic • RGB • Polychromatic

More Related