Towards models for forensic analysis
- In Proceedings of the Second International Workshop on Systematic Approaches to Digital Forensic Engineering, 2007
Cited by 10 (7 self)
The existing solutions in the field of computer forensics are largely ad hoc. This paper discusses the need for a rigorous model of forensics and outlines qualities that such a model should possess. It presents an overview of a forensic model and an example of how to apply the model to a real-world, multi-stage attack. We show how using the model can result in forensic analysis requiring a much smaller amount of carefully selected, highly useful data than without the model.
We Have Met the Enemy and He is Us
- In Proceedings of the New Security Paradigms Workshop (NSPW) (to appear), Lake Tahoe, CA
Cited by 10 (7 self)
The insider threat has long been considered one of the most serious threats in computer security, and one of the most difficult to combat. But the problem has never been defined precisely, and that lack of precise definition inhibits solutions. This paper presents a precise definition of insider threat, and shows how the definition enables an analysis of the set of problems traditionally lumped into “the insider threat”. It introduces a hierarchy of policy abstractions, and argues that the discrepancies between the different layers of abstraction expose the potential for insider threat. It also presents a methodology for analyzing the threat based upon our definitions. In the process, we introduce Attribute-Based Group Access Control, a generalization of the Role-Based Access Control model that allows any attributes to define a group. We apply this to the insider threat by defining groups based on access capabilities, and using that to identify users with a high level of threat with respect to high-risk resources.
Computer Forensics In Forensis
- ACM Operating Systems Review (OSR) Special Issue on Computer Forensics, 2008
Cited by 4 (4 self)
Different users apply computer forensic systems, models, and terminology in very different ways. They often make incompatible assumptions and reach different conclusions about the validity and accuracy of the methods they use to log, audit, and present forensic data. This is problematic, because these fields are related, and results from one can be meaningful to the others. We present several forensic systems and discuss situations in which they produce valid and accurate conclusions and also situations in which their accuracy is suspect. We also present forensic models and discuss areas in which they are useful and areas in which they could be augmented. Finally, we present some recommendations about how computer scientists, forensic practitioners, lawyers, and judges could build more complete models of forensics that take into account appropriate legal details and lead to scientifically valid forensic analysis.
E-Voting and Forensics: Prying Open the Black Box
Cited by 4 (3 self)
Over the past six years, the nation has moved rapidly from punch cards and levers to electronic voting systems. These new systems have occasionally presented election officials with puzzling technical irregularities. The national experience has included unexpected and unexplained incidents in each phase of the election process: preparations, balloting, tabulation, and reporting results. Quick technical or managerial assessment can often identify the cause of the problem, leading to a simple and effective solution. But other times, the cause and scope of anomalies cannot be determined. In this paper, we describe the application of a model of forensics to the types of technical incidents that arise in computer-based voting technologies. We describe the elements of e-voting that current forensic techniques can address, as well as the need for a more structured analysis, and how this can be achieved given modifications to the design of e-voting systems. We also demonstrate how some concrete forensic techniques can be utilized today by election officials and their agents, to understand voting system events and indicators. We conclude by reviewing best practices for structuring a formal forensics team, and suggest legal steps and contractual provisions to undergird the team’s authority and work.
Vote Selling, Voter Anonymity, and Forensic Logging of Electronic Voting Machines
Cited by 3 (2 self)
Much recent work has focused on the process of auditing the results of elections. Little work has focused on auditing the e-voting systems currently in use. The facilities for doing the former include the voter-verified paper audit trail; unfortunately, that VVPAT is not particularly helpful in tracking down the source of errors within e-voting systems. This paper discusses the need for a detailed forensic audit trail (FAT) to enable auditors to analyze the actions of e-voting systems, in order to demonstrate either the absence of problems or to find the causes of problems. We also discuss methods to prevent the use of the FAT as a covert channel for violating the necessary properties of secrecy of the ballot, so voters cannot sell their votes, and anonymity of the ballot, so a third party cannot associate a particular ballot with the voter who cast it.
Your Security Policy is What
- 2006
Cited by 2 (2 self)
Systems and infrastructure rarely enforce a site’s security policy precisely. Conversely, determining the policy (or policy components) that the systems and infrastructure do enforce is difficult because of the plethora of configuration files and systems at the site. We propose a way to unify these problems by applying a bi-directional method of enforcing and reverse-engineering system and infrastructure policy. The process uses a platform-independent intermediate policy representation (IPR) to bridge the gap between a high-level expression of policy and a machine-dependent system configuration. The result of these methods, shown along with a detailed example, is that both policy discovery and enforcement can be made into a much more rigorous process.
A Practical Approach to Modeling Uncertainty in Intrusion Analysis
Uncertainty is an innate feature of intrusion analysis due to the limited views provided by system monitoring tools, including intrusion detection systems (IDS) and the numerous types of logs. Attackers are essentially invisible in cyber space and those monitoring tools can only observe the symptoms produced by malicious activities, mingled with the same effects produced by non-malicious activities. Thus the conclusions one can draw from these observations inevitably suffer from varying degrees of uncertainty, which is the major source of false positives/false negatives in intrusion analysis. This paper presents a practical approach to modeling such uncertainty so that the various security implications from those low-level observations are captured in a simple logical language augmented with certainty tags. We design an automated reasoning process so that the model can combine multiple sources of system monitoring data and identify highly-confident attack traces from the numerous possible interpretations of low-level observations. We develop our model formulation through studying a true intrusion that happened on a campus network, using a Datalog-like language to encode the model and a Prolog system to carry out the reasoning process. Our model and reasoning system can reach the same conclusions the human administrator did regarding which machines were certainly compromised. We then apply the developed model to the Treasure Hunt (TH) data set, which contains large amounts of system monitoring data collected during a live cyber attack exercise in a graduate course taught at the University of California, Santa Barbara. Our results show that the reasoning model developed from the true intrusion is effective on the TH data set as well, and our reasoning system can identify high-confidence attack traces automatically. Such a model thus has the potential of codifying the seemingly ad-hoc human reasoning about uncertain events, and can yield useful tools for automated intrusion analysis.
What Do Firewalls Protect? An Empirical Study of Firewalls, Vulnerabilities, and Attacks
- 2010
Firewalls are a cornerstone of how sites implement “defense in depth.” Many security policies assume that outside attackers must first penetrate a firewall configured to block their access. This paper examines what firewalls protect against, and whether those protections are sufficient to warrant placing the current level of trust in firewalls.

