When computer security violations are detected, computer forensic analysts attempting to determine the relevant causes and effects are forced to perform the tedious tasks of finding and preserving useful clues in large networks of operational machines. To augment a computer crime investigator's efforts, we present an expert system with a decision tree that uses predetermined invariant relationships between redundant digital objects to detect semantic incongruities. By analyzing data from a host or network and searching for violations of known data relationships, particularly when an attacker is attempting to hide his presence, an attacker's unauthorized changes may be automatically identified. Examples of such invariant data relationships are provided, as are techniques to identify new, useful ones. By automatically identifying relevant evidence, experts can focus on the relevant files, users, times and other facts first.
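The check described above, as an added Python example that is not the paper's own system: a few invariants between redundant host artifacts (assumed here, not taken from the paper) are evaluated over a constructed snapshot, and the objects that violate the most invariants are ranked first for the analyst.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Snapshot:
    """Constructed host data; each pair of fields is a redundant view of the same facts."""
    passwd: dict        # user -> home directory, as recorded in /etc/passwd
    home_dirs: set      # directories actually present on disk
    auth_logins: list   # (user, epoch) successful logins from the auth log
    wtmp: list          # (user, epoch) session records from wtmp
    disk_hash: dict     # path -> hash of the file as found on disk
    manifest_hash: dict # path -> hash recorded by the package manager

def check_invariants(s):
    """Return (rule, object) pairs for every redundancy that no longer agrees."""
    violations = []
    for user, home in s.passwd.items():          # passwd vs. filesystem
        if home not in s.home_dirs:
            violations.append(("passwd-home-missing", user))
    wtmp_set = set(s.wtmp)                        # auth log vs. wtmp
    for user, when in s.auth_logins:
        if (user, when) not in wtmp_set:
            violations.append(("login-not-in-wtmp", user))
    for path, expected in s.manifest_hash.items():  # package db vs. disk
        if s.disk_hash.get(path) != expected:
            violations.append(("manifest-hash-mismatch", path))
    return violations

def rank_objects(violations):
    """Rank users and paths by how many invariants each one violates."""
    return Counter(obj for _, obj in violations).most_common()

def example_snapshot():
    """Constructed sample: an added account and a replaced binary, with traces partly removed."""
    return Snapshot(
        passwd={"root": "/root", "alice": "/home/alice", "svc": "/home/svc"},
        home_dirs={"/root", "/home/alice"},
        auth_logins=[("alice", 1000), ("svc", 2000)],
        wtmp=[("alice", 1000)],
        disk_hash={"/usr/bin/ls": "a1b2", "/bin/sh": "c3d4"},
        manifest_hash={"/usr/bin/ls": "ffff", "/bin/sh": "c3d4"},
    )

if __name__ == "__main__":
    found = check_invariants(example_snapshot())
    for obj, count in rank_objects(found):
        print(count, obj)   # objects with the most incongruities first
```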