Seeing the invisible: forensic uses of anomaly detection and machine learning

Anti-forensics is the practice of circumventing classical forensic analysis procedures, rendering them either unreliable or impossible. In this paper we propose the use of machine learning algorithms and anomaly detection to cope with a wide class of definitive anti-forensics techniques. We test the proposed system on a dataset we created by implementing an innovative anti-forensics technique, and we show that our approach yields promising results in terms of detection.
