Cross-Platform File System Activity Monitoring and Forensics - A Semantic Approach

Ensuring data confidentiality and integrity is a key concern for information security professionals, who typically have to obtain and integrate information from multiple sources to detect unauthorized data modifications and transmissions. The instrumentation that operating systems provide for monitoring file-system-level activity can yield important clues about possible data tampering and exfiltration, but the raw data these tools produce is difficult to interpret, contextualize and query. In this paper, we propose and implement an architecture for file system activity log acquisition, extraction, linking and storage that leverages semantic techniques to tackle the limitations of existing monitoring approaches in terms of integration, contextualization, and cross-platform interoperability. We illustrate the applicability of the proposed approach in both forensic and monitoring scenarios and conduct a performance evaluation in a virtual setting.
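The following is an added illustration of the kind of pipeline the abstract describes, not the paper's own implementation: activity records from two platforms are parsed, mapped onto one shared vocabulary as RDF-style triples, and the resulting linked graph is queried for "a file was modified and then transmitted by the same actor". The log formats, the `http://example.org/fsa#` namespace, its predicate and action names, and the extractor functions are all constructed for this example and do not reproduce any real audit tool's output or any vocabulary the paper defines.

```python
"""Added illustration (not the paper's implementation): lift constructed
file-system activity records from two platforms into one set of RDF-style
triples under a shared vocabulary, then query the linked graph for
"file modified, then transmitted by the same actor"."""
import re
from collections import defaultdict
from datetime import datetime

NS = "http://example.org/fsa#"  # hypothetical vocabulary namespace

# Constructed sample records in simplified key=value form (not real tool output).
LINUX_LOG = """\
2024-03-01T10:00:01Z host=lnx01 uid=1001 syscall=openat path=/srv/docs/plan.xlsx flags=O_WRONLY|O_CREAT exe=/usr/bin/soffice
2024-03-01T10:00:05Z host=lnx01 uid=1001 syscall=sendfile path=/srv/docs/plan.xlsx dest=203.0.113.9:443 exe=/usr/bin/curl
2024-03-01T10:00:09Z host=lnx01 uid=1001 syscall=openat path=/srv/docs/readme.txt flags=O_RDONLY exe=/usr/bin/less
"""
WINDOWS_LOG = """\
2024-03-01T10:01:10Z Computer=WIN07 User=CORP\\alice Operation=WriteFile Path=C:\\Share\\plan.xlsx Process=EXCEL.EXE
2024-03-01T10:01:30Z Computer=WIN07 User=CORP\\alice Operation=NetworkSend Path=C:\\Share\\plan.xlsx Destination=203.0.113.9:443 Process=OUTLOOK.EXE
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp goes under 'time'."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV.findall(rest))
    fields["time"] = ts
    return fields

def from_linux(f):
    """Map the constructed Linux-style fields onto the shared vocabulary."""
    flags = f.get("flags", "").split("|")
    if f["syscall"] == "openat":
        action = "Write" if ("O_WRONLY" in flags or "O_RDWR" in flags) else "Read"
    elif f["syscall"] == "sendfile":
        action = "Transfer"
    else:
        action = "Other"
    return dict(host=f["host"], actor="uid:" + f["uid"], process=f["exe"],
                path=f["path"], dest=f.get("dest"), action=action)

def from_windows(f):
    """Same mapping for the constructed Windows-style records."""
    action = {"WriteFile": "Write", "ReadFile": "Read",
              "NetworkSend": "Transfer"}.get(f["Operation"], "Other")
    return dict(host=f["Computer"], actor=f["User"], process=f["Process"],
                path=f["Path"], dest=f.get("Destination"), action=action)

EXTRACTORS = {"linux": from_linux, "windows": from_windows}

def lift(log, platform):
    """Turn one platform's log into (subject, predicate, object) triples.
    Each event gets six triples plus an optional destination."""
    triples = []
    for n, line in enumerate(log.splitlines()):
        e = EXTRACTORS[platform](parse_line(line))
        ev = f"{NS}event/{e['host']}/{n}"
        triples += [
            (ev, NS + "onHost", e["host"]),
            (ev, NS + "actor", e["actor"]),
            (ev, NS + "process", e["process"]),
            (ev, NS + "file", f"{NS}file/{e['host']}/{e['path']}"),
            (ev, NS + "action", NS + e["action"]),
            (ev, NS + "time", parse_line(line)["time"]),
        ]
        if e["dest"]:
            triples.append((ev, NS + "destination", e["dest"]))
    return triples

def _t(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def modified_then_transferred(triples, window_seconds=300):
    """Query: Transfer events preceded within `window_seconds` by a Write of the
    same file by the same actor. Works across platforms because both logs were
    lifted into the same vocabulary before querying."""
    g = defaultdict(dict)
    for s, p, o in triples:
        g[s][p] = o
    writes = [d for d in g.values() if d[NS + "action"] == NS + "Write"]
    hits = []
    for ev, d in g.items():
        if d[NS + "action"] != NS + "Transfer":
            continue
        for w in writes:
            if w[NS + "file"] == d[NS + "file"] and w[NS + "actor"] == d[NS + "actor"]:
                gap = (_t(d[NS + "time"]) - _t(w[NS + "time"])).total_seconds()
                if 0 <= gap <= window_seconds:
                    hits.append({"event": ev, "actor": d[NS + "actor"],
                                 "file": d[NS + "file"],
                                 "destination": d[NS + "destination"],
                                 "seconds_after_write": gap})
    return hits

if __name__ == "__main__":
    graph = lift(LINUX_LOG, "linux") + lift(WINDOWS_LOG, "windows")
    for hit in modified_then_transferred(graph):
        print(hit)
```

The point of the shared vocabulary is that the query in `modified_then_transferred` never mentions `syscall`, `Operation`, `uid` or `User`: platform-specific semantics are resolved once, in the extractors, and every downstream question is asked of the graph in one form. In a real deployment the file identity would need more than a host-qualified path (for example a content hash) to link the same document across machines, which this example deliberately does not attempt.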
