Security Incident Tracking in Virtualized Linux Environment

A virtualized environment provides a haven for malicious and criminal activity, and illegal activity in such environments is expected to increase as virtualization gains popularity. Meanwhile, numerous digital security and privacy laws and regulations oblige businesses and organizations to prepare for audits and legal investigations. Businesses must therefore be prepared to respond to unforeseen security incidents in virtualized environments. To establish forensic readiness, it is essential to identify which fingerprints are relevant, where they can be located, and whether all the fingerprints needed to reconstruct an incident are actually available. Mechanisms for identifying and locating fingerprints should also be provided to guide future forensic investigations, and further mechanisms should be established to automate the tracking and reconstruction of security incidents. All of these rely on knowledge of security attacks and of the fingerprints they leave behind. In this research, we explore potential security exploits and the corresponding fingerprints they leave in a virtualized Linux environment. Attacks are modeled as augmented attack trees and then conducted against a simulated virtualized environment, followed by a forensic investigation. Finally, an evidence tree is built for each attack from the fingerprints identified within the system. With an evidence tree, it is possible to identify the sensitive fingerprints for each attack; the evidence tree is also expected to provide the contextual information needed to automate the forensic investigation of a security incident.
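As an added illustration, not code from the paper, the following Python models the attack-tree-to-evidence-tree idea described above: each leaf attack step is tagged with the fingerprints it leaves, AND/OR nodes are combined into the sets of fingerprints sufficient to reconstruct the attack, and the fingerprints common to every reconstruction are reported as the sensitive ones that forensic readiness must preserve. The sample tree and the fingerprint labels (for example `guest:auth.log`, `host:vm-disk.log`) are constructed for the example and are not taken from the paper.

```python
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    """One node of an augmented attack tree annotated with evidence."""
    name: str
    op: str = "LEAF"                          # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    fingerprints: frozenset = frozenset()     # evidence left by a leaf step


def evidence_sets(node):
    """All fingerprint sets sufficient to reconstruct this node.
    OR: any one child's set suffices; AND: one set per child, unioned."""
    if node.op == "LEAF":
        return [node.fingerprints]
    child_sets = [evidence_sets(c) for c in node.children]
    if node.op == "OR":
        return [s for sets in child_sets for s in sets]
    return [frozenset().union(*combo) for combo in product(*child_sets)]


def sensitive_fingerprints(root):
    """Fingerprints needed by every reconstruction path: if any one of
    these is lost, the attack cannot be fully reconstructed."""
    sets = evidence_sets(root)
    return frozenset.intersection(*sets) if sets else frozenset()


def reconstructable(root, available):
    """True if the surviving fingerprints cover at least one full path."""
    return any(s <= frozenset(available) for s in evidence_sets(root))


def sample_attack_tree():
    """Constructed example: compromise of a Linux guest VM (hypothetical)."""
    return Node("compromise guest VM", "AND", [
        Node("obtain shell", "OR", [
            Node("password guessing over ssh",
                 fingerprints=frozenset({"guest:auth.log"})),
            Node("web application exploit",
                 fingerprints=frozenset({"guest:access.log", "host:vm-net.log"})),
        ]),
        Node("escalate privileges", fingerprints=frozenset({"guest:sudo.log"})),
        Node("install persistence",
             fingerprints=frozenset({"guest:cron.d", "host:vm-disk.log"})),
    ])
```

Fingerprints that appear only on one branch of an OR node (here the two ways of obtaining a shell) are not sensitive, because an alternative reconstruction exists; those shared by every path are the ones a readiness plan must guarantee to retain.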
