Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensic Analysis of Database Tampering

Published byTayler Veals Modified over 9 years ago

Similar presentations

Presentation on theme: "Forensic Analysis of Database Tampering"— Presentation transcript:

1 Forensic Analysis of Database Tampering
Kyriacos Pavlou and Richard T. Snodgrass Computer Science Department The University of Arizona

2 Introduction The problem : How to systematically perform forensic analysis on a compromised database. Recent federal laws (HIPAA, Sarbanes-Oxley Act etc.) and incidents of corporate collusion mandate audit log security. Snodgrass et al. [VLDB04] showed how to detect database tampering. Approach: Hash using a cryptographically strong hash function, notarize data manipulated by transactions and periodically validate. Forensic analysis to ascertain: When the intrusion transpired What data was altered Who the intruder is Why has this transpired

3 Outline Tamper Detection Forensic Analysis Forensic Algorithms
The corruption diagram Types of corruption events Forensic Algorithms Three algorithms Forensic strength Future Work

4 Tamper Detection Several related ideas that allow tamper detection:
DBMS can maintain audit log in background Transaction-time table Append-only Data modified can be cryptographically hashed to produce a secure one-way hash of transaction. Notarize hash value with external notarization service. The hash value cannot change. Implementation optimizations: opportunistic hashing transaction ordering list linked hashing The latest hash value is a hash of all the changes made to the database since database creation.

5 Tamper Detection Two phases: Normal Processing Validation
transactions Two phases: Normal Processing Validation The validation result is a single bit. hash value transactions transactions hashing + notary ID hash value transactions hashing + notary ID rehash hash value notary ID + result

6 Definitions Corruption Event (CE): any event that corrupts data and compromises database (intrusion, human intervention, bug) Corruption time (tc): actual time instant at which a CE occurred. Validation Event (VE): validation of the audit log by the Notarization Service (NS). Time of VE (tv): time instant at which a VE occurred. Validation Failure vs. Validation Success: NS’s answer to a query for a particular hash value. Denotes tampering or lack thereof respectively. Notarization Event (NE): the notarization of a document by the NS. Time of NE (tn): time instant at which a NE occurred.

7 Definitions (cntd) Forensic analysis involves the following:
Temporal detection: determination of tc Spatial detection: determination of “where,” i.e., the location in the database of the data affected in a CE. This data is termed the corruption locus data (lc). In fact, try to ascertain locus time (tl), the time instant lc was originally stored (transaction commit time). Note that a CE can have many lc’s, termed multi-locus, or a only one lc termed single-locus CE.

8 The Corruption Diagram
When = TRUE VE1 NE3 NE: Notarization Event VE: Validation Event link NE2 link NE1 NE0 Where

9 The Corruption Diagram
When Actual time VE2 VE2 = TRUE IV validation interval NE6 NE: Notarization Event CE . clock time IN notarization interval NE5 VE: Validation Event NE4 CE: Corruption Event = TRUE VE1 NE3 link NE2 link NE1 Commit time NE0 commit time Where

10 Forensic Analysis If a corruption is detected, the forensic analyzer springs into action. The analyzer tries to ascertain a corruption region: the bounds on the uncertainty of the “where” and “when” of the corruption.

11 Notarization and Validation Intervals
Non-aligned validation just delays detection of tampering. Validation factor IV = V·IN

12 Analyzing Timestamp Corruption
So far considered data-only CEs. We now examine the case where the timestamps of the tuples are changed. Data-only Backdating Postdating Retroactive Introactive ×

13 Monochromatic Algorithm
When Forensic analysis begins T F F F F VE2 = FALSE NE6 CE . time of corruption (tc) NE5 NE4 VE1 = TRUE NE3 Corruption Region: captures the uncertainty as to the position of CE NE2 NE1 tl: place of corruption (commit time) NE0 Where

14 Monochromatic Algorithm
Central insight: data can be rehashed by validator and checked. Corruption region bounds: IV IN Area is solely dependent on the two intervals. Cannot handle CEs involving timestamp corruption. ×

15 The RGB Forensic Algorithm
When B G T T F F F F F F F VE4 = FALSE NE8 Forensic analysis begins CE . Postdating CE IV = 4 days IN = 2 days tc NE7 T Notarization of Red R VE3 = TRUE NE6 NE5 B G T Notarization of Blue & Green VE2 = TRUE tp tp: postdating time NE4 NE3 Notarization of Red R VE1 = TRUE NE2 NE1 x x NE0 tl Where

16 The RGB Forensic Algorithm
Introduction of RGB partial hash chains: Allows the bounding of both tl and tp Incurs extra NS cost Each of two corruption regions bounds: IV IN We would like to reduce the area of the corruption regions. ×

17 The Polychromatic Algorithm
B G F When F T T F F F F F F VE4 = FALSE NE8 Forensic analysis begins CE . IV = 4 days IN = 2 days Desired = 1 day tc NE7 T Notarization of 2 Reds R VE3 = TRUE NE6 NE5 Backdating CE T B G F F Notarization of 2 Blues & 1 Green VE2 = TRUE NE4 Uncertainty can be arbitrarily shrunk via a logarithmic number of red and blue hash chains. NE3 Notarization of 2 Reds R VE1 = TRUE NE2 tb: backdating time NE1 x x NE0 tb tl

18 The Polychromatic Algorithm
Introduction of extra partial hash chains: Reduces uncertainty of corruption region Incurs additional NS cost Uncertainty can be arbitrarily shrunk via a logarithmic number of red and blue hash chains. Hence, the width is no longer dependent on IV and IN .

19 Forensic Strength Components: Inverse Forensic Strength:
Work of forensic analysis Region-area of CE Width of postdating / backdating uncertainty Inverse Forensic Strength: IFS( D , IN ,V ) = ( NumNotarizes( D , IN ,V ) + ForensicAnalysis( D , IN ,V ) ) · RegionArea( IN ,V ) · UncertaintyWidth( D , IN ) where V = IV / IN is the validation factor and D is the number of days before first validation failure. Monochromatic: O( V · D2 · IN ) RGB: O( V · D · IN2 ) We assume that D >> IN . Polychromatic: O( ( V + lg IN ) · D )

20 Future Work Develop a stronger lower bound for this problem.
Accommodate multi-locus and complex CEs. Differentiate postdating and backdating CEs. Implement forensic analysis in validator. Consider interaction between transaction-time storage manager and underlying WORM storage.

21 Summary We have presented a means of performing forensic analysis.
We have introduced a graphical representation to visualize CEs, termed the corruption diagram. We have designed three forensic algorithms. Monochromatic RGB Polychromatic

22 Acknowledgements NSF grants IIS , IIS and EIA and a grant from Microsoft provided partial support for this work.

Download ppt "Forensic Analysis of Database Tampering"

Similar presentations

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Brewer’s Conjecture and the Feasibility of Consistent, Available, Partition-Tolerant Web Services Authored by: Seth Gilbert and Nancy Lynch Presented by:

Brewer’s Conjecture and the Feasibility of Consistent, Available, Partition-Tolerant Web Services Authored by: Seth Gilbert and Nancy Lynch Presented by:
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Detection and Analysis of Database Tampering November 2012.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Detection and Analysis of Database Tampering November 2012.
Distributed Databases John Ortiz. Lecture 24Distributed Databases2  Distributed Database (DDB) is a collection of interrelated databases interconnected.

Distributed Databases John Ortiz. Lecture 24Distributed Databases2  Distributed Database (DDB) is a collection of interrelated databases interconnected.
Case Tools Trisha Cummings. Our Definition of CASE  CASE is the use of computer-based support in the software development process.  A CASE tool is a.

Case Tools Trisha Cummings. Our Definition of CASE  CASE is the use of computer-based support in the software development process.  A CASE tool is a.
Transaction.

Transaction.
Efficient Solutions to the Replicated Log and Dictionary Problems

Efficient Solutions to the Replicated Log and Dictionary Problems
Database Management System

Database Management System
Managing Data Resources

Managing Data Resources
Distributed Systems Fall 2010 Time and synchronization.

Distributed Systems Fall 2010 Time and synchronization.
Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.

Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.
CPSC 668Set 12: Causality1 CPSC 668 Distributed Algorithms and Systems Fall 2009 Prof. Jennifer Welch.

CPSC 668Set 12: Causality1 CPSC 668 Distributed Algorithms and Systems Fall 2009 Prof. Jennifer Welch.
Temporal Indexing MVBT. Temporal Indexing Transaction time databases : update the last version, query all versions Queries: “Find all employees that worked.

Temporal Indexing MVBT. Temporal Indexing Transaction time databases : update the last version, query all versions Queries: “Find all employees that worked.
Temporal Databases. Outline Spatial Databases Indexing, Query processing Temporal Databases Spatio-temporal ….

Temporal Databases. Outline Spatial Databases Indexing, Query processing Temporal Databases Spatio-temporal ….
11 3 / 12 CHAPTER Databases MIS105 Lec14 Irfan Ahmed Ilyas.

11 3 / 12 CHAPTER Databases MIS105 Lec14 Irfan Ahmed Ilyas.
SIM5102 Software Evaluation

SIM5102 Software Evaluation
Performance Comparison of Existing Leader Election Algorithms for Dynamic Networks Mobile Ad Hoc (Dynamic) Networks: Collection of potentially mobile computing.

Performance Comparison of Existing Leader Election Algorithms for Dynamic Networks Mobile Ad Hoc (Dynamic) Networks: Collection of potentially mobile computing.
Spatio-Temporal Databases. Introduction Spatiotemporal Databases: manage spatial data whose geometry changes over time Geometry: position and/or extent.

Spatio-Temporal Databases. Introduction Spatiotemporal Databases: manage spatial data whose geometry changes over time Geometry: position and/or extent.
Chapter 18: Distributed Coordination (Chapter 18.1 – 18.5)

Chapter 18: Distributed Coordination (Chapter 18.1 – 18.5)

Similar presentations

Ads by Google