Title :
NIS08-4: Execution-based Digital Investigation on Compromised Systems with Automated Hypotheses Generation
Author :
Rekhis, Slim ; Boudriga, Noureddine
Author_Institution :
CN&S Res. Lab., Univ. of the 7th of November, Carthage
fDate :
Nov. 27 2006-Dec. 1 2006
Abstract :
This paper proposes an execution-based formal approach for digital forensic investigation. It considers an attack scenario as a sequence of legitimate and malicious actions. Using a library of potential hypotheses, a library of legitimate actions and a formal description of the system under investigation, our approach works by rebuilding the attack scenarios in a forward and backward chaining manner. During reconstruction, malicious events are generated based on selected hypotheses. The execution graph is produced with an enhancement in state representation and hypothesis management. A case study on a compromised FTP server is provided to show how our method performs in practice.
Keywords :
security of data; telecommunication security; FTP server; automated hypotheses generation; compromised systems; digital forensic investigation; execution graph; execution-based digital investigation; execution-based formal approach; legitimate actions; malicious actions; Automation; Computer crime; Computer hacking; Computer security; Digital forensics; Formal specifications; Network servers; Pattern matching; Pattern recognition; Software libraries;
Conference_Title :
Global Telecommunications Conference, 2006. GLOBECOM '06. IEEE
Conference_Location :
San Francisco, CA
Print_ISBN :
1-4244-0356-1
Electronic_ISBN :
1930-529X
DOI :
10.1109/GLOCOM.2006.305