Forensic Analysis of Database Tampering

Transcription

1 orensic Analysis of Database Tampering Kyriacos Pavlou and Richard T. Snodgrass Computer Science Department The University of Arizona

2 Introduction The problem : How to systematically perform forensic analysis on a compromised database. Recent federal laws (HIPAA, Sarbanes-Oxley Act etc.) and incidents of corporate collusion mandate audit log security. Snodgrass et al. [VLDB04] showed how to detect database tampering. Approach: Hash using a cryptographically strong hash function, notarize data manipulated by transactions and periodically validate. orensic analysis to ascertain: When the intrusion transpired What data was altered Who the intruder is Why has this transpired

3 Outline Tamper Detection orensic Analysis The corruption diagram Types of corruption events orensic Algorithms Three algorithms orensic strength uture Work

4 Tamper Detection Two phases: transactions hash value Normal Processing transactions transactions + hashing notary hash ID value Validation transactions + hashing rehash result notary ID hash value notary ID + The validation result is a single bit.

5 The Corruption Diagram When Actual time VE 2 = TRUE NE: Notarization Event NE 6 VE: Validation Event clock time I V CĖ validation interval NE 5 I N notarization interval CE: Corruption Event NE 4 VE 1 = TRUE NE 3 link NE 2 NE 0 link NE 1 commit time Where Commit time

6 orensic Analysis If a corruption is detected, the forensic analyzer springs into action. The analyzer tries to ascertain a corruption region: the bounds on the uncertainty of the where and when of the corruption.

7 Monochromatic Algorithm When orensic analysis begins T VE 2 = ALSE NE 6 time of corruption (t c ) CĖ NE 5 NE 4 Corruption Region: captures the uncertainty as to the position of CE NE 2 VE 1 = TRUE NE 3 NE 1 NE 0 t l : place of corruption (commit time) Where

8 Monochromatic Algorithm Central insight: data can be rehashed by validator and checked. Corruption region bounds: I V I N Area is solely dependent on the two intervals. Cannot handle CEs involving timestamp corruption.

9 The RGB orensic Algorithm When G B T orensic analysis begins T VE 4 = ALSE NE 8 I V = 4 days I N = 2 days R t c CĖ T NE 7 Notarization of Red VE 3 = TRUE NE 6 Postdating CE t p : postdating time G B T NE 5 Notarization of Blue & Green VE 2 = TRUE NE 4 NE 3 R Notarization of Red VE 1 = TRUE NE 2 NE 1 NE 0 t l x x t p Where

10 The RGB orensic Algorithm Introduction of RGB partial hash chains: Allows the bounding of both t l and t p Incurs extra NS cost Each of two corruption regions bounds: I V I N We would like to reduce the area of the corruption regions.

11 I V = 4 days I N = 2 days When Desired = 1 day G B R t c The Polychromatic Algorithm T orensic analysis begins CĖ T T VE 4 = ALSE NE 8 NE 7 Notarization of 2 Reds VE 3 = TRUE NE 6 Backdating CE Uncertainty can be arbitrarily shrunk via a logarithmic number of red and blue hash chains. G B R NE 5 T Notarization of 2 Blues & 1 Green VE 2 = TRUE NE 4 NE 3 Notarization of 2 Reds VE 1 = TRUE NE 2 t b : backdating time NE 0 NE 1 x t b t l x

12 orensic Strength Components: Work of forensic analysis Region-area of CE Width of postdating / backdating uncertainty Inverse orensic Strength: IS( D, I N,V ) = ( NumNotarizes( D, I N,V ) + orensicanalysis( D, I N,V ) ) RegionArea( I N,V ) UncertaintyWidth( D, I N ) where V = I V / I N is the validation factor and D is the number of days before first validation failure. Monochromatic: O( V D 2 I N ) RGB: O( V D I N 2 ) We assume that D >> I N. Polychromatic: O( ( V + lg I N ) D )

13 uture Work Develop a stronger lower bound for this problem. Accommodate multi-locus and complex CEs. Differentiate postdating and backdating CEs. Implement forensic analysis in validator. Consider interaction between transaction-time storage manager and underlying WORM storage.

14 Summary We have presented a means of performing forensic analysis. We have introduced a graphical representation to visualize CEs, termed the corruption diagram. We have designed three forensic algorithms. Monochromatic RGB Polychromatic