Forensic Analysis of Database Tampering
Kyriacos Pavlou and Richard T. Snodgrass
Computer Science Department, The University of Arizona
Introduction
The problem: how to systematically perform forensic analysis on a compromised database.
• Recent federal laws (HIPAA, Sarbanes-Oxley Act, etc.) and incidents of corporate collusion mandate audit log security.
• Snodgrass et al. [VLDB 04] showed how to detect database tampering. Approach: hash using a cryptographically strong hash function, notarize the data manipulated by transactions, and periodically validate.
• Forensic analysis to ascertain:
  – When the intrusion transpired
  – What data was altered
  – Who the intruder is
  – Why this has transpired
Outline
• Tamper Detection
• Forensic Analysis
  – The corruption diagram
  – Types of corruption events
• Forensic Algorithms
  – Three algorithms
  – Forensic strength
• Future Work
Tamper Detection
Two phases:
• Normal Processing: transactions are hashed; the hash value is sent to the notary, which returns a notary ID.
• Validation: the data is rehashed; the hash value plus the notary ID are sent to the notary, which returns the result.
The validation result is a single bit.
The Corruption Diagram
(Figure: the corruption diagram. Vertical axis "When": actual (clock) time. Horizontal axis "Where": commit time. NE: Notarization Event; VE: Validation Event; CE: Corruption Event. IN: notarization interval, the gap between successive NEs; IV: validation interval, the gap between successive VEs. The figure shows NE 0 through NE 6 linked into a chain, with VE 1 = TRUE and VE 2 = TRUE.)
Forensic Analysis
• If a corruption is detected, the forensic analyzer springs into action.
• The analyzer tries to ascertain a corruption region: the bounds on the uncertainty of the "where" and "when" of the corruption.
Monochromatic Algorithm
(Figure: corruption diagram for the monochromatic algorithm, NE 0 through NE 6. VE 1 = TRUE, VE 2 = FALSE; forensic analysis begins at VE 2. Each notarization interval is rehashed and marked T or F. The CE sits at tc, the time of corruption (actual time), and tl, the place of corruption (commit time). Corruption region: captures the uncertainty as to the position of the CE.)
Monochromatic Algorithm
• Central insight: data can be rehashed by the validator and checked.
• Corruption region bounds: IV × IN
  – Area is solely dependent on the two intervals.
• Cannot handle CEs involving timestamp corruption.
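The two phases of the Tamper Detection slide and the monochromatic algorithm's rehash-and-check insight, as an added Python example (not the authors' code). It assumes SHA-256 as the cryptographically strong hash, days as the time unit, and the slides' IN = 2 days and IV = 4 days; the notary, the transactions and the tampering scenario are constructed here. The notary stores only what it was given and answers validation with a single bit, so the forensic analyzer localizes the CE by rehashing one notarization interval at a time and asking the notary about each.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Transaction:
    commit_day: int   # commit (transaction) time: the "Where" axis of the corruption diagram
    data: str


class Notary:
    """Trusted external notarization service (constructed stand-in): stores each
    digest under an ID and, on validation, answers only with a single bit."""

    def __init__(self):
        self._records = {}

    def notarize(self, digest):
        notary_id = len(self._records) + 1
        self._records[notary_id] = digest
        return notary_id

    def validate(self, notary_id, digest):
        return self._records.get(notary_id) == digest


def chain_hash(prev_digest, txns):
    """Link the previous notarized digest to the transactions of one notarization
    interval, forming a cumulative hash chain (SHA-256 is an assumption)."""
    h = hashlib.sha256(prev_digest.encode())
    for t in sorted(txns, key=lambda t: t.commit_day):
        h.update(f"{t.commit_day}|{t.data}\n".encode())
    return h.hexdigest()


class AuditedDatabase:
    """Audit log plus the (day, notary ID) of each notarization event NE_k.
    Hash values are deliberately not stored: the validator rehashes the data."""

    def __init__(self, notary, IN, IV):
        self.notary, self.IN, self.IV = notary, IN, IV
        self.log = []             # transactions; this is what an intruder may alter
        self.notarizations = []   # (ne_day, notary_id) for NE_1, NE_2, ...
        self.validations = []     # (ve_day, single-bit result) for VE_1, VE_2, ...
        self._running = ""        # in-memory chain value carried from NE to NE

    def commit(self, t):
        self.log.append(t)

    def interval(self, start_day, end_day):
        return [t for t in self.log if start_day < t.commit_day <= end_day]

    def rehash_chain(self):
        """Recompute the chain from stored data: (ne_day, notary_id, digest) per NE."""
        digest, prev_day = "", 0
        for ne_day, notary_id in self.notarizations:
            digest = chain_hash(digest, self.interval(prev_day, ne_day))
            yield ne_day, notary_id, digest
            prev_day = ne_day

    def notarize(self, ne_day):
        """Normal processing: hash this interval onto the chain and notarize it."""
        prev_day = self.notarizations[-1][0] if self.notarizations else 0
        self._running = chain_hash(self._running, self.interval(prev_day, ne_day))
        self.notarizations.append((ne_day, self.notary.notarize(self._running)))

    def validate(self, ve_day):
        """Validation: rehash everything and check the latest NE with the notary."""
        _, notary_id, digest = list(self.rehash_chain())[-1]
        ok = self.notary.validate(notary_id, digest)
        self.validations.append((ve_day, ok))
        return ok


def monochromatic_forensic_analysis(db):
    """After a FALSE validation: tc ("when") lies between the last TRUE VE and the
    first FALSE VE (width IV); tl ("where") lies in the first notarization interval
    whose rehashed chain value the notary rejects (width IN). Region area IV x IN."""
    failed = [d for d, ok in db.validations if not ok]
    if not failed:
        return None
    tc_hi = failed[0]
    passed = [d for d, ok in db.validations if ok and d < tc_hi]
    tc_lo = passed[-1] if passed else 0
    prev_day = 0
    for ne_day, notary_id, digest in db.rehash_chain():
        if not db.notary.validate(notary_id, digest):
            return {"where": (prev_day, ne_day), "when": (tc_lo, tc_hi)}
        prev_day = ne_day
    return None


def run_scenario(tamper_day=7, tampered_index=2):
    """Constructed scenario: IN = 2 days, IV = 4 days, one record per day for 8 days.
    On day tamper_day (tc) the intruder rewrites log[tampered_index] (tl = day 3)."""
    db = AuditedDatabase(Notary(), IN=2, IV=4)
    for day in range(1, 9):
        db.commit(Transaction(day, f"record committed on day {day}"))
        if day == tamper_day:
            db.log[tampered_index].data = "altered after the fact"
        if day % db.IN == 0:
            db.notarize(day)
        if day % db.IV == 0:
            db.validate(day)
    return db.validations, monochromatic_forensic_analysis(db)


if __name__ == "__main__":
    print(run_scenario())
```

With the default scenario VE 1 (day 4) returns TRUE and VE 2 (day 8) returns FALSE, and the analyzer reports the corruption region where = (2, 4] and when = (4, 8]: commit time within one IN, actual time within one IV, which is the IV × IN region of the slide. Moving the tampering to a different record changes only the "where" interval, which is why the region's area depends solely on the two intervals.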
The RGB Forensic Algorithm
(Figure: corruption diagram for the RGB algorithm with IV = 4 days and IN = 2 days, NE 0 through NE 8. Red (R), Green (G) and Blue (B) partial hash chains are notarized in turn: "Notarization of Red" at NE 2 and NE 6, "Notarization of Blue & Green" at NE 4. VE 1, VE 2 and VE 3 = TRUE; VE 4 = FALSE, where forensic analysis begins. The CE is a postdating CE at actual time tc, with tp the postdating time; the T/F marks are the rehash results per chain. The marks on the "Where" axis are tl and tp.)
The RGB Forensic Algorithm
• Introduction of RGB partial hash chains:
  – Allows the bounding of both tl and tp
  – Incurs extra NS cost
• Each of the two corruption regions is bounded by: IV × IN
• We would like to reduce the area of the corruption regions.
The Polychromatic Algorithm
(Figure: corruption diagram for the polychromatic algorithm with IV = 4 days, IN = 2 days and a desired uncertainty of 1 day, NE 0 through NE 8. "Notarization of 2 Reds" at NE 2 and NE 6, "Notarization of 2 Blues & 1 Green" at NE 4. VE 1, VE 2 and VE 3 = TRUE; VE 4 = FALSE, where forensic analysis begins. The CE is a backdating CE at actual time tc, with tb the backdating time; the T/F marks are the rehash results per chain. The marks on the "Where" axis are tl and tb.)
Uncertainty can be arbitrarily shrunk via a logarithmic number of red and blue hash chains.
Forensic Strength
Components:
  – Work of forensic analysis
  – Region-area of CE
  – Width of postdating / backdating uncertainty
Inverse Forensic Strength:
IFS(D, IN, V) = (NumNotarizes(D, IN, V) + ForensicAnalysis(D, IN, V)) · RegionArea(IN, V) · UncertaintyWidth(D, IN)
where V = IV / IN is the validation factor and D is the number of days before the first validation failure.
• Monochromatic: O(V · D² · IN)
• RGB: O(V · D · IN²)
• Polychromatic: O((V + lg IN) · D)
We assume that D >> IN.
Future Work
• Develop a stronger lower bound for this problem.
• Accommodate multi-locus and complex CEs.
• Differentiate postdating and backdating CEs.
• Implement forensic analysis in the validator.
• Consider the interaction between the transaction-time storage manager and the underlying WORM storage.
Summary
• We have presented a means of performing forensic analysis.
• We have introduced a graphical representation to visualize CEs, termed the corruption diagram.
• We have designed three forensic algorithms:
  – Monochromatic
  – RGB
  – Polychromatic