Slides in this deck: Digital Forensics; Outline; Some Developments; Review of Lectures 3 and 4; Types of Computer Forensics Systems; Internet Security Systems; Intrusion Detection Systems; Our Approach: Overview; Slide 9; Worm Detection: Introduction; Email Worm Detection using Data Mining; Firewall Security Systems; Traffic Mining; Slide 14; Storage Area Network Security Systems; Network Disaster Recovery Systems; Public Key Infrastructure Systems; Digital Identity Management; Digital Identity Management - II; Identity Theft Management; Biometrics; Homeland Security Systems; Other Types of Systems; Conclusion; Open Source and Related Tools; Assignment #1; Lab Tour and possible Programming projects

Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #5: Forensics Systems
September 5, 2007

Outline
- Some developments
- Review of Lectures 3 and 4
- Lecture 5: Types of Computer Forensics Systems
  - Objective: Identify issues in corporate planning for computer forensics
- Tools for Digital Forensics
- Assignment #1
- Lab Tour

Some Developments
- Internship positions available in computer forensics with DFW area FBI and Law Enforcement
- Guest lectures are being arranged to be given by DFW FBI and Law Enforcement
  - Dates to be given
- Mid-term exam: week of October 9 or October 16

Review of Lectures 3 and 4
- Lecture 3
  - Forensics Technology: Military, Law Enforcement, Business Forensics
  - Forensics Techniques: Finding Hidden Data, Spyware, Encryption, Data Protection, Tracing, Data Mining
  - Security Technologies: Wireless, Firewalls, Biometrics
  - Appendix: Data Mining
- Lecture 4: Data Mining for Malicious Code Detection

Types of Computer Forensics Systems
- Internet Security Systems
- Intrusion Detection Systems
- Firewall Security Systems
- Storage Area Network Security Systems
- Network disaster recovery systems
- Public key infrastructure systems
- Wireless network security systems
- Satellite encryption security systems
- Instant Messaging Security Systems
- Net privacy systems
- Identity management security systems
- Identity theft prevention systems
- Biometric security systems
- Homeland security systems

Internet Security Systems
- Security hierarchy
  - Public, Private and Mission Critical data
  - Unclassified, Confidential, Secret and Top Secret data
- Security Policy
  - Who gets access to what data
  - Bell-LaPadula Security Policy, Noninterference Policy
- Access Control
  - Role-based access control, Usage control
- Encryption
  - Public/private keys
  - Secret payment systems
- Directions
  - Smart cards

Intrusion Detection Systems
- An intrusion can be defined as "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource".
- Attacks are:
  - Host-based attacks
  - Network-based attacks
- Intrusion detection systems are split into two groups:
  - Anomaly detection systems
  - Misuse detection systems
- Use audit logs
  - Capture all activities in network and hosts.
  - But the amount of data is huge!

Our Approach: Overview
[Flow chart: Training Data -> Class -> Hierarchical Clustering (DGSOT) -> SVM Class Training; Testing Data -> Testing]
- DGSOT: Dynamically growing self organizing tree
- Hierarchical clustering with SVM flow chart

Our Approach: Hierarchical Clustering
[Figure only]

Worm Detection: Introduction
- What are worms?
  - Self-replicating program; exploits a software vulnerability on a victim; remotely infects other victims
- Evil worms
  - Severe effect; Code Red epidemic cost $2.6 Billion
- Automatic signature generation possible
  - EarlyBird System (S. Singh, UCSD); Autograph (H. Ah-Kim, CMU)
- Goals of worm detection
  - Real-time detection
- Issues
  - Substantial volume of identical traffic, random probing
- Methods for worm detection
  - Count number of sources/destinations; count number of failed connection attempts
- Worm Types
  - Email worms, Instant Messaging worms, Internet worms, IRC worms, File-sharing Networks worms

Email Worm Detection using Data Mining
[Flow chart: Training data -> Feature extraction -> Machine Learning -> The Model; Test data / Outgoing Emails -> Classifier -> Clean or Infected?]
- Task: given some training instances of both "normal" and "viral" emails, induce a hypothesis to detect "viral" emails.
- We used:
  - Naïve Bayes
  - SVM

Firewall Security Systems
- A firewall is a system or group of systems that enforces an access control policy between two networks
- Benefits
  - Implements access control across networks
  - Maintains logs that can be analyzed
    - Data mining for analyzing firewall logs and ensuring policy consistency
- Limitations
  - No security within the network
  - Difficult to implement content-based policies
  - Difficult to protect against malicious code
    - Data-driven attacks

Traffic Mining
- One way to bridge the gap between what is written in the firewall policy rules and what is being observed in the network is to analyze the traffic and the log of the packets: traffic mining
- Network traffic trends may show that some rules are outdated or not used recently

Traffic mining process
[Flow chart: Firewall -> Log File -> Mining Log File Using Frequency -> Filtering -> Rule Generalization -> Generic Rules -> Identify Decaying & Dominant Rules -> Edit Firewall Rules -> Firewall Policy Rule]

Traffic Mining Results
Anomaly Discovery Result
- Rule 1, Rule 2: ==> GENERALIZATION
- Rule 1, Rule 16: ==> CORRELATED
- Rule 2, Rule 12: ==> SHADOWED
- Rule 4, Rule 5: ==> GENERALIZATION
- Rule 4, Rule 15: ==> CORRELATED
- Rule 5, Rule 11: ==> SHADOWED

Rule list (protocol, direction, source address, source port, destination address, destination port, action):
1: TCP,INPUT,129.110.96.117,ANY,*.*.*.*,80,DENY
2: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,80,ACCEPT
3: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,443,DENY
4: TCP,INPUT,129.110.96.117,ANY,*.*.*.*,22,DENY
5: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,22,ACCEPT
6: TCP,OUTPUT,129.110.96.80,ANY,*.*.*.*,22,DENY
7: UDP,OUTPUT,*.*.*.*,ANY,*.*.*.*,53,ACCEPT
8: UDP,INPUT,*.*.*.*,53,*.*.*.*,ANY,ACCEPT
9: UDP,OUTPUT,*.*.*.*,ANY,*.*.*.*,ANY,DENY
10: UDP,INPUT,*.*.*.*,ANY,*.*.*.*,ANY,DENY
11: TCP,INPUT,129.110.96.117,ANY,129.110.96.80,22,DENY
12: TCP,INPUT,129.110.96.117,ANY,129.110.96.80,80,DENY
13: UDP,INPUT,*.*.*.*,ANY,129.110.96.80,ANY,DENY
14: UDP,OUTPUT,129.110.96.80,ANY,129.110.10.*,ANY,DENY
15: TCP,INPUT,*.*.*.*,ANY,129.110.96.80,22,ACCEPT
16: TCP,INPUT,*.*.*.*,ANY,129.110.96.80,80,ACCEPT
17: UDP,INPUT,129.110.*.*,53,129.110.96.80,ANY,ACCEPT
18: UDP,OUTPUT,129.110.96.80,ANY,129.110.*.*,53,ACCEPT

Storage Area Network Security Systems
- High performance networks that connect all the storage systems
  - After a disaster such as terrorism or a natural disaster (9/11 or Katrina), the data has to be available
  - Database systems are a special kind of storage
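The three anomaly classes on the Traffic Mining Results slide above (shadowed, generalization, correlated) can be computed directly from the rule list. The checker below is an added example, not code from the lecture; it assumes first-match rule evaluation, treats `*` octets and ANY ports as wildcards, and reports only rule pairs whose actions conflict.

```python
# Added example (not the lecture's code); assumes first-match rule evaluation.
from itertools import combinations
RULE_TEXT = """
1: TCP,INPUT,129.110.96.117,ANY,*.*.*.*,80,DENY
2: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,80,ACCEPT
3: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,443,DENY
4: TCP,INPUT,129.110.96.117,ANY,*.*.*.*,22,DENY
5: TCP,INPUT,*.*.*.*,ANY,*.*.*.*,22,ACCEPT
6: TCP,OUTPUT,129.110.96.80,ANY,*.*.*.*,22,DENY
7: UDP,OUTPUT,*.*.*.*,ANY,*.*.*.*,53,ACCEPT
8: UDP,INPUT,*.*.*.*,53,*.*.*.*,ANY,ACCEPT
9: UDP,OUTPUT,*.*.*.*,ANY,*.*.*.*,ANY,DENY
10: UDP,INPUT,*.*.*.*,ANY,*.*.*.*,ANY,DENY
11: TCP,INPUT,129.110.96.117,ANY,129.110.96.80,22,DENY
12: TCP,INPUT,129.110.96.117,ANY,129.110.96.80,80,DENY
13: UDP,INPUT,*.*.*.*,ANY,129.110.96.80,ANY,DENY
14: UDP,OUTPUT,129.110.96.80,ANY,129.110.10.*,ANY,DENY
15: TCP,INPUT,*.*.*.*,ANY,129.110.96.80,22,ACCEPT
16: TCP,INPUT,*.*.*.*,ANY,129.110.96.80,80,ACCEPT
17: UDP,INPUT,129.110.*.*,53,129.110.96.80,ANY,ACCEPT
18: UDP,OUTPUT,129.110.96.80,ANY,129.110.*.*,53,ACCEPT
"""

def parse_rules(text):
    """Rule list from the slide -> [(number, match fields, action)]."""
    rules = []
    for line in text.strip().splitlines():
        num, body = line.split(":", 1)
        f = [x.strip().split(".") for x in body.split(",")]  # tokens per field
        rules.append((int(num), f[:6], f[6][0]))
    return rules

def covers(a, b):  # token b ('*', ANY, or equal) matches all that token a does
    return b in ("*", "ANY") or a == b
def rel(fa, fb, pred):  # pred holds token by token across every match field
    return all(pred(x, y) for a, b in zip(fa, fb) for x, y in zip(a, b))

def find_anomalies(rules):
    """Classify earlier/later rule pairs whose actions conflict."""
    found = {}
    for (i, fa, acta), (j, fb, actb) in combinations(rules, 2):
        both = lambda x, y: covers(x, y) or covers(y, x)  # tokens share a value
        if acta == actb or not rel(fa, fb, both):
            continue  # same action, or no packet can match both rules
        if rel(fb, fa, covers):
            found[(i, j)] = "SHADOWED"        # later rule can never fire
        elif rel(fa, fb, covers):
            found[(i, j)] = "GENERALIZATION"  # later rule is the broader one
        else:
            found[(i, j)] = "CORRELATED"      # partial overlap; order decides
    return found
```

Run over all 18 rules it reproduces the six pairs listed on the slide and also flags conflicting pairs among the UDP rules (for example rules 7 and 9) that the slide's result list does not show.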