Forensic Analysis of Database Tampering


1 Forensic Analysis of Database Tampering
Kyriacos Pavlou and Richard T. Snodgrass Computer Science Department The University of Arizona

2 Introduction
The problem: how to systematically perform forensic analysis on a compromised database.
Recent federal laws (HIPAA, Sarbanes-Oxley Act, etc.) and incidents of corporate collusion mandate audit log security.
Snodgrass et al. [VLDB04] showed how to detect database tampering. Approach: hash the data manipulated by transactions with a cryptographically strong hash function, notarize the hash value, and periodically validate.
Forensic analysis then tries to ascertain:
  When the intrusion transpired
  What data was altered
  Who the intruder is
  Why this transpired

3 Outline
Tamper Detection
Forensic Analysis
  The corruption diagram
  Types of corruption events
Forensic Algorithms
  Three algorithms
  Forensic strength
Future Work

4 Tamper Detection
Several related ideas that allow tamper detection:
  The DBMS can maintain the audit log in the background as a transaction-time table, which is append-only.
  The data modified by a transaction can be cryptographically hashed to produce a secure one-way hash of the transaction.
  The hash value is notarized with an external notarization service; once notarized, the hash value cannot be changed.
Implementation optimizations: opportunistic hashing, transaction ordering list, linked hashing.
With linked hashing, the latest hash value is a hash of all the changes made to the database since database creation.

5 Tamper Detection
Two phases: normal processing and validation.
  Normal processing: transactions are hashed as they commit; the resulting hash value is sent to the notarization service, which returns a notary ID.
  Validation: the validator rehashes the data, sends the new hash value together with the notary ID to the notarization service, and receives the result.
The validation result is a single bit.

6 Definitions
Corruption Event (CE): any event that corrupts data and compromises the database (intrusion, human intervention, bug).
Corruption time (tc): the actual time instant at which a CE occurred.
Validation Event (VE): validation of the audit log by the Notarization Service (NS).
Time of VE (tv): the time instant at which a VE occurred.
Validation Failure vs. Validation Success: the NS's answer to a query for a particular hash value. Denotes tampering or lack thereof, respectively.
Notarization Event (NE): the notarization of a document by the NS.
Time of NE (tn): the time instant at which an NE occurred.

7 Definitions (cntd)
Forensic analysis involves the following:
  Temporal detection: determination of tc.
  Spatial detection: determination of "where," i.e., the location in the database of the data affected in a CE. This data is termed the corruption locus data (lc). In fact, we try to ascertain the locus time (tl), the time instant at which lc was originally stored (its transaction commit time).
Note that a CE can have many lc's (termed a multi-locus CE) or only one lc (termed a single-locus CE).

8 The Corruption Diagram
[Diagram: the horizontal axis is Where (commit time) and the vertical axis is When (actual time). Notarization events NE0, NE1, NE2, NE3 are linked in a chain; validation event VE1 = TRUE. Legend: NE: Notarization Event, VE: Validation Event.]

9 The Corruption Diagram
[Diagram continued: NE0 through NE6, with the notarization interval IN between consecutive NEs; VE1 = TRUE and VE2 = TRUE, with the validation interval IV between consecutive VEs; a corruption event CE is plotted at its commit time (Where) and its clock time (When). Legend: NE: Notarization Event, VE: Validation Event, CE: Corruption Event.]

10 Forensic Analysis If a corruption is detected, the forensic analyzer springs into action. The analyzer tries to ascertain a corruption region: the bounds on the uncertainty of the “where” and “when” of the corruption.

11 Notarization and Validation Intervals
Non-aligned validation just delays detection of tampering.
Validation factor V, defined by IV = V·IN.

12 Analyzing Timestamp Corruption
So far we have considered data-only CEs. We now examine the case where the timestamps of the tuples are changed.
Types of CE: data-only, backdating, postdating, retroactive, introactive.

13 Monochromatic Algorithm
[Corruption diagram: VE1 = TRUE, VE2 = FALSE, at which point forensic analysis begins. Rehashing the notarization intervals in turn gives T F F F F; the first F locates tl, the place of corruption (commit time), while tc, the time of corruption, lies between VE1 and VE2. The corruption region captures the uncertainty as to the position of the CE. NE0 through NE6 shown.]

14 Monochromatic Algorithm
Central insight: data can be rehashed by the validator and checked against the notarized hash values.
Corruption region bounds: IV (when) by IN (where).
The area of the region depends solely on the two intervals.
Cannot handle CEs involving timestamp corruption.
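The hash chain with notarization and validation (slides 4 and 5) and the monochromatic algorithm (slides 13 and 14), as an added Python simulation. This is example code written for this transcript, not the authors' implementation. It assumes that times are integer days, that one tuple commits per day, that IN = 2 and IV = 4 days, and that the notarization service is an in-memory dict; the three corruption events (a data-only change, a postdating and a backdating of one tuple at tc = 7) are constructed for the example.

```python
"""Added simulation: linked hash chain with notarization and validation
(slides 4-5) and the monochromatic forensic algorithm (slides 13-14).
Example code, not the authors' implementation.  Assumptions: integer days,
one tuple commits per day, NS modelled as an in-memory dict."""
import hashlib
from dataclasses import dataclass, field


def tuple_bytes(commit_time, data):
    return f"{commit_time}|{data}".encode()


@dataclass
class AuditLog:
    IN: int = 2                                    # notarization interval (days)
    IV: int = 4                                    # validation interval (days)
    rows: list = field(default_factory=list)       # append-only [commit_time, data]
    running: bytes = b""                           # DBMS copy of the latest linked hash
    interval: object = field(default_factory=hashlib.sha256)  # digest of open interval
    notarized: dict = field(default_factory=dict)  # NS copy: NE time -> linked hash

    def commit(self, t, data):
        """Opportunistic hashing: the tuple is hashed when it commits, so a
        later change to the stored row cannot alter what gets notarized."""
        self.rows.append([t, data])
        self.interval.update(tuple_bytes(t, data))

    def notarize(self, t):
        """NE at time t: link the closed interval's digest into the running
        hash and deposit the result with the NS (linked hashing)."""
        self.running = hashlib.sha256(self.running + self.interval.digest()).digest()
        self.notarized[t] = self.running
        self.interval = hashlib.sha256()

    def rehash(self, upto):
        """What the validator does: rebuild the whole chain from the rows as
        stored now.  Returns {NE time: linked hash} for NE times <= upto."""
        prev, out = b"", {}
        for k in range(self.IN, upto + 1, self.IN):
            d = hashlib.sha256()
            for t, data in self.rows:             # rows are in commit order
                if k - self.IN < t <= k:
                    d.update(tuple_bytes(t, data))
            prev = hashlib.sha256(prev + d.digest()).digest()
            out[k] = prev
        return out

    def validate(self, t):
        """VE at time t: the answer is a single bit."""
        return self.rehash(t)[t] == self.notarized[t]

    def monochromatic(self, last_good_ve, failed_ve):
        """tc lies in (last_good_ve, failed_ve] (width IV).  tl lies in the
        first notarization interval whose rehashed value disagrees with the
        NS (width IN); every later interval disagrees too because the chain
        is linked, so only the first mismatch is informative."""
        recomputed = self.rehash(failed_ve)
        for ne in sorted(self.notarized):
            if ne <= failed_ve and recomputed[ne] != self.notarized[ne]:
                return (last_good_ve, failed_ve), (ne - self.IN, ne)
        raise ValueError("validation did not fail; nothing to analyse")


def run(corruption_event, tc=7, days=8):
    """Commit one tuple per day, notarize every IN days, validate every IV
    days, and apply `corruption_event` to the stored rows at clock time tc.
    Returns the corruption region reported at the first failed validation,
    or None if every validation succeeds."""
    log = AuditLog()
    last_good_ve = 0
    for day in range(1, days + 1):
        log.commit(day, f"row committed on day {day}")
        if day == tc:
            corruption_event(log)             # the CE bypasses the DBMS entirely
        if day % log.IN == 0:
            log.notarize(day)
        if day % log.IV == 0:
            if log.validate(day):
                last_good_ve = day
            else:
                return log.monochromatic(last_good_ve, day)
    return None


# Constructed corruption events, all at tc = 7.  rows[i] is the day i+1 tuple.
def data_only(log):     # alter the data of the day-3 tuple: tl = 3
    log.rows[2][1] = "row committed on day 3 (altered)"

def postdating(log):    # move the day-3 tuple's timestamp forward: tl = 3, tp = 5
    log.rows[2][0] = 5

def backdating(log):    # move the day-5 tuple's timestamp back: tl = 5, tb = 3
    log.rows[4][0] = 3


if __name__ == "__main__":
    for ce in (data_only, postdating, backdating):
        print(ce.__name__, "-> (tc bounds, tl bounds) =", run(ce))
```

All three events are caught by VE2 at day 8, and all three yield the same corruption region: tc in (4, 8] (the validation interval IV = 4) and tl in (2, 4] (the notarization interval IN = 2). For the data-only CE that is the right answer. For the postdating CE the reported interval is the original locus, but tp is invisible; for the backdating CE the reported interval is the backdated time tb, not the original locus tl = 5. The analyst cannot tell these apart from the chain alone, which is the limitation slide 14 states and the partial chains of the following slides address.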

15 The RGB Forensic Algorithm
[Corruption diagram for a postdating CE with IV = 4 days and IN = 2 days: NE0 through NE8; VE1 = TRUE, VE2 = TRUE, VE3 = TRUE, VE4 = FALSE, at which point forensic analysis begins. Red (R) partial chains are notarized at some NEs and Blue (B) and Green (G) partial chains at others; each chain rehashes to T or F. Marked on the diagram: tl (locus time), tc (corruption time) and tp (postdating time).]

16 The RGB Forensic Algorithm
Introduction of RGB partial hash chains:
  Allows the bounding of both tl and tp
  Incurs extra NS cost
Each of the two corruption regions has bounds IV by IN.
We would like to reduce the area of the corruption regions.

17 The Polychromatic Algorithm
[Corruption diagram for a backdating CE with IV = 4 days, IN = 2 days and a desired uncertainty of 1 day: NE0 through NE8; VE1 = TRUE, VE2 = TRUE, VE3 = TRUE, VE4 = FALSE, at which point forensic analysis begins. Two Red chains are notarized at some NEs and two Blue and one Green chain at others; each chain rehashes to T or F. Marked on the diagram: tl (locus time), tc (corruption time) and tb (backdating time). Uncertainty can be arbitrarily shrunk via a logarithmic number of red and blue hash chains.]

18 The Polychromatic Algorithm
Introduction of extra partial hash chains:
  Reduces the uncertainty of the corruption region
  Incurs additional NS cost
Uncertainty can be arbitrarily shrunk via a logarithmic number of red and blue hash chains. Hence, the width is no longer dependent on IV and IN.

19 Forensic Strength
Components:
  Work of forensic analysis
  Region-area of CE
  Width of postdating / backdating uncertainty
Inverse Forensic Strength:
  IFS(D, IN, V) = ( NumNotarizes(D, IN, V) + ForensicAnalysis(D, IN, V) ) · RegionArea(IN, V) · UncertaintyWidth(D, IN)
where V = IV / IN is the validation factor and D is the number of days before the first validation failure. We assume that D >> IN.
  Monochromatic: O( V · D^2 · IN )
  RGB: O( V · D · IN^2 )
  Polychromatic: O( ( V + lg IN ) · D )

20 Future Work
  Develop a stronger lower bound for this problem.
  Accommodate multi-locus and complex CEs.
  Differentiate postdating and backdating CEs.
  Implement forensic analysis in the validator.
  Consider the interaction between the transaction-time storage manager and the underlying WORM storage.

21 Summary
  We have presented a means of performing forensic analysis.
  We have introduced a graphical representation to visualize CEs, termed the corruption diagram.
  We have designed three forensic algorithms: Monochromatic, RGB and Polychromatic.

22 Acknowledgements NSF grants IIS , IIS and EIA and a grant from Microsoft provided partial support for this work.
