1. I would like to thank Louis P. Wilder and Dr. Joseph Trien for the opportunity to work on this project and for their continued support. The Research Alliance in Math and Science program is sponsored by the Office of Advanced Scientific Computing Research, U.S. Department of Energy. The work was performed at the Oak Ridge National Laboratory, which is managed by UT-Battelle, LLC under Contract No. De-AC05-00OR22725. This work has been authored by a contractor of the U.S. Government, accordingly, the U.S. Government retains a nonexclusive, royalty-free license to publish or reproduce the published form of this contribution, or allow others to do so, for U.S. Government purposes. Attack Graphs for Proactive Digital Forensics Tara L. McQueen Delaware State University Research Alliance in Math and Science Computational Sciences and Engineering Division Mentor: Louis P. Wilder http://wiki.ornl.gov/sites/rams09/t_mcqueen/Pages/default.aspx Cyber Security Maintaining confidentiality, availability and access of information Identifying legitimate Users Requests Tasks Preserving information integrity Mending network vulnerabilities Cyber Protection Growing need as fraudulent activity increases Affecting industries dependent on Networks Computer Systems Internet Hacking Gaining unauthorized Access Control Data Using technical knowledge and exposed information Cleaning tracks Preventing is difficult and expensive USB Exploits Take milliseconds to initiate (in and out) Collect confidential documents Send worm through network Execute applications automatically Easy to develop, retrieve and unleash Occur unknowingly Proactive Digital Forensics Anticipating hacker/exploit path Detecting hacker/exploit in progress Collecting proper data immediately for judicial efforts Enhancing security Attack Graphs Communicate information about threats Display combinations of vulnerabilities Show vulnerabilities as vertices Express hierarchical constraints via edges USB Exploit Attack Graph Theoretical Proactive Design All computers/nodes on network use Splunk Splunk’s additional behavior configurations stem from attack graphs Attack graphs designed for all known exploits Plug-in device triggered Real-time alerts sent after trigger Instant in depth recording of “suspicious” activity Splunk Analyzes/monitors IT infrastructure Records and indexes data Logs Configurations Scripts Alerts Messages Operates in real-time Search, navigate, graph and report data Splunk with Attack Graphs Targets specific attacks paths Allows unlimited attack types Provides systematic and proactive approach Event logs and Registry Standard on Windows Monitors events Application Security System Identifies operations and information Essential for Attack Graph Purpose Increase cyber security and protection Identify possible cyber attacks as they occur Examine Universal Serial Bus (USB) exploits Create attack graph of USB exploit Explore event logs and registry data Investigate theoretical proactive design Future work Create plug-in Implement design on test network Run trial exploit Research and prepare other exploits/attacks Fig. 1 USB exploit attack graph Fig. 2 Windows XP Event Viewer Fig. 4 Proactive Digital Forensic Design Fig. 3 Splunk