Forensix: Large-scale Tamper-resistant Computer Forensic Systems

Forensix：大规模防篡改计算机取证系统

• 批准号: 0529809
• 负责人: Wu-chang Feng
• 金额: $ 39.9万
• 依托单位: Portland State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2004
• 资助国家: 美国
• 起止时间: 2004-10-15 至 2006-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0529809&HistoricalAwards=false
• 关键词: Forensix; Large; scale; Tamper; resistant

Computer forensic systems are large-scale auditing systems that are complementary with on-line intrusion and anomaly detection and have been a relatively understudied field in network security. Whereas intrusion and anomaly detection systems attempt to do an active on-line analysis of events, forensic systems seek to log all of the information being processed for subsequent, off-line analysis. For the most part, computer forensics is still an ad-hoc activity that is applied to a system that has already been compromised.Leveraging the advances in computing, networking, and storage systems and building on the work within the IDS community, the project will build an experimental computer forensics system that will allow system administrators, law enforcement officials, and security experts to quickly and easily track down sources of security incidents after they have happened. There are a number of unique aspects of proposed approach including:(i) Actively tracking changes to the system being monitored at the operating system kernel level before an attack occurs to capture forensic data(ii) Backing the audit information to a locally connected logging host. This logging host exports only one service: the audit trail information from the host being monitored. All other access to the logging host is allowed only through the console. Thus, the logging host is a system that will provide extremely detailed system information.(iii) A database system to hold logging information. With an investigation of techniques for populating a database to allow advanced queries on the logging information. The goal of this is to allow complex queries to be performed while monitoring the system.The main questions to answer as a result of this research are:(i) Can a scalable proactive logging hosts be built to capture a large number of attacks?(ii) Can database technologies be used to actively mine fore malicious activities?(iii) How can file systems and database technologies be developed to support scalable logging?

计算机取证系统是大规模审计系统，与在线入侵和异常检测相辅相成，一直是网络安全领域研究相对较少的领域。入侵和异常检测系统试图对事件进行主动的在线分析，而取证系统则试图记录正在处理的所有信息以供后续离线分析。在大多数情况下，计算机取证仍然是一项临时活动，适用于已受到损害的系统。利用计算、网络和存储系统的进步并以 IDS 社区内的工作为基础，该项目将建立一个实验性计算机取证系统，使系统管理员、执法官员和安全专家能够在安全事件发生后快速轻松地追踪其来源。所提出的方法有许多独特的方面，包括：（i）在攻击发生之前主动跟踪在操作系统内核级别监视的系统的变化以捕获取证数据（ii）将审核信息备份到本地连接的日志主机。该日志主机仅导出一项服务：来自被监视主机的审计跟踪信息。仅允许通过控制台对日志记录主机进行所有其他访问。因此，日志主机是一个将提供极其详细的系统信息的系统。(iii) 保存日志信息的数据库系统。研究填充数据库的技术，以允许对日志信息进行高级查询。这样做的目的是允许在监控系统的同时执行复杂的查询。这项研究的结果是要回答的主要问题是：（i）是否可以构建可扩展的主动日志记录主机来捕获大量攻击？（ ii) 数据库技术能否用于主动挖掘恶意活动？(iii) 如何开发文件系统和数据库技术来支持可扩展的日志记录？