Dealing with temporal inconsistency in automated computer forensic profiling

Computer profiling is the automated forensic examination of a computer system in order to provide a human investigator with a characterisation of the activities that have taken place on that system. As part of this process, the logical components of the computer system – components such as users, files and applications - are enumerated and the relationships between them discovered and reported. This information is enriched with traces of historical activity drawn from system logs and from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory thus compromising its value. This work examines the impact of temporal inconsistency in such information and discusses two types of temporal inconsistency that may arise – inconsistency arising out of the normal errant behaviour of a computer system, and inconsistency arising out of deliberate tampering by a suspect – and techniques for dealing with inconsistencies of the latter kind. We examine the impact of deliberate tampering through experiments conducted with prototype computer profiling software. Based on the results of these experiments, we discuss techniques which can be employed in computer profiling to deal with such temporal inconsistencies

Increased availability and scalability for clustered services via the wait time calculation, trust based filtering and redirection of TCP connection requests

The paper describes two new transport layer (TCP) options and an expanded transport layer queuing strategy that facilitate three functions that are fundamental to the dispatching-based clustered service. A transport layer option has been developed to facilitate. the use of client wait time data within the service request processing of the cluster. A second transport layer option has been developed to facilitate the redirection of service requests by the cluster dispatcher to the cluster processing member. An expanded transport layer service request queuing strategy facilitates the trust based filtering of incoming service requests so that a graceful degradation of service delivery may be achieved during periods of overload - most dramatically evidenced by distributed denial of service attacks against the clustered service. We describe how these new options and queues have been implemented and successfully tested within the transport layer of the Linux kernel

Detecting network-based obfuscated code injection attacks using sandboxing

Intrusion detection systems (IDSs) are widely recognised as the last line of defence often used to enable incident response when intrusion prevention mechanisms are ineffective, or have been compromised. A signature based network IDS (NIDS) which operates by comparing network traffic to a database of suspicious activity patterns (known as signatures) is a popular solution due to its ease of deployment and relatively low false positive (incorrect alert) rate. Lately, attack developers have focused on developing stealthy attacks designed to evade NIDS. One technique used to accomplish this is to obfuscate the shellcode (the executable component of an attack) so that it does not resemble the signatures the IDS uses to identify the attacks but is still logically equivalent to the clear-text attacks when executed. We present an approach to detect obfuscated code injection attacks, an approach which compensates for efforts to evade IDSs. This is achieved by executing those network traffic segments that are judged potentially to contain executable code and monitoring the execution to detect operating system calls which are a necessary component of any such code. This detection method is based not on how the injected code is represented but rather on the actions it performs. Correct configuration of the IDS at deployment time is crucial for correct operation when this approach is taken, in particular, the examined executable code must be executed in an environment identical to the execution environment of the host the IDS is monitoring with regards to both operating system and architecture. We have implemented a prototype detector that is capable of detecting obfuscated shellcodes in a Linux environment, and demonstrate how it can be used to detect new or previously unseen code injection attacks and obfuscated attacks as well as well known attacks

Machine-Independent Audit Trail Analysis – A Decision Support Tool for Continuous Audit Assurance

This paper reports the results of a research project which examines the feasibility of developing a machine-independent audit trail analyser (MIATA). MIATA is a knowledge based system which performs intelligent analysis of operating system audit trails. Such a system is proposed as a decision support tool for auditors when assessing the risk of unauthorised user activity in multi-user computer systems. It is also relevant to the provision of a continuous assurance service to clients by internal and external auditors. Monitoring user activity in system audit trails manually is impractical because of the vast quantity of events recorded in those audit trails. However, if done manually, an expert security auditor would be needed to look for 2 main types of events- user activity rejected by the system's security settings (failed actions) and user's behaving abnormally (e.g. unexpected changes in activity such as the purchasing clerk attempting to modify payroll data). A knowledge based system is suited to applications that require expertise to perform well-defined, yet complex, monitoring activities (e.g. controlling nuclear reactors and detecting intrusions in computer systems). To permit machine-independent intelligent audit trail analysis, an anomaly-detection approach i

Synapse : auto correlation and dynamic attack redirection in an immunologically-inspired IDS

Intrusion detection systems (IDS) perform an important role in the provision of network security, providing real- time notification of attacks in progress. One promising category of IDS attempts to incorporate into its design properties found in the natural immune system. Although previous attempts to apply immunology to intrusion detection have considered the issue of accuracy, more work still needs to be done. We present an immunologically-inspired intrusion detection model in which the false positive rate is moderated through a process of event correlation between multiple sensors. In addition, the model offers a novel response mechanism. Previous research has flirted with a variety of response mechanisms, including those that are capable of tearing down connections, killing processes and dynamically updating firewall rules. Although such mechanisms may prevent or at least mitigate an attack before its full impact is achieved, they work against the collection of information for investigatory or evidence purposes. To overcome this limitation, a response strategy is proposed in which the attack is dynamically redirected to an isolated host deployed as a honeypot. In this way, it becomes possible to mitigate the effects of the attack while at the same time study the attack itself