Forensix: Large-scale Tamper-resistant Computer Forensic Systems

Forensix：大规模防篡改计算机取证系统

• 批准号: 0529809
• 负责人: Wu-chang Feng
• 金额: $ 39.9万
• 依托单位: Portland State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2004
• 资助国家: 美国
• 起止时间: 2004-10-15 至 2006-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0529809&HistoricalAwards=false
• 关键词: Forensix; Large; scale; Tamper; resistant

Computer forensic systems are large-scale auditing systems that are complementary with on-line intrusion and anomaly detection and have been a relatively understudied field in network security. Whereas intrusion and anomaly detection systems attempt to do an active on-line analysis of events, forensic systems seek to log all of the information being processed for subsequent, off-line analysis. For the most part, computer forensics is still an ad-hoc activity that is applied to a system that has already been compromised.Leveraging the advances in computing, networking, and storage systems and building on the work within the IDS community, the project will build an experimental computer forensics system that will allow system administrators, law enforcement officials, and security experts to quickly and easily track down sources of security incidents after they have happened. There are a number of unique aspects of proposed approach including:(i) Actively tracking changes to the system being monitored at the operating system kernel level before an attack occurs to capture forensic data(ii) Backing the audit information to a locally connected logging host. This logging host exports only one service: the audit trail information from the host being monitored. All other access to the logging host is allowed only through the console. Thus, the logging host is a system that will provide extremely detailed system information.(iii) A database system to hold logging information. With an investigation of techniques for populating a database to allow advanced queries on the logging information. The goal of this is to allow complex queries to be performed while monitoring the system.The main questions to answer as a result of this research are:(i) Can a scalable proactive logging hosts be built to capture a large number of attacks?(ii) Can database technologies be used to actively mine fore malicious activities?(iii) How can file systems and database technologies be developed to support scalable logging?

计算机取证系统是与在线入侵和异常检测相辅相成的大规模审计系统，在网络安全领域一直是一个相对欠研究的领域。入侵和异常检测系统试图对事件进行主动的在线分析，而取证系统则试图记录正在处理的所有信息，以便进行后续的离线分析。在大多数情况下，计算机取证仍然是一个临时的活动，适用于一个系统，已经受到损害。利用先进的计算，网络和存储系统，并建立在IDS社区的工作，该项目将建立一个实验性的计算机取证系统，将允许系统管理员，执法官员，和安全专家，以便在安全事件发生后快速轻松地追踪其来源。所提出的方法有许多独特的方面，包括：（i）在攻击发生之前，在操作系统内核级别主动跟踪对被监视系统的更改，以捕获取证数据（ii）将审计信息备份到本地连接的日志主机。这个日志记录主机只导出一个服务：来自被监视主机的审计跟踪信息。对日志记录主机的所有其他访问只能通过控制台进行。因此，日志主机是将提供极其详细的系统信息的系统。(iii)保存日志信息的数据库系统。调查填充数据库以允许对日志信息进行高级查询的技术。这样做的目的是允许复杂的查询，同时监测system.The主要问题，以回答作为本研究的结果是：（i）可以建立一个可扩展的主动日志主机捕获大量的攻击？(ii)数据库技术可以用来主动挖掘恶意活动吗？(iii)如何开发文件系统和数据库技术来支持可伸缩日志记录？