Adaptive evidence collection in the cloud using attack scenarios

Pasquale, Liliana; Hanvey, Sorren; Mcgloin, Mark; Nuseibeh, Bashar

doi:10.1016/j.cose.2016.03.001

Cited by 27 publications

(19 citation statements)

References 19 publications

(27 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, in large scale environments like cloud systems, monitoring all potential evidence is not a viable solution, as it might be cumbersome to analyse. Pasquale et al [37] propose a more targeted approach, where evidence preservation activities aim to detect potential attack scenarios that can violate existing security policies. However, this approach is less selective as it prescribe to preserve any type of event within a history leading to an incident, independently of other events that have previously occurred or preserved.…”

Section: Related Workmentioning

confidence: 99%

On evidence preservation requirements for forensic-ready systems

Alrajeh

Pasquale

Nuseibeh

2017

Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

Self Cite

View full text Add to dashboard Cite

Forensic readiness denotes the capability of a system to support digital forensic investigations of potential, known incidents by preserving in advance data that could serve as evidence explaining how an incident occurred. Given the increasing rate at which (potentially criminal) incidents occur, designing software systems that are forensic-ready can facilitate and reduce the costs of digital forensic investigations. However, to date, little or no attention has been given to how forensic-ready software systems can be designed systematically. In this paper we propose to explicitly represent evidence preservation requirements prescribing preservation of the minimal amount of data that would be relevant to a future digital investigation. We formalise evidence preservation requirements and propose an approach for synthesising specifications for systems to meet these requirements. We present our prototype implementationbased on a satisfiability solver and a logic-based learner-which we use to evaluate our approach, applying it to two digital forensic corpora. Our evaluation suggests that our approach preserves relevant data that could support hypotheses of potential incidents. Moreover, it enables significant reduction in the volume of data that would need to be examined during an investigation.

show abstract

Section: Related Workmentioning

confidence: 99%

On evidence preservation requirements for forensic-ready systems

Alrajeh

Pasquale

Nuseibeh

2017

Proceedings of the 2017 11th Joint Meeting on Foundations of Software Engineering

Self Cite

View full text Add to dashboard Cite

show abstract

“…Pasquale et al [19] propose an evidence collection approach aimed to adaptively identify relevant evidence that should be collected proactively by IaaS (Infrastructure as a Service) cloud service providers. This evidence is identified from potential attack scenarios that may exploit well known vulnerabilities, such as those documented in the Common Vulnerabilities Exposures CVE dictionary.…”

Section: Forensic Readiness Requirementsmentioning

confidence: 99%

Software Engineering Challenges for Investigating Cyber-Physical Incidents

Alrimawi¹,

Pasquale²,

Nuseibeh³

2017

2017 IEEE/ACM 3rd International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS)

Self Cite

View full text Add to dashboard Cite

Cyber-Physical Systems (CPS) are characterized by the interplay between digital and physical spaces. This characteristic has extended the attack surface that could be exploited by an offender to cause harm. An increasing number of cyber-physical incidents may occur depending on the configuration of the physical and digital spaces and their interplay. Traditional investigation processes are not adequate to investigate these incidents, as they may overlook the extended attack surface resulting from such interplay, leading to relevant evidence being missed and testing flawed hypotheses explaining the incidents. The software engineering research community can contribute to addressing this problem, by deploying existing formalisms to model digital and physical spaces, and using analysis techniques to reason about their interplay and evolution. In this paper, we use a motivating example to describe some emerging software engineering challenges to support investigations of cyberphysical incidents. We review and critique existing research proposed to address these challenges, and sketch an initial solution based on a meta-model to represent cyber-physical incidents and a representation of the topology of digital and physical spaces that supports reasoning about their interplay.

show abstract

“…Moreover, the former approach is not preserved in cases where the CSP itself is dishonest or the logger in the cloud is malicious. Most of the mechanisms use chaining methods of encryption to preserve the logs that an external attacker cannot access or modify the log traces …”

Section: Introductionmentioning

confidence: 99%

“…Most of the mechanisms use chaining methods of encryption to preserve the logs that an external attacker cannot access or modify the log traces. [8][9][10] In order to deal with such challenges, secure logging scheme is proposed to store the logs in a secure manner. Since the data remaining in VMs are volatile in nature, the proposed scheme collects the logs in central physical storage to resolve the volatility issues of logs.…”

mentioning

confidence: 99%

Secure logging scheme for forensic analysis in cloud

Sree

Bhanu

2019

Concurrency and Computation

View full text Add to dashboard Cite

Summary Cloud computing has emerged as a prominent technology that provides reliable on‐demand cloud services to users. Among the various kind of attacks, Distributed Denial of Service (DDoS) attack is one of the major application layer attacks that target the resources and services running in the cloud. Due to the distributed nature of attacks or crimes in the cloud, the evidence are collected from various components such as the router, switches, hard disk, log traces, and virtual machines. An attacker may collude with the cloud provider or investigators to tamper the log files or by inserting false information or by deleting the malicious activity logs altogether by leaving no trace. Hence, security is the major concern in cloud wherein investigation of crimes and attacks are very difficult. Collecting logs from the cloud providers is very hard since many users share the same network resources and the investigators rely on the providers to access the information. Therefore, in order to preserve the confidentiality, integrity, and authentication of logs, secure logging scheme is proposed to preserve the logs for forensic investigation. This paper highlights the secure logging scheme by extracting the features from logs of all virtual machine instances by double encryption scheme and also deals the integrity of the logs using hashing and verifies the signatures using Bloom filter–based R tree (BR tree). Furthermore, the verification is performed using Shamir Secret Sharing (SSS) scheme, and it is responsible for sharing the secret (private) keys to all the three parties, ie, user, investigator, and cloud providers. It is inferred from the experimental results that the proposed scheme requires minimal log processing time, minimal verification time for inserting logs, stores logs in time, and space efficient manner and scalable than existing methods.

show abstract

Adaptive evidence collection in the cloud using attack scenarios

Cited by 27 publications

References 19 publications

On evidence preservation requirements for forensic-ready systems

On evidence preservation requirements for forensic-ready systems

Software Engineering Challenges for Investigating Cyber-Physical Incidents

Secure logging scheme for forensic analysis in cloud

Contact Info

Product

Resources

About