Publication


Featured research published by Slim Rekhis.


IEEE Transactions on Information Forensics and Security | 2012

A System for Formal Digital Forensic Investigation Aware of Anti-Forensic Attacks

Slim Rekhis; Noureddine Boudriga

To defeat the process of investigation and make the analysis and reconstruction of attack scenarios difficult, challenging, or even impossible, attackers are motivated by conducting anti-forensic attacks. Several methods were proposed by the literature to formally reconstruct the sequence of events executed during the incident using theoretical and scientifically proven methods. However, these methods are not tailored to cope with anti-forensic attacks, as they assume that the collected evidence is trusted, do not model anti-forensic actions, and do not characterize provable anti-forensic attacks based on the knowledge of attacks, security solutions, and forms of evidence expected to be generated. We develop in this work a theoretical approach of digital investigation aware of anti-forensic attacks. After describing an investigation process which is able to address these attacks, we develop a state-based logic to describe the investigated system, the deployed security solution, the evidence they provide, and the library of attacks. An inference system is proposed to mitigate anti-forensic attacks and generate potential scenarios starting from traces that were targeted by these attacks. To exemplify the proposal, we provide a case study related to the investigation of an incident that exhibited anti-forensic attacks.


mathematical methods models and architectures for network security systems | 2005

A temporal logic-based model for forensic investigation in networked system security

Slim Rekhis; Noureddine Boudriga

Research in computer and network forensic investigation has recently addressed the development of procedural guidelines, technical documents, and semi-automation tools. It has however omitted the need of formal proof. This work provides a novel approach that formalizes and automates the proof in digital forensic investigation. First, it brings out a formal logic-based language, called S-TLA+, to enable reasoning on systems with uncertainty, by adding forward hypotheses to fulfill potential lack of details. S-TLA+ is suitable for the description of evidences, as well as elementary scenarios fragments representing the investigators knowledge. Secondly, the proposal provides an automated verification tool, S-TLC, to prove the correctness of S-TLA+ specifications. It checks whether there are possible hacking scenarios that meet the available digital evidences, and explores additional evidences. To demonstrate its effectiveness, the formalized analysis is applied on a compromised host.


International Journal of Security and Networks | 2009

Visibility: a novel concept for characterising provable network digital evidences

Slim Rekhis; Noureddine Boudriga

Providing a formal method of digital investigation happened to be of utmost importance, as it allows to: demonstrate the absence of design weaknesses in the used technique; analyse the security incident with an accurate manner; provide non refutable proofs regarding the obtained results. We provide in this work a new formal concept, entitled Visibility, and we develop its relation with network digital investigation, particularly the investigation of source address spoofing attacks. To demonstrate the effectiveness of our visibility-based theory, we use it in conjunction with an efficient traceback technique to prove IP spoofing attacks occurrence and identify their source.


Computers & Security | 2011

Logic-based approach for digital forensic investigation in communication Networks

Slim Rekhis; Noureddine Boudriga

In this paper, we provide a logic for digital investigation of security incidents and its high-level-specification language. The logic is used to prove the existence or non-existence of potential attack scenarios which, if executed on the investigated system, would produce the different forms of specified evidence. To generate executable attack scenarios showing with details how the attack scenario was conducted and how the system behaved accordingly, we develop in this paper a Model Checker tool which provides tolerance to unknown attacks and integrates a technique for hypothetical actions generation.


network computing and applications | 2009

Digital Investigation of Wormhole Attacks in Wireless Sensor Networks

Bayrem Triki; Slim Rekhis; Noureddine Boudriga

Several solutions were proposed by the literature to detect wormhole attacks in wireless sensor networks (WSN) but, to the best of our knowledge, none of them has taken interest to the problem of digital investigation. We propose in this paper a solution for digital investigation of wormhole attacks in WSN. An observed WSN is defined to support generation and secure forwarding of evidences regarding sensor nodes behavior in the network. A set of investigator nodes, called observers, are distributed over the network in charge of monitoring the network topology and datagram forwarding by sensor nodes. A set of algorithms are proposed to aggregate the collected evidences, identify colluding nodes, and reconstruct the potential scenarios of wormholes attacks.


2010 Fifth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering | 2010

Formal Digital Investigation of Anti-forensic Attacks

Slim Rekhis; Noureddine Boudriga

One of the major interests perceived by research in digital forensic investigation is the development of theoretical and scientifically proven methods of incident analysis. However, two main problems, which remain unsolved by the literature, could lead the formal incident analysis to be inconclusive. The former is related to the absence of techniques to cope with anti-forensic attacks and reconstruction of scenarios when evidences are compromised by these attacks. The latter is related to lack of theoretical techniques, usable during the system preparation (a phase which precedes the occurrence of an incident) to assess whether the evidence to be generated would be sufficient to prove relevant events that occurred on the compromised system in the presence of anti-forensic attacks. The aim of this research is to develop a theoretical technique of digital investigation which copes with anti-forensic attacks. After developing a formal logic-based model which allows to describe complex investigated systems and generated evidences under different levels of abstractions, we extend the concept of Visibility [1] to characterize situations where anti-forensic attacks would be provable and traces regarding actions hidden by these attacks would become identified. A methodology showing the use of Visibility properties during investigation of anti-forensic attacks is described, and a case study, which exemplifies the proposal, is provided.


international conference on information and communication technologies | 2008

A Formal Approach for the Reconstruction of Potential Attack Scenarios

Slim Rekhis; Noureddine Boudriga

In this paper, we provide a logic for digital investigation of security incidents and its high level-specification language. The logic is used to prove the existence or non-existence of potential attack scenarios which, if executed on the investigated system, would produce the different forms of specified evidences. To generate executable attack scenarios showing with details how the attack scenario was conducted and how the system behaved accordingly, we develop in this paper a Model Checker tool which provides tolerance to unknown attacks and integrates a technique for hypothetical actions generation.


joint ifip wireless and mobile networking conference | 2013

A privacy preserving solution for the protection against sybil attacks in vehicular ad hoc networks

Bayrem Triki; Slim Rekhis; M'hamed Chammem; Noureddine Boudriga

Services provided by Vehicular Ad hoc Networks (VANETs) would be impaired if faced to sybil attacks, by which malicious vehicles claim multiple identities at the same time. The prevention of these attacks, which could occur in or out of the Road Side Units (RSUs) coverage, is challenging, as it should meet a compromise between the ability to identify the real identity of the malicious vehicle, and prevention of vehicles from being tracked by malicious entities. We propose in this paper a solution to prevent and detect Sybil attacks in VANETs. The identification of attackers is based on two types of authentication techniques. The first uses RFID tags embedded in the vehicle to authenticate them to the RSU and obtain short lifetime certificates. The second uses certificates to authenticate vehicles to their neighbors. The vehicular network we are considering is divided into different zones brought under the control of different certification authorities, forcing a vehicle to change its certificate when moving from a zone to another. One important characteristic of the proposed solution is that it prevents attackers from tracking the mobility of the vehicles. Avoiding false negatives is also addressed using observers (e.g., software components in charge of monitoring) in vehicle nodes. A set of simulation scenarios are conducted to evaluate the performance of the solution.


2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering | 2009

A Formal Rule-Based Scheme for Digital Investigation in Wireless Ad-hoc Networks

Slim Rekhis; Noureddine Boudriga

Existing investigation schemes are not suitable to cope with attacks in wireless networks, especially in MANet. We propose in this paper a formal approach for digital investigation of security attacks in wireless networks. We provide a model for describing attack scenarios in wireless environment, and system and network evidences generated consequently. We develop an inference system that integrates the two types of evidences, handles incompleteness and duplication of information in them, and allows to generate potential and provable actions and attack scenarios. To exemplify the proposal, we consider a case study dealing with a Denial of Service attack on a web server, where the attacker and the target represent mobile nodes.


2008 Third International Workshop on Systematic Approaches to Digital Forensic Engineering | 2008

Cognitive-Maps Based Investigation of Digital Security Incidents

Slim Rekhis; Jihene Krichene; Noureddine Boudriga

Investigation of security incidents is of great importance as it allows to trace back the actions taken by the intruders. In this paper we develop a formal technique for digital investigation based on the use of Incident Response Probabilistic Cognitive Maps. Three main issues are addressed here: (1) construction and extraction of plausible known attack scenarios, (2) construction of hypothetical scenarios and their validation using a logic-based formalism, and (3) selection of optimal counter-measures addressing the detected attacks.
