Theory and practice of proactive database forensics

Bibliographic Details
Title: Theory and practice of proactive database forensics
Authors: Flores Armas, Denys
Publisher Information: University of Warwick, 2019.
Publication Year: 2019
Collection: University of Warwick
Subject Terms: QA76 Electronic computers. Computer science. Computer software
Description: Whilst external threats such as malware infections and SQL injection are usually attributed to cybercriminals (outsiders), trusted employees (insiders) with privileged access credentials to information assets have become carriers of internal threats. In fact, uncontrolled insider activity has made it very difficult to determine whether the confidentiality and integrity of a database have been compromised by outsiders or by malicious insiders. This research discusses the relationship between insider credential misuse and the potential contamination of transactional databases, which, on the one hand, could be used to legitimise illegal actions and, on the other, might affect the normal operation of audit controls set on transactional databases. We argue that both threats result from the lack of role segregation in databases, which may allow highly skilled insiders to misuse their access credentials and conveniently disable audit mechanisms to cover their tracks. Furthermore, we also state that even if enough audit records could be produced to enforce insider accountability, their legal admissibility as forensic evidence may be challenged if Chain-of-Custody (CoC) is not properly justified during their production. Therefore, as a solution, this thesis presents the theoretical and practical foundations for adopting a proactive approach to database forensics. Our work introduces a novel forensics-aware database architecture, designed to produce admissible audit records during its normal operation. We begin by providing an exhaustive analysis of internal and external threats to identify plausible attack scenarios that can be properly attributed to either outsider attackers or insider adversaries. Then, based on this threat analysis, forensic controllers are implemented as the architecture's core functionality for the generation, collection, and preservation of admissible audit records, assuming role segregation, provenance, timeline construction and causality as CoC-based system properties. For timeline construction, logical clocks are used as timekeeping mechanisms for timestamping the occurrence of DML operations: a Vector Clock (VC) mechanism in a centralised environment, and a Hybrid Logical Clock (HLC) in its distributed counterpart. Finally, experimental results demonstrate the architecture's resilience against insider credential misuse and its acceptable performance in terms of system latency under low and high transactional workloads.
Document Type: Electronic Thesis or Dissertation
Language: English
Access URL: https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.828107
Accession Number: edsble.828107
Database: British Library EThOS