Computer forensic systems are large-scale auditing systems that are complementary to on-line intrusion and anomaly detection and have been a relatively understudied field in network security. Whereas intrusion and anomaly detection systems attempt to do an active on-line analysis of events, forensic systems seek to log all of the information being processed for subsequent, off-line analysis. For the most part, computer forensics is still an ad-hoc activity that is applied to a system that has already been compromised.
Leveraging the advances in computing, networking, and storage systems and building on the work within the IDS community, the project will build an experimental computer forensics system that will allow system administrators, law enforcement officials, and security experts to quickly and easily track down sources of security incidents after they have happened. There are a number of unique aspects of the proposed approach, including: (i) Actively tracking changes to the system being monitored at the operating system kernel level before an attack occurs, so that forensic data is captured rather than reconstructed afterwards. (ii) Backing up the audit information to a locally connected logging host. This logging host exports only one service: receiving the audit trail information from the host being monitored. All other access to the logging host is allowed only through the console. Thus, the logging host is a system that will provide extremely detailed system information while presenting a minimal attack surface of its own. (iii) A database system to hold the logging information, together with an investigation of techniques for populating that database so that advanced queries can be run over the logging information. The goal is to allow complex queries to be performed while the system is being monitored.
The main questions to answer as a result of this research are: (i) Can a scalable, proactive logging host be built to capture a large number of attacks? (ii) Can database technologies be used to actively mine the audit trail for malicious activities? (iii) How can file systems and database technologies be developed to support scalable logging?
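To make the approach concrete, the following is an added example (not code from the project described above) of the logging-host side: forwarded kernel-level audit records are loaded into an append-only database table and then mined with queries that link a process's execution to the files it later modified. The record fields, the sample records and the function names are all assumptions made for the illustration, not a real kernel audit format.

```python
import sqlite3

# Constructed sample of audit records as the monitored host would forward
# them to the logging host: (timestamp, pid, uid, syscall, path).
# These values are made up for the example.
SAMPLE_AUDIT = [
    (1000, 501, 1000, "open_write", "/home/alice/notes.txt"),
    (1005, 777, 0, "execve", "/tmp/unknown_bin"),
    (1006, 777, 0, "open_write", "/etc/passwd"),
    (1007, 777, 0, "open_write", "/etc/ld.so.preload"),
    (1020, 502, 1000, "open_read", "/etc/passwd"),
]

def build_audit_db(records):
    """Load forwarded audit records into the logging host's database.

    The audit table is append-only: triggers abort any UPDATE or DELETE,
    so the trail cannot be rewritten through the database interface even
    if an attacker reaches the query service.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE audit (
            id INTEGER PRIMARY KEY, ts INTEGER NOT NULL, pid INTEGER NOT NULL,
            uid INTEGER NOT NULL, syscall TEXT NOT NULL, path TEXT NOT NULL);
        CREATE TRIGGER no_update BEFORE UPDATE ON audit
            BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
        CREATE TRIGGER no_delete BEFORE DELETE ON audit
            BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
    """)
    conn.executemany("INSERT INTO audit(ts, pid, uid, syscall, path) "
                     "VALUES (?, ?, ?, ?, ?)", records)
    conn.commit()
    return conn

def writes_under(conn, prefix, since=0):
    """Which (pid, uid, path) wrote below `prefix` at or after time `since`."""
    return conn.execute(
        "SELECT pid, uid, path FROM audit WHERE syscall = 'open_write' "
        "AND path LIKE ? AND ts >= ? ORDER BY ts", (prefix + "%", since)).fetchall()

def executed_then_wrote(conn, prefix):
    """Self-join: binaries whose execution preceded a write below `prefix` by the same pid."""
    return conn.execute(
        "SELECT e.path, w.path FROM audit e JOIN audit w ON e.pid = w.pid "
        "WHERE e.syscall = 'execve' AND w.syscall = 'open_write' "
        "AND w.path LIKE ? AND w.ts > e.ts ORDER BY w.ts", (prefix + "%",)).fetchall()

def tamper_rejected(conn):
    """True if an attempt to delete records from the trail is refused."""
    try:
        conn.execute("DELETE FROM audit WHERE pid = 777")
    except sqlite3.DatabaseError:
        return True
    return False
```

Running the queries on the sample shows the unknown binary executed by pid 777 and the two files under /etc it subsequently modified, while the delete attempt is refused and all five records remain.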