Selection and ranking of remote hosts for digital forensic investigation in a Cloud environment
Authors: G. Sibiya, Thomas Fogwill, H. Venter
Published in: 2013 Information Security for South Africa (ISSA), 21 October 2013
DOI: 10.1109/ISSA.2013.6641044 (https://doi.org/10.1109/ISSA.2013.6641044)
Citation count (Semantic Scholar): 4
Abstract. Cloud computing is a comparatively new computing paradigm that presents challenges for digital forensic investigators. Digital forensics is the branch of computer security that uses electronic evidence to build a criminal case or to troubleshoot an incident. Since the advent of Cloud computing, progress has been made on the problems it brought with it, security among them, but not every aspect of security has advanced at the same pace. Digital forensics in particular still lacks standards and appropriate tools that are applicable in the Cloud, and both are needed for evidence to be collected, preserved and analysed in a way that will support a conviction in a criminal case. This paper contributes to closing that gap by presenting an algorithm for the evidence identification phase of a digital forensic process. Data in a Cloud environment resides on the Internet or in a networked environment and is always accessed remotely, so there is at least one network connection to any host in a Cloud environment. For a system that hosts a Cloud service the number of client connections can be very large, and it is then hard to single out an attacker among the active and recently disconnected connections to the host. An investigator may have to probe every individual IP address connected to the host, which is time-consuming and costly. A mechanism is therefore needed that identifies and ranks the remote hosts connected to a victim host that may be associated with malicious activity. In this paper we present an algorithm that uses probabilities to identify and rank suspicious remote hosts connected to a victim host. The algorithm reduces the effort investigators spend probing each IP address connected to a victim, because the connected IP addresses are prioritised according to their rank.
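The abstract only states that the paper ranks connected remote hosts by a probability of being malicious; it does not give the model. The block below is an added illustration of the general idea and is not the authors' algorithm: it groups a constructed snapshot of active and recently closed connections (in the shape of a netstat/ss table) by remote IP, derives a few boolean indicators, and combines them with a naive-Bayes posterior so that an investigator can work down the list from most to least suspicious. The indicator set, the prior and the per-indicator likelihoods are assumptions chosen for the example, not measured values.

```python
"""Rank remote hosts connected to a victim host by a probabilistic suspicion
score. Added example: the indicators, prior and likelihoods are assumptions,
not the model from Sibiya, Fogwill and Venter (ISSA 2013)."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample (not real traffic): active and recently closed
# connections to the victim, as an investigator would pull from ss/netstat
# or a firewall's connection table.
# (remote_ip, remote_port, local_port, state, duration_seconds)
CONNECTIONS: List[Tuple[str, int, int, str, int]] = [
    ("198.51.100.7", 40001, 443, "ESTABLISHED", 620),
    ("198.51.100.7", 40002, 443, "TIME_WAIT", 300),
    ("192.0.2.10", 50010, 22, "TIME_WAIT", 2),
    ("192.0.2.10", 50011, 22, "TIME_WAIT", 1),
    ("192.0.2.10", 50012, 22, "TIME_WAIT", 2),
    ("192.0.2.10", 50013, 22, "TIME_WAIT", 1),
    ("192.0.2.10", 50014, 22, "ESTABLISHED", 3),
    ("192.0.2.10", 50015, 3306, "TIME_WAIT", 1),
    ("203.0.113.5", 60100, 22, "ESTABLISHED", 1800),
    ("203.0.113.99", 61000, 443, "ESTABLISHED", 45),
]

# Assumed: ports whose exposure to an unknown remote host raises suspicion.
ADMIN_PORTS = {22, 3389, 3306, 5432, 5900}

# Assumed prior P(malicious) and per-indicator likelihoods
# (P(indicator | malicious), P(indicator | benign)). Illustrative only.
PRIOR_MALICIOUS = 0.05
LIKELIHOODS: Dict[str, Tuple[float, float]] = {
    "many_conns": (0.80, 0.10),   # >= 5 connections in the snapshot
    "admin_port": (0.70, 0.20),   # touched an administrative service
    "short_lived": (0.75, 0.15),  # median connection lasted < 5 s
    "multi_port": (0.60, 0.05),   # touched several local ports (scan-like)
}


def extract_indicators(records) -> Dict[str, Dict[str, bool]]:
    """Group connections by remote IP, including recently closed ones
    (TIME_WAIT), and derive the boolean indicators per remote host."""
    by_ip = defaultdict(list)
    for ip, _rport, lport, _state, duration in records:
        by_ip[ip].append((lport, duration))
    indicators = {}
    for ip, conns in by_ip.items():
        local_ports = {p for p, _ in conns}
        durations = [d for _, d in conns]
        indicators[ip] = {
            "many_conns": len(conns) >= 5,
            "admin_port": any(p in ADMIN_PORTS for p in local_ports),
            "short_lived": median(durations) < 5,
            "multi_port": len(local_ports) >= 2,
        }
    return indicators


def posterior_malicious(flags: Dict[str, bool]) -> float:
    """Naive-Bayes posterior P(malicious | indicators), treating the
    indicators as conditionally independent given the class."""
    p_mal, p_ben = PRIOR_MALICIOUS, 1.0 - PRIOR_MALICIOUS
    for name, present in flags.items():
        l_mal, l_ben = LIKELIHOODS[name]
        if present:
            p_mal *= l_mal
            p_ben *= l_ben
        else:
            p_mal *= 1.0 - l_mal
            p_ben *= 1.0 - l_ben
    return p_mal / (p_mal + p_ben)


def rank_remote_hosts(records) -> List[Tuple[str, float]]:
    """Return (remote_ip, P(malicious)) pairs, most suspicious first."""
    scored = [(ip, posterior_malicious(flags))
              for ip, flags in extract_indicators(records).items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for ip, prob in rank_remote_hosts(CONNECTIONS):
        print(f"{ip:<15} P(malicious) = {prob:.4f}")
```

Including TIME_WAIT entries matters: in the sample the scanning host has only one connection still established, and a ranking built from active connections alone would see most of its activity vanish. The output order is the investigator's probe order; hosts with identical indicators tie, so the list shortens the search but does not replace examining the top candidates.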