Theory and practice of proactive database forensics
Whilst external threats such as malware infections and SQL injection, are usually attributed to cybercriminals (outsiders), trusted employees (insiders) with privileged access credentials to information assets have become carriers of internal threats. In fact, uncontrolled insider activity has made...
| Main Author: | |
|---|---|
| Format: | Thesis |
| Language: | unknown |
| Published: |
2019
|
| Subjects: | |
| Online Access: | http://wrap.warwick.ac.uk/151529/ http://wrap.warwick.ac.uk/151529/1/WRAP_Theses_Flores_Armas_2019.pdf http://webcat.warwick.ac.uk/record=b3501449~S15 |
| Summary: | Whilst external threats such as malware infections and SQL injection, are usually attributed to cybercriminals (outsiders), trusted employees (insiders) with privileged access credentials to information assets have become carriers of internal threats. In fact, uncontrolled insider activity has made it very difficult to differentiate if the confidentiality and integrity of a database could have been either compromised by outsiders, or could be attributed to malicious insiders. This research discusses the relationship between insider credential misuse and the potential contamination of transactional databases which, on the one hand, could be used to legitimise illegal actions, and on the other, might affect the normal operation of audit controls set on transactional databases. We argue that both threats are a result of the lack of role segregation in databases which may allow highly-skilled insiders to misuse their access credentials, and conveniently disable audit mechanisms to cover their footprints. Furthermore, we also state that even if enough audit records could be produced to enforce insider accountability, their legal admissibility as forensic evidence may be challenged if Chain-of-Custody (CoC) is not properly justified during their production. Therefore, as a solution, the theoretical and practical foundations towards adopting a proactive approach to database forensics is presented in this thesis. Our work introduces a novel forensics-aware database architecture, designed to produce admissible audit records during its normal operation. We begin providing an exhaustive analysis of internal and external threats to identify plausible attack scenarios which can be properly attributed to either outsider attackers, or insider adversaries. Then, based on this threat analysis, forensic controllers are implemented to operate as the architecture’s core functionality for the generation, collection, and preservation of admissible audit records, assuming role segregation, provenance, timeline construction and causality as CoC-based system properties. For timeline construction, logical clocks are used as time keeping mechanisms for timestamping the occurrence of DML operations, having a Vector Clock (VC) mechanism operating in a centralised environment, and a Hybrid Logical Clock (HLC) in its distributed counterpart. Finally, experimental results demonstrate the architecture’s resilience against insider credential misuse and its acceptable performance in terms of system latency under low and high transactional workload. |
|---|