Theory and practice of proactive database forensics


Bibliographic Details

Main Author: Flores Armas, Denys
Format: Thesis (PhD thesis, University of Warwick)
Language: unknown
Published: 2019
Subjects:
DML
QA76 Electronic computers. Computer science. Computer software
Online Access: http://wrap.warwick.ac.uk/151529/
http://wrap.warwick.ac.uk/151529/1/WRAP_Theses_Flores_Armas_2019.pdf
http://webcat.warwick.ac.uk/record=b3501449~S15

Institution: Open Polar
Collection: The University of Warwick: WRAP - Warwick Research Archive Portal

Description:

Whilst external threats such as malware infections and SQL injection are usually attributed to cybercriminals (outsiders), trusted employees (insiders) with privileged access credentials to information assets have become carriers of internal threats. In fact, uncontrolled insider activity has made it very difficult to determine whether the confidentiality and integrity of a database were compromised by outsiders or whether the compromise should be attributed to malicious insiders. This research discusses the relationship between insider credential misuse and the potential contamination of transactional databases which, on the one hand, could be used to legitimise illegal actions and, on the other, might affect the normal operation of the audit controls set on those databases. We argue that both threats result from the lack of role segregation in databases, which may allow highly skilled insiders to misuse their access credentials and conveniently disable audit mechanisms to cover their footprints. Furthermore, we also state that even if enough audit records could be produced to enforce insider accountability, their legal admissibility as forensic evidence may be challenged if Chain-of-Custody (CoC) is not properly justified during their production.

Therefore, as a solution, the theoretical and practical foundations for adopting a proactive approach to database forensics are presented in this thesis. Our work introduces a novel forensics-aware database architecture, designed to produce admissible audit records during its normal operation. We begin by providing an exhaustive analysis of internal and external threats to identify plausible attack scenarios which can be properly attributed to either outsider attackers or insider adversaries. Then, based on this threat analysis, forensic controllers are implemented to operate as the architecture's core functionality for the generation, collection and preservation of admissible audit records, assuming role segregation, provenance, timeline construction and causality as CoC-based system properties. For timeline construction, logical clocks are used as timekeeping mechanisms for timestamping the occurrence of DML operations: a Vector Clock (VC) mechanism operates in the centralised environment, and a Hybrid Logical Clock (HLC) in its distributed counterpart. Finally, experimental results demonstrate the architecture's resilience against insider credential misuse and its acceptable performance in terms of system latency under low and high transactional workloads.

Citation: Flores Armas, Denys (2019) Theory and practice of proactive database forensics. PhD thesis, University of Warwick.