
Systematic Approaches to Forensic Analysis, Information Disclosure, and Auditing Elections
Date: Friday, May 1, 2009
Time: 11:30am - 12:30pm
Location: LBNL Bldg. 50F, Room 1647

Speaker:
Sean Peisert
Department of Computer Science
University of California, Davis

Abstract:

Many scenarios exist where risk and trust, and security and
usability, are in conflict and cannot be resolved using traditional
protection matrices. In such cases, tightening security can make a
system less usable for legitimate users, or potentially even less
secure by denying essential access to critical resources. But
loosening security can open a system to risk from insiders. In some
cases, if it were possible to have reasonable assurance that an
event could be reconstructed in a post mortem investigation, then
security policies could be partially loosened: the event is
allowed, but the action is logged.

A lot of "forensic" data gets collected, but most of it is useless
for accurately, or even measurably, understanding what happened
previously on a computer system. Forensic techniques could have
broad applications: analyzing attacks, demonstrating compliance,
serving as legal evidence, and particularly analyzing the behavior
of insiders, where typical access control and intrusion detection
techniques would prevent legitimate users from doing their jobs.
However, current forensic techniques have limited usefulness.

Our research has sought to enable analysis of many types of attacks,
including multi-step intrusions, insider attacks, worms, and
client-side scripting exploits. We have focused on systematic
approaches to forensic logging and analysis, with the goal of making
system and network audit logs more useful and usable. Our goal is to
record better, potentially useful data specifically designed for
forensic analysis, as opposed to simply high-level debugging,
performance measurement, or accounting. We do this by turning the
typical procedure around and asking, "given a set of intrusions,
what data do we need to record in order to analyze those
intrusions?" We also ask, "given a system instrumented normally to
record a set of data, what intrusions can we analyze?"

Finally, we have also begun turning the question around to
information meaning and disclosure by exploring questions such as,
"What other information could be derived from this information?" or
"If this information were combined with other information sets
containing X, Y, or Z, what could be done with it?" The
results of our approach have shown promise for allowing more
accurate and efficient forensic analysis, and we have started
working to apply the techniques to production systems, particularly
electronic voting machines.

Host of Seminar:

    Erich Strohmaier