A Temporal Logic-Based Model for Forensic Investigation in Networked System Security

CNAS REPORT CNAS-2008-002 Public

Printed January 2008 Supersedes CNAS-2007-002 Dated Dec. 2007

A Temporal Logic-Based Model for Forensic Investigation in Networked System Security

Slim Rekhis, Noureddine Boudriga

Prepared by CN&S Research Lab.

The Communication Networks and Security (CN&S) Research Laboratory (created in 1999, 02/UR/11-08) is located at the Engineering School of Communications (University of 7th of November at Carthage, Tunisia). Approved for public release.

Copyright © 2007 by the Communication Networks and Security Research Lab. All rights reserved.

NOTICE: No part of this publication may be reproduced, stored in a retrieval system, or transmitted without written authorization from the CN&S research lab. Available from CN&S research lab, Engineering School of Communications, Techno-parc El Ghazala, Route de Raoued, Ariana 2083, Tunisia.

Telephone: (+216) 71857000 (ext. 2104)
Facsimile: (+216) 71856829
E-Mail: [email protected]

Approved for public release
Professor Noureddine Boudriga, Head of CN&S research lab.


  =   = 1 ∧  =   ∧   =   


 =   = 2 ∧  =  ∧   =   (  ) 8        

  #        =   = 2 ∧  =  ∧   =     )     1       0          =   = ∧    = 0 ∧   =  (  ,   ,   ) -    !  )   = ”) *) ” ∧   = ”)+  ”,   ∆

=

  = 0 ∧  =  ∧  =



∧   = ∇ ∧   = ∇
(0,  , “”) {(“  ”, ∇)}

 



(1, “  ”, “ ”, “”) {(“  ”, ∇)}

(1, “  ”, “ ”, “ ”) {(“  ”, ∇)}



 !"# (2, “  ”, “ ”“  ”, “ ”, “ ”) {(“  ”, “  ”)}



(2, “  ”, “ ”“  ”, “! ”, “”) {(“  ”, “ " ”)}

(2, , “ ”) {(“  ”, “  ”)}

 



$%



(2, , “”)

(2, “  ”, “! ”, “ ”) {(“  ”, “  ”)}

(“  ”, “ " ”) (“  ”, “  ”)

 

(2, “  ”, “! ”, “”)





(“  ”, “ " ”) (“  ”, “  ”)



  &         (0,  , “   ”) {(“  ”, ∇)}

 

(1, “  ”, “ ”, “   ”) {(“  ”, ∇)}

 %

(1, “  ”, “ ”, “ ”) {(“  ”, ∇)}

 !"#

(2, “  ”, “ ”“  ”, “ ”, “ ”) {(“  ”, “  ”)}



(2, , “ ”) {(“  ”, “  ”)}

 

$%

(2, “  ”, “! ”, “ ”) {(“  ”, “  ”)}

 (2, , “”)

(“  ”, “ " ”) (“  ”, “  ”)

 

(2, “  ”, “! ”, “”)





(“  ”, “ " ”) (“  ”, “  ”)
