On the detection of pod slurping attacks - Semantic Scholar

ARTICLE IN PRESS computers & security xxx (2010) 1–6

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

On the detection of pod slurping attacks5 Theodoros Kavallaris, Vasilios Katos* Department of Electrical and Computer Engineering, Democritus University of Thrace, University Campus, Kimmeria, Xanthi 67100, Greece

article info

abstract

Article history:

Time is recognised to be a dimension of paramount importance in computer forensics. In

Received 29 October 2009

this paper, we report on the potential of identifying past pod slurping type of attacks by

Received in revised form

constructing a synthetic metric based on information contained in filesystem timestamps.

23 December 2009

More specifically, by inferring the transfer rate of a file from last access timestamps and

Accepted 17 January 2010

correlating that to the characteristic transfer rate capabilities of a suspicious USB found in the Windows registry, one could assess the probability of having suffered an unauthorised

Keywords:

copy of files. Preliminary findings indicate that file transfer rates can be associated with the

USB forensics

make and model of the USB storage device and give supporting information to the forensic

Data transfer rate

analyst to identify file leakages. ª 2010 Elsevier Ltd. All rights reserved.

Digital forensics Pod slurping Information leakage

1.

Introduction

Along with its commercial availability in 2004, the iPod raised security concerns with regards to the confidentiality aspects of corporate security (Rohde, 2004). The iPod seemed to be the vehicle to highlight the risks of allowing portable USB storage devices in the corporate environment, since soon after the published proof of concept slurp.exe (Usher, 2005), similar tools were published – see for example the USB switchblade (Hak 5, 2008) – for a number of portable devices such as those with U3 functionality which offer autorun capabilities (U3, 2008). These tools run stealthy on the host machine and can copy specified directories or files, or execute potentially malicious payloads. Provided that the slurping operation is covert and is not prevented or detected, there are no statistics currently available showing the amount of data leakage slurping is accounted for (Radcliff, 2008). Although Verizon (2008) in a breach investigation report announced that the majority of the attacks were external (73% external vs. 18% internal), such

information if viewed in isolation could be misleading, as in the same study it was reported that the number of stolen records was substantially higher for the case of internal breaches (375,000 stolen via internal breaches against 30,000 via external breaches). It seems therefore that some information may be missing from the study which would allow the analysts to interpret the breach statistics and reach at objective conclusions. The contribution of this research is to provide a means to ascertain to some degree whether there was on a given computer a data leakage via a USB device through a covert, automated slurping attack. More precisely, the scenarios studied were based on the following three assumptions:  there is no access control enforced on the USB ports of the computer;  the adversary is not the owner or regular user of the computer;  the files exist on the hard disk of the computer.

5

A preliminary version of this paper was presented at WDFIA 2009. * Corresponding author. Tel./fax: þ30 2541079754. E-mail address: [email protected] (V. Katos). 0167-4048/$ – see front matter ª 2010 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2010.01.002

Please cite this article in press as: Kavallaris T, Katos V, On the detection of pod slurping attacks, Comput. Secur. (2010), doi:10.1016/j.cose.2010.01.002

ARTICLE IN PRESS 2

computers & security xxx (2010) 1–6

It is important to highlight that the methodology presented is not a post mortem investigation in the strict sense, as data leakage is not assumed to have occurred; the approach aims to assist in detecting whether any leakage occurred at some stage in the past on a certain computer. As such, this methodology would typically precede an incident response exercise. Moreover the proposed method could be used within a host based anomaly detection setting, by enriching the characteristics the detection system monitors. Typically anomaly detection for a host monitors changes in parameters such as CPU usage, process count and CPU allocation time (Ho¨glund et al., 2000), system calls (Yeung and Ding, 2003) traces and calls to specific processes such as logging (Wang et al., 2006), and so forth. These characteristics are then fed into detection algorithms that evaluate whether the underlying operations correspond to benign or malicious activity. The algorithms and techniques can be classification based (Markoyu and Singh, 2003), clustering based (Hodge and Austin, 2004), statistical (Bakar et al., 2006), nearest neighbour based (Patcha and Park, 2007), spectral or information theoretic (Chandola et al., 2009). An overview and comparison of these techniques is presented in (Chandola et al., 2009). This paper is structured as follows. In Section 2 an outline of the methodology is presented. In Section 3 the experimental data are presented and analysed. Section 4 contains the conclusions, issues identified and future directions.

2.

Data leakage detection approach

The main metric used for detecting the data leakage is the data transfer rate of the USB device which is correlated with the file timestamps and the device insertion timestamp. When a bulk file transfer takes place between an (internal) hard disk and a USB device, the bottleneck is normally placed on the communication channel between the USB controller and the USB device. We argue that once a file access timeline is constructed, one can probabilistically determine which files have been copied without permission. As expected, this probability is influenced by the contribution of peripheral circumstantial pieces of evidence by the owner of the computer, such as the recognition of a USB ownership, whether he or she has performed a file backup and so forth. In addition, the probability of a successful identification of the attack depends on the elapsed time from the event; the more recent the attack, the higher the probability of a successful identification.

2.1.

Evidence sources

In a forensics investigation, the identification of the evidence domain (traditionally this is referred to as the crime scene) is a step of paramount importance, as potential omissions could lead to drawing wrong conclusions. The practice of identifying, acquiring, analysing and presenting electronic evidence from multiple sources in a forensically accepted manner is referred to as e-discovery. In this section we present the sources of evidence which are relevant to the USB based data leakage context.

In Windows XP operating systems, there are primarily two sources of USB related information, the Registry, and the human readable file setupapi.log (Thomas and Morris, 2008). The relevant information contained in the Registry includes the identification of the USB device (serial number, manufacturer, product), as well as time related information, such as the last plugin timestamp (Carvey, 2005; Carvey and Altheide, 2005). The file setupapi.log contains information relating to the first connection of the device to the USB port such as driver installation information. The data which are of particular relevance in the proposed approach are the USB serial number and the timestamps. It should be highlighted that it is not mandatory for a USB device to have a serial number and that depends on the manufacturer. Whenever there is a serial number though, the manufacturer is required to offer uniqueness. The existence of a serial number is important if a forensic investigation involves a seizure and suspect USB devices have been recovered, but it does not affect the accuracy of the proposed method, since the emphasis of this method is primarily on the timestamps. Consequently, the integrity of the timestamps is crucial to the success of the proposed method. Another important source of evidence is the timestamps which accompany the files on a given filesystem. NTFS metadata contain last access information to the precision of the 100th nanosecond, but the granularity of the Windows operating system is much smaller, as it is limited to the precision of 1 ms. Furthermore the access times for NTFS filesystems in Windows operating systems may be delayed for up to an hour (MSDN, 2009). Assuming that the detection attempt is not performed within the hour after the slurping attack took place, this feature would not affect the effectiveness of the proposed method. Finally, the identification process of a particular USB storage device could be supported by its characteristic transfer rate, that is the throughput and performance of the device. In other words, if different USB devices exhibit different transfer rates, then such differentiation could be used as supporting evidence of a particular device being used for a particular file transfer. This claim is investigated in this paper by means of testing the following hypotheses: H0: Two USB devices of a different model have the same characteristic transfer rate. Ha: Two USB devices of a different model have different characteristic transfer rate. Ha essentially supports the proposition that the bottleneck is not really placed on the USB bus, but on the USB storage circuitry, as two USB devices on the same USB port would exhibit different transfer rates.

2.2.

Correlation

Let U denote the set of USB storage devices and UO the devices which belong to the legitimate user of the computer. Then US ¼ UXUO will be the set of suspicious devices. The proposed method takes place if US sB. US is an unordered set with indexed elements.

Please cite this article in press as: Kavallaris T, Katos V, On the detection of pod slurping attacks, Comput. Secur. (2010), doi:10.1016/j.cose.2010.01.002

ARTICLE IN PRESS 3

computers & security xxx (2010) 1–6

Let ti denote the date and time that device ui ˛ US was last connected to the computer and let Ta denote a time span constant. For each ui ˛ US, i ¼ 1.#US , let rv;ui denote the average transfer rate of a file of size v for the specific device ui. Finally, for a given set F of files f ˛ F, let tfj denote the access time of file fj ˛ F, j ¼ 1.#F. If a leakage took place, then it is expected that the access times of a subset of the leaked files are placed within the time range [ti,ti þ Ta]. It should be evident that the older the leakage event, the smaller the subset of the leaked files and consequently the accuracy of the proposed method is reduced. Moreover, if the legitimate user performed a backup of the files after the leakage, the method cannot be applied. Let Gi 4F such that for each g in Gi, it is ti < tg < ti þ Ta, where tg is the last access timestamp of file g. Furthermore, Gi is ordered by the last access timestamp. That is, Gi ¼ fg1 ; g2 ; .; g#G g, such that tgm < tgmþ1 , m ¼ 1.#Gi  1. Let Ai be the ordered, set of timestamps of files in Gi. That is, Ai ¼ fa1 ; a2 ; .; a#Gi g with am < amþ1, m ¼ 1.#Gi  1. For every file in Gi =fg#Gi g that was potentially transferred to the USB device, the maximum transfer rate would be equal to r0m ¼ ðsize of gm Þ=ðamþ1  am Þ. This transfer rate is then compared with the average transfer rate of the USB device under investigation. As such, file gm has potentially been leaked, if statistically r0m ¼ rvm ;ui , where vm is the size of gm. The above approach is represented graphically in Fig. 1. Each rectangle represents a file, the horizontal axis is the timeline showing the access timestamps. Consequently the width of the box represents the time duration of a particular file accessed, whereas the height of the box represents the size of that file. On a slurping attack the access patterns would appear like the files on the right side of ti which is the time of the insertion of the rogue USB device. In that case it would be possible to calculate the width of the boxes by measuring the distances of the access times, as in general there are no data that contain the access durations of the files and therefore these need to be calculated indirectly. From the graphical representation of the files the transfer rate for each file would be the ratio of the two sides of the rectangle. A key metric for assisting in determining whether a slurping attack was performed at time ti by device ui is the leakage probability L ¼ (potentially leaked files)/#Gi. In a production

system, it is expected that L will be smaller than 1, but the user’s contribution is crucial at this stage. For instance, if the user is aware of certain files that he or she has accessed, these could be excluded from the calculations and L could be recomputed more accurately. In addition, it is expected that the larger the number of files leaked, the more potentially accurate the information expressed by L (always under the assumption that there have been no external events that have influenced the file access timestamps). The value of the time span Ta depends on a number of factors such as number of files in ‘‘attractive’’ directories, total size of ‘‘attractive’’ files and size of the USB storage device. In any case, a histogram showing the last access timestamps of files in certain windows near the device plugin timestamp, would contribute with valuable information in order to assist the analyst with assigning a reasonable value to the time span.

3.

Three sets of experiments were conducted. The first was in order to find an acceptable approximation function of the average transfer rate, rvm ;ui . The second was for establishing whether there is discrimination between different makes and models of USB sticks with respect to the transfer rate; that is, rvm ;ui srvm ;uj for i s j. The third test was to investigate whether the probability L can be high enough, given a slurping attack.

3.1.

f2 f1 t1

t2

[0.0000]

R2 ¼ 0:871057

[0.0006]

The relation above refers to a Kingston DataTraveler 2.0 device. The total volume transfer for all each file size was 1 Gb. The lower transfer rates referred to the smaller files as

v6 t7 − t6

v5 t6 − t5

f7 v7

f6

f5 t4

R2 ¼ 0.88278

y(x) ¼ 0.8423 log(x) þ 2.1069 Mb/s

f4

f3 t3

r5′ =

Transfer rate

Fig. 2 shows a plot of file sizes in log(kb) against the average transfer rate, in MB/sec. The linear regression produced the following:

r6′ =

max transfer v4 ′ rate: r4 = t5 − t 4

Empirical data

t5

t6

v6

t7

f9

f8 t8

t9 timeline

ti “USB inserted” Fig. 1 – An example access pattern on a potential pod slurping attack. Please cite this article in press as: Kavallaris T, Katos V, On the detection of pod slurping attacks, Comput. Secur. (2010), doi:10.1016/j.cose.2010.01.002

ARTICLE IN PRESS 4

computers & security xxx (2010) 1–6

3.2.

transfer rate (Mb/s)

observed transfer rate fitted values

10 8 6 4 2 0 2

3

4

5

6

7

file size (log Kb)

Fig. 2 – Scatter plot between file size (log) and average transfer rate.

expected, as there were more operations involved, other than read and write. The same files were also transferred to a Kingston DT 101 II and a Kingston DataTraveler Mini. The results are summarised in Table 1 and presented in Fig. 3. It can be seen from the above regressions that a characteristic transfer rate footprint can be constructed and could be distinct for different USB devices. We can now test the hypotheses stated in Section 2.1. In order for the characteristic transfer rates to be different, the above regression equations are compared. Since the equations consist of two coefficients (slope and constant), we accept Ha when at least one of them differs, and H0 otherwise. The pairwise comparisons of the three USB devices are summarised in Table 2. Although Ha seems to prevail, for case 1–2, Ha can be marginally acceptable as the two constants are not different and the slopes are not significantly different, as opposed to 1–3 and 2–3 where the two devices are significantly different. In general it can be claimed that different USB devices can have statistically different transfer rates, but this step of the approach must be repeated as part of the forensic analysis process on the respective case, by comparing the suspect device with those that belong to the legitimate user prior to making claims based on the differences of the transfer rates of the devices. The following section focuses on the detection potential of this information when correlated with the actual last access times.

Slurping detection potential

The third USB was used as a destination for the ‘‘unauthorised’’ copying of three folders. The first folder contained 13 files, the second folder contained 25 files, and the third folder contained 570 files. Initially all folders contained files of 3 different sizes. The probability of attack L, as presented earlier, was the number of potentially leaked files to the total number of files. A potentially leaked file was a file where the calculated transfer rate was within the interval [y(x)  2  SE, y(x) þ 2  SE], where y(x) is the modelled transfer rate y(x)¼1.7179 log(x)  1.3264. The interval limits were chosen in order to contain the 95.5% of the scores. The results are summarised in Table 3. It can be seen from the above that the probability of successfully detecting the attack is in the region of 0.80, given the relatively higher amount of files transferred in the third test case. Provided that this probability was calculated for a given attack, this value should be a future reference point for establishing whether an attack took place at a given time in the past. Fig. 4 shows the effect of time span Ta and the resulting leakage probability on a known attack. This was also compared against a case where no file transfer between the hard disc and the USB device was performed, i.e. the file access operations and access times registered correspond to normal, benign activity. For the latter case the leakage probability was consistently zero. From the above the following conclusions are drawn:  The leakage probability L is negligible when there is no slurping attack. This suggests that false positives would also be negligible.  The leakage probability L is high (in the range of 0.3–1), even for a small number of files transferred in the case of a slurping attack.  The leakage probability L decreases monotonically for files accessed after the attack is complete. It can be concluded that in the case where an attack is detected, the extent and time of the unauthorised file transfer can also be inferred.

4.

Discussion, conclusions and outlook

A method for detecting slurping attacks against publicly known malware was presented. Although this method claims

Table 1 – Summary of statistical results for the three USB devices. USB device

y(x)¼a log(x) þ b

R2

R2

SE

1. Kingston DataTraveler 2.0

y(x) ¼ 0.8423 log(x) þ 2.1069 [0.0000] [0.0006] SE: 0.097 0.424

0.882779

0.871057

0.363236

2. Kingston DT 101 II

y(x) ¼ 0.6379 log(x) þ 1.4190 [0.0000] [0.0002] SE: 0.0557 0.2434

0.929115

0.922027

0.208513

3. Kingston DataTraveler Mini

y(x) ¼ 1.7179 log(x)  1.3264 [0.0000] [0.0767] SE: 0.1538 0.6722

0.925727

0.918300

0.575844

Please cite this article in press as: Kavallaris T, Katos V, On the detection of pod slurping attacks, Comput. Secur. (2010), doi:10.1016/j.cose.2010.01.002

ARTICLE IN PRESS 5

computers & security xxx (2010) 1–6

USB 1 (♦)

Transfer rate (Mb/s)

USB 2 (▲) USB 3 (*)

10 9 8 7 6 5 4 3 2 1 0 2

3

4

5

6

7

file size (log Kb) Fig. 3 – Scatter plot between file size (log) and average transfer rate for all three test USB subjects.

a nontrivial probability of success, it inherits the caveats of the forensic techniques that rely on metadata which can be trivially modified. Nevertheless the metrics developed in this paper could be used in conjunction with other parameters on a host based anomaly detection setting to support and improve host intrusion and vice versa, host based anomaly detection data types could be correlated with the proposed metrics to improve the effectiveness of the proposed method. It can be reconfirmed that the integrity of the system is of paramount importance in digital forensics and that a strong security policy enforcing, among other elements, integrity protection of the key system files (including the registry) is required. In this particular case, unauthorised modifications of the registry can render the proposed method ineffective. Apart from the obvious tampering of the USB device registry keys, a malicious payload could completely disable the file access times for NTFS filesystems. This is achieved by setting the following key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ FileSystem] Value Name: NtfsDisableLastAccessUpdate Data Type: REG_DWORD (DWORD Value) Value Data: 1 (enable) The purpose of the above facility serves to improve performance, and as such this loss of information could have a significant negative impact on security. It should be highlighted that in Windows Vista this setting is enabled by default

and this is done possibly due to the pressing need for elevating the overall performance of a resource-demanding operating system like Vista. Nevertheless, in XP if the last access update key was updated with a disable value through a malicious payload as part of a combined integrity breach and slurping attack, although it would not be possible to enumerate the leaked files, the type and model as well as the time of the device could be identified, provided that no other unauthorised changes were made in the registry (or the timestamps of the changes were not modified by unauthorised means). In a ‘‘real life’’ XP system we need to accept that uncertainty will be higher than that of a sterile, reference system used for empirically establishing the transfer rates and therefore there can be a high deviation on the actual transfer rates. Although the list of influencing factors cannot be complete, the following points are expected to impair the effectiveness of the proposed approach: - file maintenance activities, such as scheduled backups. If a backup is performed at a time between the slurping attack and the detection attempt, then this method cannot be applied, if the backup application modifies the last access times. - resource-intensive operations, such as antivirus checks. Not only an antivirus will influence the transfer rates, if it happens to run during the attack, but if it is performed between the attack time and the detection attempt, it may spoil the last access times. Scenarios based on the above points were developed and will be enriched in future research. Early findings revealed that backup activities do have a negative impact on the effectiveness of the proposed method only if these backup activities involve the USB bus, whereas intensive hard disk access activities such as file search and antivirus operations do not affect the detection leakage probability. This is due to the fact that the bottleneck on the transfer speed is placed on the USB device, so the (internal) hard disk and CPU activity does not contribute to that bottleneck. However this assumption will require re-examination following the introduction of USB 3 which is announced to be a protocol with faster rates than USB 2. At the time of writing this, there is emerging research on developing methodologies for representation of the historical states of a system, see for example the recent work in (Zhu et al., 2009). Such research direction seems to be vital for the success and improvement of forensic analysis methods such as the one presented in this paper, as correlation with past system activity would reduce the uncertainty and improve the accuracy of the method. This would be an example of live forensic approaches providing useful information on a dead forensics investigation.

Table 2 – Pairwise hypothesis testing results. Case 1–2 2–3 1–3

Constant

Slope

pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð2:1069  1:1419= 0:4242 þ 0:24342 Þ ¼ 1:407 pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð1:1419  1:326= 0:24342 þ 0:67222 Þ ¼ 0:258 pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð2:1069  1:326= 0:4242 þ 0:67222 Þ ¼ 4:32

pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð0:8423  0:6379= 0:0972 þ 0:05572 Þ ¼ 1:826 pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð0:6379  1:7179= 0:05572 þ 0:15382 Þ ¼ 6:6025 pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ð0:8423  1:7179= 0:0972 þ 0:15382 Þ ¼ 4:8127

Hypoth. Ha Ha Ha

Please cite this article in press as: Kavallaris T, Katos V, On the detection of pod slurping attacks, Comput. Secur. (2010), doi:10.1016/j.cose.2010.01.002

ARTICLE IN PRESS 6

computers & security xxx (2010) 1–6

Table 3 – The slurping detection attempts. Test case

Number of potentially leaked files

Total number of filesa

Probability of attack L

1. (13 files) 2. (25 files) 3. (570 files)

9 23 464

12 24 569

0.75 0.96 0.81

a The total number of files is the number of files in the case minus 1, since the total access time of the last file cannot be calculated.

Fig. 4 – Dependency between Ta (normalised to represent number of files) and L.

Although the prediction power of the resulting regression was reported to be high, the actual detection probability was rather average. This is due to the fact that there are overheads during the copying process which are not accounted for in the regression model, but exist in the synthesis of the transfer rate from the last access times. Future work includes the investigation of the detections via more advanced statistical methods such as probit and logit, or even by experimenting with other regression equations such as multinomial, Box– Cox and logistic. It is expected that these will allow the detection method to compensate for the hidden overheads and yield a higher accuracy for the attack probability. Finally, further research currently looks into the possibilities of including sources of circumstantial evidence in order to attain higher correlation in non-sterile environments.

Acknowledgement The authors are indebted to Sophoclis Kesinis for his invaluable technical input and constructive feedback in all stages of this paper.

Carvey H, Altheide C. Tracking USBnext term storage: analysis of windows artifacts generated by USB storage devices. Digital Investigation 2005;2(2):94–100. Carvey H. The Windows registry as a forensic resource. Digital Investigation 2005;2(3):201–5. Chandola V, Banerjee A, Kumar V. Anomaly detection: a survey. ACM Computing Surveys 2009;41(3). article 15. Hak 5, http://wiki.hak5.org/wiki//USB_Switchblade; 2008 [accessed 19.01.09]. Hodge V, Austin J. A survey of outlier detection methodologies. Artificial Intelligence Review 2004;22(2):85–126. Ho¨glund AJ, Ha¨to¨nen K, Sorvari AS. A computer host-based user anomaly detection system using self-organizing map. In: Proceedings of the IEEE–INNS–ENNS international joint conference on neural networks, vol. 5; 2000. p. 411–6. Markoyu M, Singh S. Novelty detection: a review-part 1: statistical approaches. Signal Processing 2003;83(12):2481–97. MSDN. File Times, http://msdn.microsoft.com/en-us/library/ ms724290%28VS.85%29.aspx; 2009 [accessed 20.10.09]. Patcha A, Park J-M. An overview of anomaly detection techniques: existing solutions and latest technological trends. Computer Networks 2007;51(12):3448–70. Radcliff D. Slurping the USB port. SC Magazine, http://www. scmagazineus.com/Slurping-the-USB-port/article/115762; 2008 [accessed 19.01.09]. Rohde L. iPods pose security risk for enterprises, Gartner says, http://www.infoworld.com/article/04/07/06/HNipodsrisk_1. html; 2004 [accessed 12.01.09]. Thomas P., Morris A. An investigation into the development of an anti-forensic tool to obscure USB Flash Drive Device Information on a Windows XP Platform. Third Annual Workshop on Digital Forensics and Incident Analysis, Malaga, Spain, 9 October 2008, pp. 60–66. U3, http://www.u3.com/; 2008 [accessed 19.01.09]. Usher A. Pod slurping, sharp ideas LLC available from, http://www. sharp-ideas.net/pod_slurping.php; 2005 [accessed 12.01.09]. Verizon. Data breach investigations report, http://www. verizonbusiness.com/resources/security/databreachreport. pdf; 2008 [accessed 18.10.09]. Wang W, Guan X, Zhang X, Yang L. Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data. Computers and Security 2006;25(7):539–50. Yeung D, Ding Y. Host-based intrusion detection using dynamic and static behavioral models. Pattern Recognition 2003;36(1): 229–43. Zhu Y, James J, Gladyshev P. A comparative methodology for the reconstruction of digital events using windows restore points. Digital Investigation; 2009; doi:10.1016/j.diin.2009.02.004. Vasilios Katos is Assistant Professor of Information and Communications Systems Security at the Department of Electrical and Computer Engineering of Democritus University of Thrace in Greece. Prior to his current post he was Principal Lecturer at the School of Computing at the University of Portsmouth where he participated in the development of the interdisciplinary Masters course MSc in Forensic IT. He has worked in the industry as a security consultant and expert witness in information systems security. His research interests are in information security, privacy, digital forensics and incident response.

references

Bakar Z, Mohemad R, Ahmad A, Deris M. A comparative study for outlier detection techniques in data mining. Proceedings of the IEEE Conference on Cybernetics and Intelligent Systems; 2006:1–6.

Theodoros Kavallaris is troubleshouting and verification engineer for Intracom Telecom delivering testing and certification services for the company’s broadband products according to international standards. Prior to that he was troubleshouting and verification ˆ engineer for Intralot. He has also industrial experience as E´O administartor and security engineer.

Please cite this article in press as: Kavallaris T, Katos V, On the detection of pod slurping attacks, Comput. Secur. (2010), doi:10.1016/j.cose.2010.01.002