Digital investigation aims to conduct a post-incident analysis of compromised systems and to inquire into past events. Its purpose is to collect the digital evidence left on the system after the attack scenario occurred and to analyze it in order to answer questions about digital states and events and to reconstruct information about past events. Digital evidence is ubiquitous and is used to support or disprove a theory of how the security incident occurred. It includes any digitized information such as images, text, audio, and video. During the analysis, an investigator has to formulate theories about the potential events and the behavior of the compromised system in order to a) determine the vulnerabilities exploited to compromise the system; b) reconstruct the conducted attack scenario; c) trace attackers to their source in the network; d) study the attackers' trends and motives; and e) propose a set of countermeasures to mitigate the effect of the incident.
Few research works in the literature have proposed basing the digital investigation process on formal methods, theories and principles. Such a basis allows generating irrefutable proofs regarding reconstructed attack scenarios, reducing the complexity of their generation, and automating the reasoning on incidents. Stephenson [9] took interest in the root cause analysis of digital incidents and used Colored Petri Nets. Stallard and Levitt [8] used an expert system with a decision tree that exploits invariant relationships between existing data redundancies within the investigated system. Gladychev [4] provided a Finite State Machine (FSM) approach for the construction of potential attack scenarios, discarding scenarios that disagree with the available evidence. Carrier and Spafford [2] proposed a model that supports existing investigation frameworks. It uses a computation model based on an FSM and the history of a computer; a digital investigation is considered as the process that formulates and tests hypotheses about occurred events or states of digital data. Willanssen [11] takes interest in enhancing the evidentiary value of timestamp evidence. The aim is to alleviate problems related to the use of evidence whose timestamps were modified or referred to an erroneous clock (i.e., one subject to manipulation or maladjustment). The proposed approach consists in formulating hypotheses about clock adjustment and verifying them by testing their consistency with the observed evidence. Later, in [12], the testing of hypothesis consistency is enhanced by constructing a model of the actions affecting timestamps in the investigated system. An action may affect several timestamps by setting new values and removing the previous ones. In [1], a model checking-based approach for the analysis of log files is proposed. The aim is to search for patterns of events expressed in a formal language using the model checking technique. Using this approach, logs are modeled as a tree whose edges represent extracted events in the form of algebraic terms. In [7], we provided a logic for the digital investigation of security incidents and its high-level specification language. The logic is used to prove the existence or non-existence of potential attack scenarios which, if executed on the investigated system, would produce the different forms of specified evidence.

978-1-4244-3941-6/09/$25.00 ©2009 IEEE
Generally speaking, the solutions provided by the above-described approaches are unsuitable to cope with wireless attacks. First, the dynamic aspect of routing protocols and topology in wireless multihop systems makes it necessary to provide techniques and mechanisms for the distributed collection of evidence, the correlation of scattered collected evidence, and the handling of incomplete evidence, which occurs because some network areas are not covered by the deployed security solutions. Second, most of the provided approaches require the use of attack libraries, which must be explored at every attack scenario reconstruction to assemble the sequence of executed actions that explains the available evidence. Such a feature requires heavy resources and may increase the load on the mobile wireless nodes, which may be resource-impoverished devices. Third, most attack scenario reconstruction techniques require the availability of evidence describing some actions that happened on the compromised system, together with their attributes. In practice, the identification of actions and their attributes is difficult and may be subject to false positives. In fact, most security solutions do not directly monitor actions; they supervise the system behavior and identify malicious events starting from their observed effect on the system. Providing a technique of digital investigation which allows identifying occurred attack scenarios starting from evidence describing
Figure 1. (Figure not recoverable from the page; legend: Observer node, Regular MASNet node.)
V.
Several definitions and uses of attack patterns have been considered in the literature. In this paper, we consider an attack pattern as a combination of predicates over the set of system states through which the system progresses during the attack. We distinguish two types of predicates: single-state predicates and multi-state predicates.
A single-state predicate, say π, is defined over a single system state of an execution to specify possible values or
C. Operations on patterns
In order to investigate complicated and advanced attack scenarios and reduce false positives, we define in the following examples of temporal-like operators over attack scenarios. These operators allow constructing advanced patterns starting from simple ones. In the binary operators, the second operand is also a predicate.
Global π: the predicate π should always hold, at every state of the execution.
π Before_{T,T'} : the predicate π holds at least T time instants before the second predicate becomes true. After it holds, π remains true for T' time instants.
π After_{T,T'} : the predicate π should become true at least T time instants after the second predicate became true. After it holds, π remains true for T' time instants.
At_T π: the predicate π holds at some time instant, say T, of the execution.
Every_T π: the predicate π should hold at least once in each T time instants.
Exist_x π: the predicate π should be true at least x times in the execution.
π Until : the predicate π should hold until the second predicate holds.
π Next : the predicate π becomes true at the time instant that succeeds the time instant at which the second predicate holds.
Note that, if the specification does not refer to real time, a time instant can refer to a separate state of the execution; the expression Every_T π then means that π should be true at least once after every transition of T states. Besides the temporal-like operators, the logical operators ∧, ∨ and ¬ can be used to build compound patterns.
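The operators above can be given a concrete semantics over finite executions. The following Python module is an added example, not code from the paper: it represents each predicate by its truth trace (one boolean per time instant, or per state for an untimed specification; multi-state predicates yield one entry per transition), implements the operators listed above plus ∧, ∨ and ¬, and composes the encapsulation-based wormhole pattern of Section VI from two fragment traces. The second operand of a binary operator is called `q` in the code. Where the informal definitions leave a choice (what "becomes true" means at the first instant, and that the windows of Every_T are aligned at instant 0), the choice taken is stated in a comment; the fragment traces in `example_wormhole` are constructed by hand.

```python
"""Temporal-like pattern operators over a finite execution (added example).

A predicate is represented by its truth trace: a list with one boolean per
time instant, or per state when the specification is untimed. Multi-state
predicates are evaluated on consecutive state pairs, so their trace has one
entry per transition. Choices the text leaves open are noted in comments.
"""
from typing import Callable, List, Optional, Sequence

Trace = List[bool]


def trace_of(states: Sequence, pred: Callable[..., bool], arity: int = 1) -> Trace:
    """Truth trace of a single-state (arity 1) or multi-state (arity 2) predicate."""
    if arity == 1:
        return [bool(pred(s)) for s in states]
    return [bool(pred(states[i], states[i + 1])) for i in range(len(states) - 1)]


# Logical connectives, pointwise over instants.
def and_(p: Trace, q: Trace) -> Trace:
    return [a and b for a, b in zip(p, q)]


def or_(p: Trace, q: Trace) -> Trace:
    return [a or b for a, b in zip(p, q)]


def not_(p: Trace) -> Trace:
    return [not a for a in p]


def _rises(p: Trace, i: int) -> bool:
    # "p becomes true at i": true at i and false at i-1 (instant 0 counts as a rise).
    return p[i] and (i == 0 or not p[i - 1])


def _holds_for(p: Trace, start: int, n: int) -> bool:
    # p stays true for n consecutive instants from `start`; the trace must be long enough.
    return start + n <= len(p) and all(p[start:start + n])


def globally(p: Trace) -> bool:          # Global p
    return all(p)


def at(p: Trace, t: int) -> bool:        # At_T p
    return 0 <= t < len(p) and p[t]


def every(p: Trace, T: int) -> bool:     # Every_T p, windows aligned at instant 0
    return all(any(p[k:k + T]) for k in range(0, len(p), T))


def exist(p: Trace, x: int) -> bool:     # Exist_x p
    return sum(p) >= x


def nxt(p: Trace, q: Trace) -> bool:     # p Next q
    return any(q[i] and p[i + 1] for i in range(len(p) - 1))


def until(p: Trace, q: Trace) -> bool:   # p Until q: p holds continuously until q first holds
    for i, qi in enumerate(q):
        if qi:
            return True
        if not p[i]:
            return False
    return False


def after_index(p: Trace, q: Trace, T: int, Tp: int) -> Optional[int]:
    """p After_{T,T'} q: first instant k at which p becomes true, at least T
    instants after an instant at which q became true, with p then holding
    for T' instants; None if the pattern never occurs."""
    for j in range(len(q)):
        if not _rises(q, j):
            continue
        for k in range(j + T, len(p)):
            if _rises(p, k) and _holds_for(p, k, Tp):
                return k
    return None


def after(p: Trace, q: Trace, T: int, Tp: int) -> bool:
    return after_index(p, q, T, Tp) is not None


def before(p: Trace, q: Trace, T: int, Tp: int) -> bool:
    """p Before_{T,T'} q: p becomes true (and holds for T' instants) at least
    T instants before some instant at which q becomes true."""
    for k in range(len(p)):
        if _rises(p, k) and _holds_for(p, k, Tp):
            if any(_rises(q, j) for j in range(k + T, len(q))):
                return True
    return False


def wormhole_pattern(phi_pi: Trace, pi_psi: Trace) -> bool:
    """Encapsulation-based wormhole pattern of Section VI:
    ((phi ∧ π) After_{1,1} ¬(phi ∧ π)), followed later by (¬(π ∧ ψ) After_{1,1} (π ∧ ψ)),
    where phi stands for the single-state fragment. "Later" is read as: the
    decapsulation part rises after the encapsulation part."""
    enc = after_index(phi_pi, not_(phi_pi), 1, 1)
    dec = after_index(not_(pi_psi), pi_psi, 1, 1)
    return enc is not None and dec is not None and dec > enc


def example_wormhole() -> bool:
    # Constructed fragment traces over the seven transitions of Figure 3's execution:
    # (phi ∧ π) holds only at the encapsulation step (s1 -> s2),
    # (π ∧ ψ) at the encapsulation step and at the decapsulation step (s5 -> s6).
    phi_pi = [False, True, False, False, False, False, False]
    pi_psi = [False, True, False, False, False, True, False]
    return wormhole_pattern(phi_pi, pi_psi)
```

Because every operator reduces to scanning a boolean trace, an observer node can evaluate a pattern fragment incrementally as states arrive and forward only the instants at which a fragment rose, which is the information the investigator needs to apply After and Before across fragments reported by different observers.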
VI. ATTACK INVESTIGATION
This section provides a formal model of observed scenarios
and describes a methodology for pattern-based digital investigation.
A. Observing attack scenarios
Figure 2. Wormhole attack
The path [n1, n2, n3, n5, n6, n8, n11, n12] will appear shorter than the path [n1, n4, n9, n10, n13, n12]. Node n3 encapsulates the route request forwarded by n2, forcing the subsequent nodes in the path to append their identities to the new packet header. Upon encapsulation, the route record of the inner packet becomes invisible and the new outer packet appears with an empty route record. Node n3 appends its identity to the new, empty route record. Later, node n11 decapsulates the received route request, appends its identity and forwards it. Node n12 extracts from the received route request the series of node identities appended during the forwarding of that datagram. Only the identities of nodes n1, n2, n11 and n12 will be visible.
Figure 3 shows the description of the attack scenario, say w, as a series of eight states, where every state is a valuation of the six variables. Formally, w = (s0, ..., s7).
Since, by definition, an observer node is able to detect the transmission of any datagram within its cluster, we define P(s) ≜ cid(s) ∈ ListCov(o) and P'(s) ≜ nid(s) ∈ ListCov(o) as the predicates which test whether the packet is sent by, or sent to, a node within the coverage of some observer node o, respectively. Function ListCov(·) takes as input the identity of the observer node and returns the list of nodes within its coverage.
The observation function related to the observer nodes in the network is defined using the following dynamic labels on the system variables.
l(s, src) = IF (P(s) ∨ P'(s)) THEN src ELSE ∅.
l(s, cid) = IF (P(s) ∨ P'(s)) THEN cid ELSE ∅.
l(s, nid) = IF (P(s) ∨ P'(s)) THEN nid ELSE ∅.
l(s, nl) = IF P(s) THEN nl ELSE ∅.
l(s, pid) = IF (P(s) ∨ P'(s)) THEN pid ELSE ∅.
l(s, rreq) = IF (P(s) ∨ P'(s)) THEN rreq ELSE ∅.
Since all the fields of a datagram can be read by an observer node if it is able to detect its transmission, every system variable except nl is visible if one of the predicates P or P' is true. Variable nl is visible only if the predicate P is true: the observer is able to determine the list of neighbors of a node only if that node is within its coverage. Note that this information can be deduced later if the observer asks its neighbors in the observation network to
obs_o5(w) = ([∅, ∅, ∅, ∅, ∅, ∅], [n1, n6, n8, ∅, h', (n3, n5, n6)], [n1, n8, n11, {n6, n7, n11}, h', (n3, n5, n6, n8)], [n1, n11, n12, ∅, h, (n1, n2, n11)], [∅, ∅, ∅, ∅, ∅, ∅]).
To detect the attack, the following pattern fragments should be defined. The first, say π, is a multi-state predicate which states that the packet hash changes when the route request is forwarded from node nid to node cid, and that the packet is forwarded to a neighbor node which appends its identity to the route request. The second pattern fragment is a single-state predicate which indicates that the route request includes only the identity of the processing node, and that this processing node is not the node which initiated the route request. The third predicate, say ψ, is a multi-state pattern which states that the route record contained in the route request forwarded by a node does not include any node identity from the route request it received. Their formal definitions include the conjuncts
π(s_i, s_{i+1}) ≜ pid(s_{i+1}) ≠ pid(s_i) ∧ nid(s_i) = cid(s_{i+1}) ∧ …
ψ(s_{i-1}, s_i) ≜ cid(s_{i-1}) ∉ rreq(s_i) ∧ cid(s_i) ∈ nl(s_{i-1}) ∧ …

Figure 3. The attack scenario w = (s0, ..., s7) as a sequence of valuations of the six variables.

        s0        s1        s2        s3        s4            s5              s6            s7
src     n1        n1        n1        n1        n1            n1              n1            n1
cid     n1        n2        n3        n5        n6            n8              n11           n12
nid     n2        n3        n5        n6        n8            n11             n12           (none)
nl      {n2, n4}  {n1, n3}  {n2, n5}  {n3, n6}  {n5, n7, n8}  {n6, n7, n11}   {n8, n12}     {n11, n13}
pid     h         h         h'        h'        h'            h'              h             h
rreq    (n1)      (n1, n2)  (n3)      (n3, n5)  (n3, n5, n6)  (n3, n5, n6, n8) (n1, n2, n11) (n1, n2, n11, n12)
To detect an encapsulation-based wormhole attack, the following pattern can be used: (( ∧ π) After_{1,1} ¬( ∧ π)), (¬(π ∧ ψ) After_{1,1} (π ∧ ψ)), where the blank stands for the single-state predicate above. It states that the conjunction of the single-state predicate and π should become true immediately after its negation became true and, once it holds, remain true for one step of the execution. Later in the execution, the predicate (π ∧ ψ) should become true, and immediately after that ¬(π ∧ ψ) holds for one step of the execution.
After the attack scenario has executed, observer node o1 detects that the predicate fragment π and the single-state predicate hold. Observer node o4 detects that π holds; however, since variable nl in the sixth state is unobservable to it, o4 is unable to determine whether ψ holds, and it indicates in the message it sends to the investigator node that ψ cannot be verified unless the value of nl is visible. Observer node o5 is able to determine that the fragment ψ holds once it is computed on the third and fourth elements of its observation. By assembling all the messages received from the observer nodes, which contain, in addition to the predicate fragments that hold, the timestamps of their detection, the investigator node is able to compute the whole pattern and therefore prove the execution of the encapsulation-based wormhole attack scenario.
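The observation and assembly steps described above, as an added Python example that is not the paper's code. It encodes the eight states of Figure 3, the three predicate fragments as the text describes them (the page's symbol for the single-state fragment is lost, so the code calls it `only_self`), the dynamic labelling l(s, var) of Section VI-A as a projection that drops unobserved variables, three-valued evaluation of each fragment on an observation (holds, refuted, or not verifiable), and an investigator that merges the observers' reports keyed by transition index. The coverage lists for o1, o4 and o5 are constructed assumptions chosen so that the reports reproduce the narrative; the conjunct "cid(s_{i+1}) ∈ rreq(s_{i+1})" in π and the neighbour check in ψ are this example's reading of the prose definitions.

```python
"""Observer-side verification of pattern fragments on partial observations.

Added example (not the paper's code): the eight states of Figure 3, the three
fragments as the text describes them (the lost single-state symbol is named
`only_self`), the dynamic labelling l(s, var), and an investigator merging the
observers' reports. Coverage lists are constructed to match the narrative.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

Obs = Dict[str, object]  # full or partial valuation of the six variables


def state(src, cid, nid, nl, pid, rreq) -> Obs:
    return {"src": src, "cid": cid, "nid": nid, "nl": frozenset(nl),
            "pid": pid, "rreq": tuple(rreq)}


# w = (s0, ..., s7): n3 encapsulates (pid h -> h', fresh route record),
# n11 decapsulates (pid back to h); n12 is the destination, so no next hop ("").
W: List[Obs] = [
    state("n1", "n1", "n2", {"n2", "n4"}, "h", ["n1"]),
    state("n1", "n2", "n3", {"n1", "n3"}, "h", ["n1", "n2"]),
    state("n1", "n3", "n5", {"n2", "n5"}, "h'", ["n3"]),
    state("n1", "n5", "n6", {"n3", "n6"}, "h'", ["n3", "n5"]),
    state("n1", "n6", "n8", {"n5", "n7", "n8"}, "h'", ["n3", "n5", "n6"]),
    state("n1", "n8", "n11", {"n6", "n7", "n11"}, "h'", ["n3", "n5", "n6", "n8"]),
    state("n1", "n11", "n12", {"n8", "n12"}, "h", ["n1", "n2", "n11"]),
    state("n1", "n12", "", {"n11", "n13"}, "h", ["n1", "n2", "n11", "n12"]),
]

# Constructed coverage lists (ListCov) of three observer nodes (assumption).
COVERAGE: Dict[str, FrozenSet[str]] = {
    "o1": frozenset({"n3"}), "o4": frozenset({"n11"}), "o5": frozenset({"n8", "n12"}),
}


def _need(*vals):
    """None if any needed variable is unobserved, else the values themselves."""
    return None if any(v is None for v in vals) else vals


def pi(s: Obs, t: Obs) -> Optional[bool]:
    """π(s_i, s_{i+1}): the packet hash changes as the request is forwarded from
    nid(s_i) to cid(s_{i+1}), which appends its identity to the route record."""
    v = _need(s.get("pid"), t.get("pid"), s.get("nid"), t.get("cid"), t.get("rreq"))
    if v is None:
        return None
    s_pid, t_pid, s_nid, t_cid, t_rreq = v
    return s_pid != t_pid and s_nid == t_cid and t_cid in t_rreq


def only_self(t: Obs) -> Optional[bool]:
    """Single-state fragment: the route record holds only the processing node,
    which is not the originator of the request."""
    v = _need(t.get("rreq"), t.get("cid"), t.get("src"))
    if v is None:
        return None
    rreq, cid, src = v
    return rreq == (cid,) and cid != src


def psi(s: Obs, t: Obs) -> Optional[bool]:
    """ψ(s_i, s_{i+1}): the forwarder is a neighbour of the previous sender and
    its route record shares no identity with the record it received."""
    v = _need(s.get("rreq"), t.get("rreq"), s.get("nl"), t.get("cid"))
    if v is None:
        return None
    s_rreq, t_rreq, s_nl, t_cid = v
    return t_cid in s_nl and not (set(s_rreq) & set(t_rreq))


def observe(cov: FrozenSet[str], s: Obs) -> Obs:
    """Dynamic labelling: all variables are visible when the sender (P) or the
    receiver (P') is covered; nl only when the sender is covered."""
    P, Pp = s["cid"] in cov, s["nid"] in cov
    if not (P or Pp):
        return {}
    return {var: val for var, val in s.items() if var != "nl" or P}


Report = Dict[int, Dict[str, Optional[bool]]]


def observer_report(cov: FrozenSet[str], w: List[Obs]) -> Report:
    """Per transition i (the detection timestamp), each fragment is reported as
    holding (True), refuted (False) or not verifiable on the observation (None)."""
    obs = [observe(cov, s) for s in w]
    return {i: {"pi": pi(obs[i], obs[i + 1]),
                "only_self": only_self(obs[i + 1]),
                "psi": psi(obs[i], obs[i + 1])}
            for i in range(len(obs) - 1)}


def investigate(reports: Dict[str, Report]) -> Report:
    """Merge the observers' messages: a value verified by any observer fills a
    slot that another observer could not verify."""
    merged: Report = {}
    for rep in reports.values():
        for i, frags in rep.items():
            slot = merged.setdefault(i, {})
            for f, val in frags.items():
                if slot.get(f) is None:
                    slot[f] = val
    return merged


def wormhole_steps(merged: Report) -> Tuple[List[int], List[int]]:
    """Instants where (only_self ∧ π) holds (encapsulation) and, later,
    where (π ∧ ψ) holds (decapsulation)."""
    enc = [i for i, f in sorted(merged.items()) if f.get("only_self") and f.get("pi")]
    dec = [i for i, f in sorted(merged.items())
           if f.get("pi") and f.get("psi") and enc and i > enc[0]]
    return enc, dec


if __name__ == "__main__":
    reports = {name: observer_report(cov, W) for name, cov in COVERAGE.items()}
    print(wormhole_steps(investigate(reports)))  # ([1], [5])
```

Running it reproduces the narrative: o1 verifies π and the single-state fragment at transition 1 but cannot evaluate ψ there (it never sees nl of n2), o4 verifies π at transition 5 but reports ψ as unverifiable, and o5, which covers n8, supplies ψ at transition 5; only the merged report yields both the encapsulation and the decapsulation instants.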
VIII. CONCLUSION
We provided in this work a formal technique for pattern-based digital investigation of attack scenarios in wireless ad hoc and sensor networks. The concept of evidence in the form of patterns, their formal model, and techniques to generate and verify them are defined. A network of observers in charge of monitoring node communications and verifying patterns in the forwarded traffic is defined. The use of patterns for digital investigation allows reducing the processing and