
Proceedings of the 16th International Conference on Availability, Reliability and Security: latest articles

Network Intrusion Detection in the Wild - the Orange use case in the SIMARGL project
Mikołaj Komisarek, M. Pawlicki, M. Kowalski, A. Marzecki, R. Kozik, M. Choraś
There is a profuse abundance of network security incidents around the world every day. Increasingly, services and data stored on servers fall victim to sophisticated techniques that cause all sorts of damage. Hackers invent new ways to bypass security measures and modify the existing viruses in order to deceive defense systems. Therefore, in response to these illegal procedures, new ways to defend against them are being developed. In this paper, a method for anomaly detection based on machine learning technique is presented and a near real-time processing system architecture is proposed. The main contribution is a test-run of ML algorithms on real-world data coming from a world-class telecom operator. This work investigates the effectiveness of detecting malicious behaviour in network packets using several machine learning techniques. The results achieved are expressed with a set of metrics. For better clarity on the classifier performance, 10-fold cross-validation was used.
DOI: https://doi.org/10.1145/3465481.3470091 (published 2021-08-16)
Citations: 2
Building Open Source Cyber Range To Teach Cyber Security
Tomáš Lieskovan, J. Hajny
This paper deals with the use of cyber range in education to teach cybersecurity. Particular attention is paid exclusively to open-source solutions, as such solutions are available to the general public, which is essential in raising awareness of cyber defense. First, the available open-source cyber ranges are described, their advantages and disadvantages. Subsequently, it presents our selected solution, the procedure of implementation in the Brno University of Technology laboratory, our use in our study programme and stress testing of selected cyber range. Last but not least, it provides a unique guide to designing and building own open-source cyber range LAB from scratch.
DOI: https://doi.org/10.1145/3465481.3469188 (published 2021-08-16)
Citations: 5
A Formal Analysis of EnOcean’s Teach-in and Authentication
Katharina Hofer-Schmitz
The security of protocols and the absence of design-related weaknesses and vulnerabilities is crucial for the prevention of cyber attacks. This paper provides the first formal model for EnOcean, an IoT protocol widely used in home automation systems. Based on EnOcean’s security specification a formal model of its teach-in and high security authentication is created in the applied pi calculus. In an automated security analysis with the security protocol model checker ProVerif several security requirements are checked. While the analysis shows that all the secrecy statements can be verified, it identifies some weaknesses for the authentication. Based on an analysis of the potential attacks, we suggest a provable fix for the detected attacks.
DOI: https://doi.org/10.1145/3465481.3470097 (published 2021-08-16)
Citations: 3
SecTULab: A Moodle-Integrated Secure Remote Access Architecture for Cyber Security Laboratories
J. Fabini, Alexander Hartl, Fares Meghdouri, Claudia Breitenfellner, T. Zseby
The Covid-19 crisis has challenged cyber security teaching by creating the need for secure remote access to existing cyber security laboratory infrastructure. In this paper, we present requirements, architecture and key functionalities of a secure remote laboratory access solution that has been instantiated successfully for two existing laboratories at TU Wien. The proposed design prioritizes security and privacy aspects while integrating with existing Moodle eLearning platforms to leverage available authentication and group collaboration features. Performance evaluations of the prototype implementation for real cyber security classes support a first estimate of dimensioning and resources that must be provisioned when implementing the proposed secure remote laboratory access.
DOI: https://doi.org/10.1145/3465481.3470034 (published 2021-08-16)
Citations: 2
Fighting organized crime by automatically detecting money laundering-related financial transactions
A. Tundis, Soujanya Nemalikanti, M. Mühlhäuser
Money laundering is the set of operations aimed at giving a legitimate appearance to capital whose origin is illegal, thus making it more difficult to identify and subsequently recover it. It is one of the phenomena on which the so-called underground economy relies and therefore constitutes a crime for which the charge for money laundering applies. For supporting the fight against this phenomenon, the interest towards analysis models for Anti-Money Laundering (AML) based on a combined use of automatic tools and artificial intelligence (AI) techniques increases, as it is also shown by the European Central Bank (ECB) during recent press conferences. Following this direction, this paper proposes a model for enhancing the detection of suspicious transactions related to money laundering. It is based on a set of features that are defined by considering different aspects such as the time, the amount of money, number of transactions, type of operations and level of internationalization. An AI-based computational approach centered on Machine Learning (ML) techniques has been adopted to evaluate the goodness of such feature-based model, in supporting the automatic detection of suspicious transactions, by experimenting with 5 different classifiers. The experiments showed that the Random Forest provided the best performance not only among the classifiers tested within the paper, but also in comparison to those presented in the related work with an accuracy, a recall and f1-score greater than 94% by decreasing the False Positive Rate (FPR). Furthermore, an analysis on the feature importance has been provided, to understand which feature, among the proposed ones, plays the major role in such application domain.
DOI: https://doi.org/10.1145/3465481.3469196 (published 2021-08-16)
Citations: 1
Template Protected Authentication based on Location History and b-Bit MinHash
Masakazu Fujio, Kenta Takahashi, Yosuke Kaga, Wataru Nakamura, Yoshiko Yasumura, R. Yamaguchi
Various services ranging from finance to public services are digitalized in recent years for higher efficiency and user convenience. With this service digitalization, the need for identifying and authenticating users is increasing. Amongst the user authentication methods, biometric authentication is spreading as it does not require the user to remember a password or to have a specific token. As a more convenient authentication method, research is also being conducted on unconscious authentication using smartphones’ movement history. In this paper, we propose location history-based implicit user authentication acquired through GPS-equipped mobile devices. This method enables hands-free user authentication just by having a mobile device. However, location data are sensitive information that needs to be secured from the risk of location data leakage. By using the template protection technique, location data can be transformed so that the original location data cannot be recovered while enabling authentication. However, it has a trade-off between security and accuracy and remains as a problem to be solved. This paper proposes a new location history matching method based on Modified Weighted Jaccard Coefficient. Then it extends it to template protected location history authentication by presenting a new template protection technique using b-Bit MinHash. Our experimental results show that our proposed location matching method achieves practical accuracy compared with the conventional location history matching method. Furthermore, our template-protected location authentication has comparable accuracy to unprotected matching.
DOI: https://doi.org/10.1145/3465481.3470473 (published 2021-08-16)
Citations: 0
Chaotic Pseudo Random Number Generators: A Case Study on Replication Study Challenges
J. Keller
Chaotic Pseudo Random Number Generators have been seen as a promising candidate for secure random number generation. Using the logistic map as state transition function, we perform number generation experiments that illustrate the challenges when trying to do a replication study. Those challenges range from uncertainties about the rounding mode in arithmetic hardware over chosen number representations for variables to compiler or programmer decisions on evaluation order for arithmetic expressions. We find that different decisions lead to different streams with different security properties, where we focus on period length, but descriptions in articles often are not detailed enough to deduce all decisions unambiguously. Similar problems might, to some extent, appear in other types of replication studies for security applications. Therefore we propose recommendations for descriptions of numerical experiments on security applications to avoid the above challenges.
DOI: https://doi.org/10.1145/3465481.3470062 (published 2021-08-16)
Citations: 1
OVANA: An Approach to Analyze and Improve the Information Quality of Vulnerability Databases
Philip D. Kuehn, Markus Bayer, Marc Wendelborn, Christian A. Reuter
Vulnerability databases are one of the main information sources for IT security experts. Hence, the quality of their information is of utmost importance for anyone working in this area. Previous work has shown that machine readable information is either missing, incorrect, or inconsistent with other data sources. In this paper, we introduce a system called Overt Vulnerability source ANAlysis (OVANA), which analyzes the information quality of vulnerability databases utilizing state-of-the-art machine learning (ML) and natural language processing (NLP) techniques, searches the free-form description for relevant information missing from structured fields, and updates it accordingly. Our paper exemplifies that on the National Vulnerability Database, showing that OVANA is able to improve the information quality by 51.23% based on the indicators of accuracy, completeness, and uniqueness. Moreover, we present information which should be incorporated into the structured fields to increase the uniqueness of vulnerability entries and improve the discriminability of different vulnerability entries. The identified information from OVANA enables a more targeted vulnerability search and provides guidance for IT security experts in finding relevant information in vulnerability descriptions for severity assessment.
DOI: https://doi.org/10.1145/3465481.3465744 (published 2021-08-16)
Citations: 12
Irish Attitudes Toward COVID Tracker App & Privacy: Sentiment Analysis on Twitter and Survey Data
P. Lohar, Guodong Xie, Malika Bendechache, Rob Brennan, Edoardo Celeste, R. Trestian, Irina Tal
Contact tracing apps used in tracing and mitigating the spread of COVID-19 have sparked discussions and controversies worldwide. The major concerns in relation to these apps are around privacy. Ireland was in general praised for the design of its COVID tracker app, and the transparency through which privacy issues were addressed. However, the “voice” of the Irish public was not really heard or analysed. This study aimed to analyse the Irish public sentiment towards privacy and COVID tracker app. For this purpose we have conducted sentiment analysis on Twitter data collected from public Twitter accounts from Republic of Ireland. We collected COVID-19 related tweets generated in Ireland over a period of time from January 1, 2020 up to December 31, 2020 in order to perform sentiment analysis on this data set. Moreover, the study performed sentiment analysis on the feedback received from a national survey on privacy conducted in Republic of Ireland. The findings of the study reveal a significant criticism towards the app that relate to privacy concerns, but other aspects of the app as well. The findings also reveal some positive attitude towards the fight against COVID-19, but these are not necessarily related to the technological solutions employed for this purpose. The findings of the study contributed to the formulation of useful recommendations communicated to the relevant Irish actors.
DOI: https://doi.org/10.1145/3465481.3469193 (published 2021-08-16)
Citations: 10
Time for Truth: Forensic Analysis of NTFS Timestamps
Michael Galhuber, R. Luh
Timeline forgery is a widely employed technique in computer anti-forensics. Numerous freely available and easy-to-use tampering tools make it difficult for forensic scientists to collect legally valid evidence and reconstruct a credible timeline. At the same time, the large number of possible file operations performed by a genuine user can result in a wide variety of timestamp patterns that pose a challenge when reconstructing a chain of events, especially since application-specific discrepancies are often disregarded. In this paper, we investigate timestamp patterns resulting from common user operations in NTFS, providing a much-needed update to the Windows time rules derived from older experiments. We show that specific applications can cause deviations from expected behavior and provide analysts with a comprehensive set of behavioral rules for all permissible NTFS file operations. Finally, we analyze the effect and efficacy of 7 third-party timestamp forgery tools as well as a custom PowerShell solution, and highlight forensic artifacts pointing at data falsification.
Citations: 5
Journal
Proceedings of the 16th International Conference on Availability, Reliability and Security