Abstract
When prosecuting crimes, the main question to
answer is often who had a motive and the possibility to commit
the crime. When investigating cyber crimes, the question of
possibility is often hard to answer, as in a networked system
almost any location can be accessed from almost anywhere.
The most common tool to answer this question, analysis of log
files, faces the problem that the amount of logged data may
be overwhelming. This problem gets even worse in the case
of insider attacks, where the attacker’s actions usually will be
logged as permissible, standard actions—if they are logged at all.
Recent events have revealed intimate knowledge of surveillance
and control systems on the side of the attacker, making it
often impossible to deduce the identity of an inside attacker
from logged data. In this work we present an approach that
analyses the access control configuration to identify the set of
credentials needed to reach a certain location in a system. This
knowledge makes it possible to identify a set of (inside) actors who have
the possibility to commit an insider attack at that location. This
has immediate applications in analysing log files, but also nontechnical
applications such as identifying possible suspects, or,
beyond cyber crimes, picking the “best” actor for a certain task.
We also sketch an online analysis that identifies where an actor
can be located based on observed actions.
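
The following sketch is an added example, not code or notation from the paper. It illustrates the idea in the abstract on a constructed configuration: compute the minimal credential sets that open some path to a location, then list the actors who hold one of those sets. The location, credential and actor names are assumptions, as is the simplification that every actor starts at `outside` with a fixed set of credentials.

```python
# Constructed configuration: (from, to) -> credentials needed to make that move.
EDGES = {
    ("outside", "lobby"): frozenset(),
    ("lobby", "office"): frozenset({"badge"}),
    ("office", "server_room"): frozenset({"pin"}),
    ("lobby", "server_room"): frozenset({"master_key"}),
    ("server_room", "db_host"): frozenset({"root_pw"}),
    ("office", "db_host"): frozenset({"dba_account"}),
    ("outside", "vpn"): frozenset({"vpn_cert"}),
    ("vpn", "db_host"): frozenset({"root_pw"}),
}

# Constructed actors and the credentials each one holds.
ACTORS = {
    "alice": {"badge", "dba_account"},
    "bob": {"badge", "pin"},
    "carol": {"vpn_cert", "root_pw"},
    "dave": {"master_key"},
    "erin": {"badge", "pin", "root_pw"},
}

def credential_sets(target, entry="outside"):
    """Minimal credential sets that suffice to get from entry to target."""
    need = {entry: {frozenset()}}
    changed = True
    while changed:  # fixed point over the finite lattice of credential sets
        changed = False
        for (src, dst), req in EDGES.items():
            for have in list(need.get(src, ())):
                cand = have | req
                known = need.setdefault(dst, set())
                if any(k <= cand for k in known):
                    continue  # an equal or smaller set already reaches dst
                known -= {k for k in known if cand < k}  # drop supersets
                known.add(cand)
                changed = True
    return need.get(target, set())

def possible_actors(target, entry="outside"):
    """Actors whose credentials cover at least one minimal set for target."""
    needed = credential_sets(target, entry)
    return sorted(a for a, held in ACTORS.items()
                  if any(n <= held for n in needed))

if __name__ == "__main__":
    for loc in ("server_room", "db_host"):
        print(loc, [sorted(s) for s in credential_sets(loc)], possible_actors(loc))
```

The resulting actor list can be used to narrow log review for an incident at that location to the accounts and badges of the actors who could have been there.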
Original language | English |
---|---|
Title of host publication | Proceedings of the Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering |
Publisher | IEEE |
Publication date | 2009 |
ISBN (Print) | 978-0-7695-3792-4 |
Publication status | Published - 2009 |
Event | 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, Berkeley, United States. Duration: 21 May 2009 → 21 May 2009. https://ieeexplore.ieee.org/xpl/conhome/5341543/proceeding |
Workshop
Workshop | 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering |
---|---|
Country/Territory | United States |
City | Berkeley |
Period | 21/05/2009 → 21/05/2009 |