Forensic Analysis and Compliant Databases
In the Dragoon project we
couple τBerkeleyDB, our version of
BerkeleyDB with transaction-time support and auditing,
with facilities to validate a database to detect tampering and tools to
perform forensic analysis of such
tampering once it has been detected.
Transaction-time support in a database allows it to store all the information
that was ever entered into the system. Changed and deleted information
can be retrieved at a later stage to check for mistakes or malicious
act.
A transaction-time table can be
considered to be a particularly robust form of audit log. Audit logs are considered good practice for
business systems, and are required by federal regulations for secure
systems, drug approval data, medical information disclosure, financial
records, and electronic voting. Given the central role of audit logs, it is
critical that they are correct and inalterable. It is not sufficient to say,
"our data is correct, because we store all interactions in a separate audit
log." The integrity of the audit log itself must also be guaranteed.
We have developed mechanisms
within BerkeleyDB, based on
cryptographically strong one-way
hash functions, that prevent an
intruder, including an auditor or an
employee or even an unknown bug
within the DBMS itself, from silently
corrupting the audit log. The DBMS
stores additional information in the
database to enable a separate audit
log validator to examine the database
along with this extra information and
state conclusively whether the audit
log has been compromised. We have
shown with our implementation that
the overhead for auditing is low and that
the validator can efficiently and correctly
determine if the audit log has been compromised.
We also provide a systematic means of performing forensic analysis after
such tampering has been uncovered, to determine who, when, and what. We have
developed a schematic representation termed a "corruption diagram" that aids
in intrusion investigation. We have developed successively more
sophisticated forensic analysis algorithms: the monochromatic, RGB, RGBY, Tiled Bitmap, and
a3D algorithms, which can efficiently extract a good deal of
information concerning a corruption event.
Here is a simple graphic illustrating our approach, created by Cheryl
Ryan.
We are now broadening this research to complement the existing market
for compliance storage servers , which guarantee that data are not
overwritten before the end of their mandatory retention period. These
servers are intended for preserving unstructured and semi-structured data
at a file-level granularity---email, spreadsheets, reports, instant
messages.
With Radu Sion and
Marianne Winslett,
we are developing a DBMS architecture that supports a spectrum of
approaches to regulatory compliance, each appropriate for a particular
domain, and each with different tradeoffs between security and
efficiency. The key challenge of this work is to provide compliance
assurances for the DBMS, even against insiders with superuser powers,
while balancing the need for trustworthiness against the conflicting
requirements for high performance and low cost. To meet this need, our
architecture will provide tunable tradeoffs between security and
performance, through a spectrum of techniques ranging from tamper
detection to tamper prevention for data, indexes, logs, and metadata;
tunable vulnerability windows; tunable granularities of protection;
careful use of magnetic disk as a cache; judicious use of secure
coprocessors on the DBMS platform and compliance storage server platform;
a block-based compliance storage server; and judicious retargeting of an
on-disk encryption unit.
For more information please visit the Regulatory Compliance for DBMS Engines webpage.
Project Name
Dragoon is an acronym for "Database foRensic Analysis safeGuard Of
arizONa". The word "dragoon" refers to a member of a European military unit
formerly composed of heavily armed mounted troops. Dragoon regiments were
established in most European armies during the late 17th and early 18th
centuries. The name is derived from the French word for dragon.
Dragoon is also a transitive verb meaning to coerce (someone) into compliance.
Moreover, the Dragoon
Mountains are a range of mountains located to the southwest of
Tucson, Arizona.
We believe the name is a perfect descriptor of our prototype information accountability
system since its name has a connection to Arizona and alludes to both guards and fierce mythological
creatures.
The
Dragoon logo was designed by Yifeng Li.
People
Faculty:
Radu Sion
(Stony Brook University)
Richard T. Snodgrass
Marianne
Winslett (University of Illinois)
Graduate Students:
Kyriacos Pavlou (Chief Programmer)
Rui Zhang
Previous Faculty:
Christian S. Collberg
Previous Graduate Students:
Natasha Gaitonde
Qing Ju
Soumyadeb Mitra
Shilong (Stanley) Yao
Previous Undergraduate Students:
Yifeng Li
Melinda Malmgren
Michael Patterson
Funding
Publications
Kyriacos E. Pavlou and Richard T. Snodgrass.
"Temporal Implications of Database Information Accountability," International Symposium on Temporal Representation and Reasoning (TIME), September 2012.
(Paper pdf, Presentation pdf)
Kyriacos E. Pavlou and Richard T. Snodgrass.
"Achieving Database Information Accountability in the Cloud," Short paper,
Data Management in the Cloud (DMC) Workshop, April 2012.
(pdf)
Kyriacos E. Pavlou and Richard T. Snodgrass.
"Dragoon: An Information Accountability System for High-Performance Databases,"
Demonstration,
International Conference on Data Engineering (ICDE), April 2012. (pdf)
Poster:
Kyriacos E. Pavlou.
"Database Forensics in the Service of Information Accountability,"
SIGMOD/PODS PhD Poster Session, June 2011.
(pdf) and poster presented
Kyriacos E. Pavlou and Richard T. Snodgrass, "The Tiled Bitmap Forensic
Analysis Algorithm," IEEE Transactions on Knowledge
and Data Engineering 22(4):590–601, 2010. (pdf)
Soumyadeb Mitra, Marianne Winslett, Richard T. Snodgrass, and Shashank
Yaduvanshi, "An Architecture for Regulatory Compliant Database
Management," in Proceedings of the International Conference on
Data Engineering (ICDE), pp. 162–173, Shanghai, China, 2009. (pdf)
Kyriacos Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database
Tampering," in ACM Transactions on Database Systems 33(4), 45+26
pages, December 2008. (pdf)
Melinda Malmgren, "An Infrastructure for Database Tamper Detection and
Forensic Analysis," Honors Thesis, University of Arizona, May 2007
(pdf).
Kyriacos Pavlou and Richard. T. Snodgrass, "The Pre-images of Bitwise AND
Functions in Forensic Analysis,'' TimeCenter TR 87, October, 2006.
(pdf)
Kyriacos Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database
Tampering," in Proceedings of the ACM SIGMOD International Conference on
Management of Data (SIGMOD), pages 109–120, Chicago, June, 2006. (pdf)
David Lomet, Richard T. Snodgrass, and Christian S. Jensen, "Exploiting the
Lock Manager for Timestamping," in Proceedings of the Ninth International
Database Engineering and Applications Symposium (IDEAS 2005),
pp. 357–368, Montreal,
Canada, July 2005. (pdf)
Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs," in Proceedings of the International Conference on Very Large Databases,
Toronto, Canada, August–September 2004, pp. 504–515. (pdf)
Mani Sethuraman, "Implementation and Evaluation of a Partitioned Store for
Transaction-Time Databases," TimeCenter TR-76,
December 2003. (pdf)
Corruption Event Taxonomy & Forensic Analysis Protocol
Corruption Event Taxonomy and Forensic Analysis Flowchart (pdf)
Implementation of Forensic Analysis Algorithms
The ForensicAnalysis.tar.gz
file contains a C implementation of four forensic analysis
algorithms we developed: Monochromatic, RGBY, Tiled Bitmap, and a3D.
ForensicAnalysis_v2.0.tar.gz
. This is v2.0 of the Forensic Analysis Algorithms Implementation in C.
The code has been restructured so it is easier to follow (especially
in the case of the Tiled Bitmap Algorithm).
News
"Keeping Your DBA Honest"
(article)
"UA Shares NSF Grant for Research on Securing Databases"
(news story)
The Dragoon Prototype Software
The following is the beta version of the Dragoon software
including the notarization and validation daemons, the database
audit GUIs for the DBA, Chief Security Officer (CSO),
and Crime Scene Investigator (CSI), along with setup
instructions and a complete demo of the system.
The instructions can be read
here.
The Dragoon system architecture diagram can be downloaded
here.
The Dragoon system can be downloaded
here.
Webmaster: Kyri Pavlou