Information Flow Monitoring: Model, Policy, and Analysis

Author

Lempereur, Brett ; Merabti, Madjid ; Shi, Qi

Author_Institution

Sch. of Comput. & Math. Sci., Liverpool John Moores Univ., Liverpool, UK

fYear

2011

fDate

6-8 Dec. 2011

Firstpage

227

Lastpage

232

Abstract

Live digital forensic techniques that capture a snapshot of operational state at the time of seizure are helpful, but only provide information about the current state. Attempting to audit every interaction on a system will yield records that are difficult to even store, with a low ratio of useful information to noise. In this paper we propose a distributed trace based monitoring platform that applies a user-specified policy to isolate interesting sequences of actions that may potentially involve multiple processes, files, and span network connections. The primary contribution of this paper is an efficient method for composing and monitoring system behaviour at runtime both within and between hosts. Through experimentation, we show that our system accurately identifies policy violations, and that we can place reasonable bounds on its operational complexity.

Keywords

computer forensics; data flow analysis; system monitoring; distributed trace based monitoring; information flow monitoring; interesting action sequence isolation; live digital forensic technique; network connection; operational complexity; policy violation; runtime system behaviour composition; runtime system behaviour monitoring; system interaction auditing; user-specified policy; Automata; Complexity theory; Computers; Digital forensics; Monitoring; Security; digital forensics; execution monitor; system monitoring;

fLanguage

English

Publisher

ieee

Conference_Titel

Developments in E-systems Engineering (DeSE), 2011

Conference_Location

Dubai

Print_ISBN

978-1-4577-2186-1

Type

conf

DOI

10.1109/DeSE.2011.108

Filename

6149944