Real-Time Remote Log Collect-Monitoring System with Characteristic of Cyber Forensics

Transcription

1 Real-Time Remote Log Collect-Monitoring System with Characteristic of Cyber Forensics Tung-Ming Koo, Chih-Chang Shen, Hong-Jie Chen Abstract--The science of computer forensics is often used to judge computer crime. However, if the evidences are lack of reliability, these digital evidences will not be accepted by the court. Therefore, Digital evidence must satisfy two cyber forensics requirements in order to be valid in the court. First of all, evidence acquired must be original; avoid any human intervention or fabrication. Secondly, the evidence should be coherent with its analyzed output. This research proposes an advanced mechanism which enables remote log monitoring and real-time evidence acquisition while ensuring data reliability, integrity and validity. This mechanism can be integrated into SOC framework to further guarantee enterprise security system. Index Terms-- Computer Forensics, SOC, Log, Digital Evidences, Computer Crime. I. INTRODUCTION he internet network which has great influence on people s T life nowadays, because of its borderless characteristic, leaping time and space, make people be engaged in all kinds of activity on the internet, for example, Trading of the goods, searching the materials, exchange information and viewing the video. Although the internet lets our life be more convenient, if it is utilized its characteristic by the criminals of some intentions against the law, looking for loophole and waiting for an opportunity to attack, will cause greatest losses. In recent years, the intrusions on the internet keep pouring in and the governments and enterprises of various countries have already begun to face this question, making relevant decrees and safeguard procedures of taking online security. The purpose is checking and hindering these criminals, decreasing the arising of information security events. Safeguard procedures or the security system at present improve continuously too to renovate with crime, this is an attacking and defending war to both sides, attack on the internet just like tidewater perhaps will cause the consequence that can't be retrieved. And Protect system can collect and monitor these network message effectively, when abnormality happen, can address the alert and take the corresponding emergency measure immediately. But in fact it is difficult to Tung-Ming Koo is Professor of information management department and chief of Computer Center in National Yunlin University of Science & Technology.( koo@yuntech.edu.tw). Chih-Chang Shen is at National Yunlin University of Science & Technology, Ph.D. graduate student of department of Information Management ( g @yuntech.edu.tw). Hong-Jie Chen is at National Yunlin University of Science & Technology, graduate student of department of Information Management ( g @yuntech.edu.tw). stop up all attacks effectively. For this reason, Computer Forensics is spring up. The theory of computer forensics is a new developing research field in recent years. The purposes are looking for the evidence of invading from the electronic medium. It is divided into two steps of searching evidence live and lab analysis. Electronic information has characteristics: easy to carry and revise, so how to obtain the most representative materials effectively, it is one of the focal points collecting the materials in this field. Although there is a science of computer forensics science to help, show a fact from the historical materials and every case, namely user's historical information which have already been destroyed, even has not set up initially, will cause information that can be use too little and unable to analyze. Therefore, we will lose the best evidence to declare guilty and this is difficulty on computer forensics. Maintaining the computer is a system administrator's daily most important affair, however, complexity and efficiency of system management is closely related to range of management, the amount of computer and the computer s type. However, the host computer is one close system and a lot of cases are pointed out, the system which makes a mistake, even influence the operation of organization seriously, unable to check and what happens effectively, the greatest reason is not recording. So, the concept of record of an incident (LOGs) is widely used on system management. Through the mechanism of LOGs, the operation of host computer system can be effectively recorded and enable the system administrator to follow the mark to find out the problem too, for systematic administrator, the existence of log file is definitely essential. [1] SOC (security operation center), the structure has offered the characteristic which controlled wholly. SOC focuses on pinpointing the problems and handling problems in time. However, the follow-up procedure after intrusion is still weak. So this Research s purpose lies in combining structure of SOC and setting up a real-time remote log collect-monitoring system with characteristic of cyber forensics. Through real-time remote log collect-monitoring system, we can is make sure reliability of collecting log data and these data can stand for the original data completely. They can be regarded as the crime evidence on the court. II. LITERATURE REVIEW A. Computer Forensics Computer forensics is considered as an important link in crime judgment. The purpose is getting several electronic 35

2 evidences and offers the court as evidence, so we must focus on the usability and uniqueness of the evidence. Therefore the evidence can be recognized as standing for the condition at that time. [2] And its methods and basic principles are [3]: (1)Obtain the primitive evidence in case of not changing or destroying the evidence. (2) Prove the evidence collected from the proof that is detained. (3) Analyze the evidence in case of not changing the proof. B. One-Way Hash Function with Public Key One-way hash function with public key is also calling message authentication code (MAC) [4]. MAC has a lot of the same characteristics as general one-way hash functions, what s different is adding the public key into MAC; In other words, only the people who have the key can verify MAC. And this kind of MAC based on the cipher theory is called HMAC. MAC is usually used in the information verification among different users, or is used for looking over whether the file is revised. While looking over whether the file is altered, the user can get MAC from the file and store the output value of MAC. When the file is altered, we can find the difference between old and new MAC. In this situation, if we only use general hash function, we can not find if this file is altered. In case of adopting HMAC, unless the key is cracked, anyone without authorization is unable to make correct HMAC value. C. Digital Evidence Digital evidence is to utilize computer or network to produce binary type of data as evidences that can be stored or transmitted. In addition, digital evidences have characteristics of difficult obtaining, easy duplicating, and easy eliminating and easily altered. If you want to get relevant digit evidences after the incident of information safety happens, there must be a perfect method of collection, pick fetching, analyzing and keeping the evidence. Usually enterprise will monitor and audit the system by inside network equipment or protecting software like network servers, proxy servers, fire walls or intrusion detection systems. And the most common checking way is that let meaningful system or network incidents, log files store in the place the enterprise appoints to. For the administrator, these records that collect at ordinary times can also be the digit evidence which assert the crime of the network. D. Mechanism of Analyzing Incident Records The concept of record of an incident (LOGs) is widely used on system management. Through the mechanism of LOGs, the operation of host computer system can be effectively recorded and enable the system administrator to follow the mark to find out the problem too, for systematic administrator, the existence of log file is definitely essential. The concept of information security is more and more important nowadays. Log files are necessary to system and can write down all operational step effectively. We can trace what happened at that time through log mechanism. This is the greatest advantage of log, however, the problem that exits for a long time is how to store effectively. In enterprises, except for saving important files, the saving of system log files is beginning to be paid attention to too. We can see this trend from BS7799 norm. The supplier who focuses on the network service and computer service especially pay attention to the system log files. When you proceed to analyze of invading, the existence of incident records is the key to computer forensics. How to perfectly save incident records has been the important affair of information security. E. The Problem of Log Analysis The existence of log files can offer administrators a tool that can track back to what happened at that moment. However, the log analysis is a quite huge burden, the reason is as follows: There are too many kinds of log files. The content of the record is too huge. The record only reflects the state at that time. It is difficult to keep the record. Moreover, although log files can write down the systematic state loyally, the judging and reading of what is a unusual incident and finding out what s the problem quickly are not every system manager can be competent, especially with numbers of the log files. So filtering the log file and appearing the content of the log file effectively become key factors whether the mechanism of log analysis success. F. Security Operation Center (SOC) Security Operation Center (SOC) is an integrated security control mechanism. The purpose lies in managing and monitoring many computers with different platforms and making a response when detecting the behavior of intrusion. A SOC will include following five subsystems: event generations, collection system, formatted messages database, analysis system and reaction system. Through the cooperation of five systems, we can monitor remote computers in center and make the correct response while encountering the information security incident at any time. [5] SOC can no doubt offer a complete mechanism in security management, but the structure of SOC is too huge. Moreover, for the systematic complexity, we should have SOC made to order to fit every enterprise s requirements and cost a large amount of money buying software, hardware and training people. So it is necessary to set up Light-SOC. III. PROPOSED ARCHITECTURE Our research will develop a real-time remote log collect-monitoring system with characteristic of cyber forensics [6] and the administrator can manage and monitor remote computers on the website. Based on computer forensics, it not only can offer the reliability of data transmission and the usability of information but hasten dealing with the procedure of computer forensics. To the influenced computer, it can be recovered with higher speed without shutting down when searching for the evidence. Under the normal situation, Light-SOC system will continue monitoring and can notify the 36

3 administrator by the way of setting up many kinds of early warning notices. Our research will combine the advantage of SOC and computer forensics to develop the Light SOC with characteristic of cyber forensics. A. Real Time Collection of Log That there are many kinds of methods can be used in data synchronization. For example, the backup of different places is often used rsync package through the method of synchronization, and it obtains the data of remote host in order to prevent missing of data. However, the feature of log is produced reports to original log file anytime (such as linux, it will be produced at /var/log/message). Therefore, the traditional regular synchronization transmission is not suitable for this framework which we propose. Fortunately, the syslogd[7] provides the mode of remote synchronization and remote record to users to obtain data. Through setting command (syslogd -r -m 0 is the command which used to start remote record host up), it can be achieved a collecting host which could record log data of many monitoring host. Remote Log Collection-Monitoring mechanism use UDP protocol to send data. Normally, UDP is not a reliable protocol because it can not ensure the reliability of the log data. Log data miss may be result in the judgment will be overruled in the cyber forensics. So all log data can be ensured that correctly received by client and real-time synchronization. It is the key point of this research. This research will use Syslog-ng[8] to replace syslog. Syslog-ng can use its syslog protocol that can confirm transmission method or TCP protocol to transfer remote record. It can solve the program that syslog use UDP to transfer data. B. The Structure of Light SOC The purpose of SOC is setting up the monitor center of network node on a large scale and collects the information extensively from all computers in the monitoring range. Information collected includes the information of the package, checking system state of the host computer, A perfect security centre must consider every situation that properly happens, however, the enterprise limited to the funds, can not set up so perfect monitoring structure. If we only focus on log information of the network equipment and monitoring hosts, we can still achieve the goal of making alerts and informing the administrator immediately when something wrong. Therefore, our research proposes a structure of Light SOC that can be installed easily and monitor remote computers effectively. The structure of Light SOC is as fig. 1. C. Remote Host Information Agent subsystem (RHIA) Remote host information agent subsystem (RHIA) which combines with the mechanism of log collection in time offers users to set up collection mechanism on remote host, remote host computers that are monitored must be set up this agent in these computers. RHIA will offer the dependability of transmission and will transmit the log information which remote monitored host produce to the central host computer immediately. Therefore, RHIA is the first subsystem of this structure that can offer the necessary information controlled in the range. D. Event Log Collection Subsystem (ELC) The main purpose of event log collection subsystem (ELC) is receiving log information form the RHIA. RHIA will turn primitive Log data into the hash code and finish transmission through TCP. And ELC will classify the service depending on the type of transmission data and separate the log messages adding to the hash code from the original log messages. The log information from RHIA will be received by ELC. Fig. 1. The Structure of Light SOC E. Data Formatting (DF) Data formatting (DF) offers the function of cutting log messages mainly. Except that the log type is complicated via collecting the log information from remote hosts, how to classify and store effectively influences the judgment of abnormal state and the inference result. Therefore, the purpose of the DF lies in utilizing formatting rule that is designed to format the log messages. While storing in the conclusion database after formatting, those log information will be handled by the inference engine subsystem. DF makes use of the database to preserve the log data and the database is used for preserving log messages and its hash code. This database is no longer changed after being once preserved and you can use the secondary facility to backup these data. The purpose lies in offering complete information about monitored host and can solve the problem of collecting the evidence incompletely in the procedure of traditional computer forensics. Moreover, we can verify the uniqueness log data. F. Inference Engine Subsystem (IE) The inference engine subsystem (IE) can offer the inference result about the unusual state to the center host. Log information will reflect the state of remote monitored host at present, however, too much log information users are unable to 37

4 observe one and find out the problem. Therefore, IE utilizes the way of positive inference to filter out log information that reflect something wrong and adopt the way of negative inference to reduce the production of false alerts which confusing the administrator. False alerts will be ignored directly and real alerts will be recorded in the database to export the pre- warning alert by the log control monitor console. G. Log Monitor Console Subsystem (LMC) The log monitor console (LMC) is a management mechanism based on the web and the concept of global design is from the structure of SOC. And LMC can solve the problem of management across time and space, offer a integrated mechanism of management to a system manager too and deal with the problem efficiency. LMC has four functions including: Real time monitor: Real time monitors the log status in the system. Search log messages can also achieve the objective of find suspected event to prevent it and find it as quickly as possible. The analysis of risk in security: we can view the risk level at present of computer monitored in the form of statistical chart. It can express the purpose of a large number of information, make the administrator find out the degree of risk index and decide the opportunity to deal with. System status: Each monitored detailed status of host, include warning, attacked information, status at present, can aim at each host to proceed from further judgment of detailed information. The pre-warning depending on levels: Except instant monitoring system, it is a point that the notice of the incident. Through the notice of the pre-warning alert, the administrator can pinpoint the problems as soon as possible to solve the problem fast. Therefore, except for informing the administrator incidents in security, the administrator can decide the grade of notice of the pre-warning alert flexibly to reduce unnecessary information. H. Adding the Mechanism of HMAC HMAC often uses in different users message checking or whether the document is modified or not. If there is able a key to effectively manage, then HMAC is also able used to check the identity whether it is modified or not. (1) When Syslog-ng receive the log data from host, it will add the secret key(k) of the host in the front of the log messages and send to the Hash function to produce Digest value. Then the original log message and its Digest value will be saved to the database and use TCP protocol to send these data to remote central collection server. (2) Collection server will save log messages with(d) in its proposed database. Each host that in SOC monitor range will all have its secret key(k) and be managed by SOC manager to let log messages be checked if security event happen. Each host or server has independent (K), so it can be checked for which host or server send. Plus (K) and log messages that be saved in collection Server can be checked whether messages be falsified or not. Then check that saved in host s or server s original log messages will let it be the second confirm message to check whether falsified or not. (3) The log messages that will been monitored host or server produced log messages has been saved in the collection server database. The follow work will use the has been defined SOC analysis rule etc. to filter and show the event or information. Let SOC manager do real time monitor work. Fig. 2. Diagram of HMAC Framework IV. CONCLUSION This research brings up a Real-Time Remote Log Collect-Monitoring System with Characteristic of Cyber Forensics for organization that has not enough budget or facilities. It can monitor system and network node in proposed monitor range. If security event happens, the saved data can let analysis unit effective and usable to further cyber forensics works. Let the effect substantially reduced for cyber forensics process. ACKNOWLEDGEMENT This work was supported in part by TWISC@NCKU, National Science Council under the Grants NSC P Y and part by NSC E REFERENCES [1] S. Axelsson, U. Lindqvist, U. Gustafson, E. Jonsson, An Approach to UNIX Security Logging Proc. 21st NIST-NCSC National Information Systems Security Conference,1998 [2] Kruse, W. & Heiser, J. (2002). Computer forensics: Incident response essentials, Boston: Addison Wesley. 38

5 [3] G. Kruse II and J. G. Heiser, Computer Forensic: Incident Response Essentials, Addison Wesley, 2002, pp:2-8, [4] W. Stallings, Cryptography and Network Security: Principles and Practice, 3rd ed., Prentice Hall, August [5] R. Bidou, Security Operation Center Concepts & Implementation, Iv2 Technologies,. oncept.pdf [6] J. Marcella, S. Greenfield, Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, Auerbach Publications, [7] C. Lonvick, RFC The BSD syslog Protocol,, IETF Network Working Group, [8] Syslog-ng, 39