
Game Theory and Digital Forensics


Page 1: Game Theory and Digital Forensics

Game-Theoretic Approach to Digital Forensics Investigation

Ali Dehghantanha

Senior Lecturer- University Putra Malaysia

[email protected]

A Seminar for UCD on 24th Aug 2012

Page 2

About Me

• Ph.D and M.Sc in “Security in Computing”

• CISSP, ISMS L.A, C|EI, E|CSA, C|EH, C|HFI,…

• Relevant research projects:
  Linear Temporal Formal Privacy Models: my Ph.D!
  A Formal Rule-Based Privacy Respecting Forensics Investigation: invited speech, EC-SPRIDE - Germany.
  Cyber Warfare Investigation Techniques; Past, Present and Future: keynote, DEIS2012 - Czech Republic.
  And several real-case investigations

Page 3

A Happy Investigator Until…

• Airport X investigation!!
  Complex
  Limited resources
  All sorts of devices that you can think of!!

How can I deploy my limited resources to maximize investigation efficiency?!!!

Page 4

What is the Main Cause of the Following?!

Estonia- 27 Apr 2007

Iran- 01 Jun 2010

Siberia- 1982

Brazil- 2007

Page 5

Am I the Only One?!

• Clouds

• Enterprise networks

• I.H. (incident handling) in heterogeneous networks

• Nationwide investigations

limited resources + maximum effectiveness

Page 6

Not Far Investigation Cases?!

Page 7

Game Theory, are you Kidding?!

“G.T. provides a sound mathematical approach for deploying limited resources to maximize their effectiveness”

Cyberwar G.T. - Penn University

GUARDS - Game Theoretic Security Allocation on a National Scale - USC

ARMOR: Assistant for Randomized Monitoring Over Routes - USC

Page 8

1. Optimizes crime monitoring systems
2. Provides best responses to cyberwar
3. Assists in patrolling systems

1. Provides best possible evidence locations!
2. Best incident response!
3. Maximizes resource efficiency in I.H. and digital forensics

Page 9

Elements of our Game!

A repetitive, continuous-action strategic game between multiple, possibly irrational hackers and multiple investigators, with multiple strategies for both parties!

It is a leader (hacker) - follower (investigator) game with incomplete information.

The hackers' payoff is to maximize the damage and minimize tracks, while the investigators' payoff is to contain the incident and find more evidence.

Page 10

Research Stages

1- Non-repetitive, rational hackers with finite actions

2- Rational hackers, finite actions but with learning

3- Irrational hackers, continuous actions

Page 11

Expected Contributions

1. Modeling real-world attack strategies.
2. A solution for efficient investigation and incident handling in heterogeneous networks.
3. Computational algorithms to find exact or approximate equilibria.
4. Formally defining a new area in game theory known as “Digital Forensics Games”

Page 12

Potential Applications

1. For investigators, as an efficient solution for enterprise investigation!
2. For incident handlers, to find the most probable cause of incidents and the best containment strategies.
3. For security defenders, to find efficient protection solutions that bring them the needed equilibrium.
4. Assisting cyber-warriors in their strategic modeling

Page 13

More Details of the 1st Stage (limited information + multiple parties + multiple strategies) - (finite actions + non-repetitive + rational)

So:
1. Non-Zero-Sum Bayesian Stackelberg game!
2. Looking for an exact SSE such that “Not-Attacking” would be the attacker's best choice for the asset!
3. Based on evidence and finite strategies, finding the current approximate SSE!
4. Advice on not sufficiently protected assets that caused the current SSE!
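The stage-1 model above as a runnable toy, added here and not part of the deck: a non-zero-sum Bayesian Stackelberg game solved approximately by grid search, with the investigator as the leader committing to a mixed monitoring allocation over two assets and two hacker types best-responding to it. The leader/follower assignment, the assets, the payoff tables and the type probabilities are constructed assumptions, not values from the talk.

```python
"""Approximate Strong Stackelberg Equilibrium (SSE) of a small Bayesian Stackelberg
game by grid search over the leader's mixed strategy (constructed toy example).
Leader = investigator committing where the monitoring budget goes; followers = hacker
types that observe that commitment and best-respond, ties broken in the leader's favour."""

L_ACTIONS = ("monitor_A", "monitor_B")             # leader's pure strategies
F_ACTIONS = ("attack_A", "attack_B", "no_attack")  # follower's pure strategies

# Leader payoff[leader_action][follower_action]; all values constructed.
LEADER_PAYOFF = {
    "monitor_A": {"attack_A": 2, "attack_B": -5, "no_attack": 1},
    "monitor_B": {"attack_A": -5, "attack_B": 2, "no_attack": 1},
}
# Hacker types: name -> (prior probability, payoff[leader_action][follower_action]).
FOLLOWER_TYPES = {
    "opportunist": (0.7, {
        "monitor_A": {"attack_A": -5, "attack_B": 2, "no_attack": 0},
        "monitor_B": {"attack_A": 2, "attack_B": -5, "no_attack": 0}}),
    "determined": (0.3, {
        "monitor_A": {"attack_A": -1, "attack_B": 6, "no_attack": 0},
        "monitor_B": {"attack_A": 6, "attack_B": -1, "no_attack": 0}}),
}

def expected(payoff, mixed, f_action):
    """Expected payoff of f_action against the leader's mixed strategy."""
    return sum(mixed[l] * payoff[l][f_action] for l in L_ACTIONS)

def best_response(type_payoff, mixed):
    """Follower's best reply; exact ties go to the action the leader prefers (SSE)."""
    scores = {f: expected(type_payoff, mixed, f) for f in F_ACTIONS}
    ties = [f for f, s in scores.items() if abs(s - max(scores.values())) < 1e-9]
    return max(ties, key=lambda f: expected(LEADER_PAYOFF, mixed, f))

def leader_value(mixed):
    """Leader's expected payoff once every hacker type has best-responded."""
    return sum(prob * expected(LEADER_PAYOFF, mixed, best_response(pay, mixed))
               for prob, pay in FOLLOWER_TYPES.values())

def approx_sse(steps=100):
    """Grid-search P(monitor_A) in [0, 1]; return (p, leader value, best responses)."""
    best = None
    for i in range(steps + 1):
        mixed = {"monitor_A": i / steps, "monitor_B": 1 - i / steps}
        value = leader_value(mixed)
        if best is None or value > best[1]:
            responses = {t: best_response(pay, mixed) for t, (_, pay) in FOLLOWER_TYPES.items()}
            best = (mixed["monitor_A"], value, responses)
    return best
```

On these numbers `approx_sse()` commits half the budget to each asset, the opportunist type is deterred (no_attack) and the determined type still attacks; a type that keeps attacking at the equilibrium is what point 4 above calls a not sufficiently protected asset. Finer grids only refine the approximation; an exact SSE needs the linear-programming formulations the ARMOR/GUARDS line of work uses.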

Page 14

Thanks!

And Sun Tzu's old rules still work!!

One who knows the enemy and knows himself will not be endangered in a hundred engagements.
One who knows neither the enemy nor himself will invariably be defeated in every engagement.
One who does not know the enemy but knows himself will sometimes be victorious.

[email protected]

Ali Dehghantanha