
This is the first of two papers that deal with the development of running state requirements for functional testing of security software and hardware systems. It outlines the need to adopt paradigms that reflect typical usage patterns, prevalent infection methods, and proper security tool use and configurations that are grounded in real-world scenarios. This paper outlines a practical set of such test tools based on attack infection techniques, designed to evaluate the efficacy and utility of signature-based as well as knowledge-based security systems, including those found in forensic toolkits. Signature-based testing of security solutions is complicated by the continuing increase in the number of attack signatures. Likewise, realistic behavioral testing methods for the same suffer from the increasing number of combinations and permutations of attack infection methods, which quickly become outdated as new attack categories emerge. However, the usage patterns and base attack infection techniques have remained largely stable over the past 4 years. Thus, the heuristics associated with a recognizable set of security principles present both an opportunity and a challenge: to construct forensic analysis test solutions based on the use of a security-pattern database (SPD) and the concept of adaptive event logging. The author proposes such a mechanism in this paper using three domains for the SPD, together with trigger requirements for ensuring that application, security, system, and network logging are enabled for selected events. These domains represent the normal usage patterns of PCs, the basic attack infection method categories, and the security tool capabilities and configurations necessary for optimum computer protection. This paper also shows a heuristic security checklist formed from the decomposition of 50 Trojans, worms, and spyware and used as the basis for the prevalent attack infection techniques currently in the wild.
The purpose of this exercise is to assist digital forensic practitioners with a decision support tool during the evidence gathering and analysis phases of an investigation. Recommendations are provided that show effective signature and behavioral heuristics for further refining sub-problems in the three domains. The most effective security test techniques are also shown to provide a common set of principles for the SPD.
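To make the abstract's mechanism concrete, the following is an added toy model (not code from the paper or its author) of a security-pattern database spanning the three domains named above, with adaptive event logging: when an observed event matches a pattern, the log sources that pattern requires (application, security, system, network) are switched on, and triggered patterns are aggregated per domain as a checklist view. The domain identifiers, pattern names, indicator attributes and the sample event stream are all constructed assumptions for illustration.

```python
"""
Toy security-pattern database (SPD) with adaptive event logging.
Constructed illustration only: the domain names, pattern entries and event
attributes below are assumptions chosen to mirror the abstract, not the
paper's own data.
"""
from dataclasses import dataclass, field

# The three SPD domains from the abstract (assumed identifiers).
DOMAIN_USAGE = "usage_pattern"          # normal PC usage patterns
DOMAIN_INFECTION = "infection_method"   # basic attack infection categories
DOMAIN_TOOL_CONFIG = "tool_configuration"  # security tool capabilities/config

# The four log sources the triggers must be able to enable.
LOG_SOURCES = ("application", "security", "system", "network")


@dataclass(frozen=True)
class Pattern:
    name: str
    domain: str
    indicators: frozenset   # event attributes that must all be present
    enable_logging: tuple   # log sources to switch on when the pattern fires
    weight: int = 1         # contribution to the per-domain checklist score


@dataclass
class LoggingState:
    enabled: dict = field(default_factory=lambda: {s: False for s in LOG_SOURCES})
    triggered: list = field(default_factory=list)


def build_spd():
    """Constructed sample patterns covering each of the three domains."""
    return [
        Pattern("autorun_persistence", DOMAIN_INFECTION,
                frozenset({"registry_run_key_write", "new_executable_in_temp"}),
                ("system", "security"), weight=3),
        Pattern("off_hours_login", DOMAIN_USAGE,
                frozenset({"interactive_logon", "outside_business_hours"}),
                ("security",), weight=1),
        Pattern("av_realtime_disabled", DOMAIN_TOOL_CONFIG,
                frozenset({"av_service_stopped"}),
                ("application", "security", "system"), weight=2),
        Pattern("outbound_beacon", DOMAIN_INFECTION,
                frozenset({"new_executable_in_temp", "periodic_outbound_dns"}),
                ("network", "security"), weight=3),
    ]


def match_patterns(spd, event_attrs):
    """Return patterns whose indicator set is fully contained in the event."""
    attrs = set(event_attrs)
    return [p for p in spd if p.indicators <= attrs]


def apply_event(spd, state, event_attrs):
    """Adaptive logging: enable every log source required by a matching pattern."""
    hits = match_patterns(spd, event_attrs)
    for p in hits:
        state.triggered.append(p.name)
        for src in p.enable_logging:
            state.enabled[src] = True
    return hits


def domain_scores(state, spd):
    """Aggregate triggered pattern weights per SPD domain (checklist view)."""
    by_name = {p.name: p for p in spd}
    scores = {DOMAIN_USAGE: 0, DOMAIN_INFECTION: 0, DOMAIN_TOOL_CONFIG: 0}
    for name in state.triggered:
        p = by_name[name]
        scores[p.domain] += p.weight
    return scores


def run_demo():
    """Feed a constructed event stream through the SPD and return the result."""
    spd = build_spd()
    state = LoggingState()
    events = [  # constructed attribute sets observed on one host
        {"interactive_logon", "outside_business_hours"},
        {"av_service_stopped"},
        {"registry_run_key_write", "new_executable_in_temp", "periodic_outbound_dns"},
    ]
    for ev in events:
        apply_event(spd, state, ev)
    return state, domain_scores(state, spd)


if __name__ == "__main__":
    st, sc = run_demo()
    print("enabled logging:", st.enabled)
    print("triggered patterns:", st.triggered)
    print("domain scores:", sc)
```

The point of the model is the coupling the abstract describes: patterns are grouped by domain, and a match does not merely raise an alert but changes the host's logging posture so that the evidence an investigator later needs is actually being recorded. A real SPD would carry many more patterns per domain and richer indicator matching than exact attribute containment.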