Incident Detection, Response, and Investigation
Systems are attacked, and sometimes attacks succeed. This area of our expertise includes intrusion and misuse detection, integrity management issues, audit and logging analysis, sensor and alarm design, strike-back mechanisms, dynamic reconfiguration, honeypots and "jails", cyberforensics, hacker profiling, deception and psychological operations, information warfare, cyberterrorism, criminal law and computer crime.
Printer and Sensor Forensics
This research addresses the need for a means to assure the authenticity of digital media consisting of image content. The work investigates both intrinsic signatures that are an inherent characteristic of the imaging device and extrinsic signatures that can be introduced by the manufacturer, with the possibility of including additional user-controlled information. The intrinsic signature represents artifacts that are due to optical, electrical, or mechanical limitations of the imaging device. The extrinsic signature is generated by modulating parameters that control the intrinsic signature of the device. The same algorithms that detect the intrinsic signature will form the basis for detecting and decoding the extrinsic signature.
This research will result in a new understanding of the relation between imaging devices and artifacts produced by those devices. It will lead to new knowledge regarding image analysis for feature extraction and the design of classifiers based on those features. In calculating error control codes and channel capacities for extrinsic signatures, it will extend the application of classical communications theory to a new domain. This work will be of direct benefit to society by providing law enforcement and government agents new tools for combating counterfeiting, forgery, and other criminal and terrorist activities.
Remote Examination and Manipulation of Electric and Electronic Devices Using Inverse Evaluation of Scattering (Remedies)
Process Coloring: an Information Flow-Preserving Approach to Malware Investigation
Cyberinfrastructures are facing increasingly stealthy and sophisticated malware threats. For example, recent reports have suggested that new computer worms and viruses deliberately avoid fast, massive propagation. Instead, they lurk in infected machines and inflict damage over time, such as rootkit and backdoor installation, botnet creation, and private data theft. Current methods for detection and investigation do not fully exploit information flows tracked at the operating system level. We argue that OS-level information flow is currently an under-utilized tool for malware investigation. We will use operating system information flows to propagate malware break-in provenance information, and demonstrate that preserving this provenance can make malware investigation more efficient and effective. We will also show that this technique can produce live alerts for malware that existing tools are unable to provide.
Rural Law Enforcement Technology Center
Research into Abnormal Malicious Remote Control Detection
File Hound: a Law Enforcement Contraband Images Investigative Tool
FREEK: Forensic Rapid Evidence Extraction and Analysis Kit
The Use of HDTV for In Vehicle Cameras
Cyber Forensics Investigative Services for State of Indiana Office
Cooperative Computer Incident Response (CCIR)
Created by the NW3C and CERT, and hosted by the Purdue University College of Technology, these workshops bring together members of the business, information technology, and law enforcement communities to initiate dialogue on computer security issues. Working together, participants identify the barriers to effective cooperation and investigate the ways to overcome those barriers.
In groups, participants define computer-related incidents, learn appropriate levels of response, and share effective solutions for dealing with computer incidents and crimes. Starting in single-community teams (i.e., business, information technology, law enforcement), they analyze sample incidents. Then, teams re-form into cross-community teams to simulate a task force and make recommendations about how to proceed. Discussion documents guide attendees through the process, with checklists for each professional role.