Development of methods for the dynamic detection of malicious code using machine learning techniques.

Applicants Professor Dr.-Ing. Felix Freiling; Professor Dr. Klaus-Robert Müller
Subject area Security and dependability, operating, communication and distributed systems
Funding Funded from 2011 to 2014
Project identifier Deutsche Forschungsgemeinschaft (DFG) - Project number 198804171


Year created 2015

Summary of project results

Within the project, we analyzed different approaches to generic event reconstruction in the field of forensic computing. For this purpose, we set up a private-cloud infrastructure that provides sufficient computing power and enables scalability and load balancing. Moreover, we implemented a forensic fingerprinting framework that is not only client-server based but also fully automated. The framework automatically performs interactions with a computer system the way a normal user would. This enables us to observe and extract the timestamp modification patterns that arise in the file system whenever an action is executed on the system. Installing and uninstalling software, starting an application, sending e-mails and instant messages, and deleting the web browser's history are all examples of such actions.

Based on those timestamp modification patterns, we implemented three different approaches to extracting characteristic evidence as digital fingerprints using techniques from machine learning. To do so, the input data must first be represented in a form amenable to mathematical methods, i.e. the data has to be mapped to a vector space in which learning algorithms such as Support Vector Machines can be used to train a classifier. Additionally, we implemented and evaluated four different approaches to matching the data of an unknown hard disk against the database of fingerprints. We also analyzed whether the creation of fingerprints can be skipped altogether by clustering the timestamps of a file system along its timeline into individual events.

Our evaluation has shown that it is possible to reconstruct events on a computer system from fingerprints generated out of timestamp metadata. However, the comparison of the different approaches has also shown that the application of machine learning techniques did not yield significant improvements, neither for generating the fingerprints nor for matching them.
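The pipeline sketched above (extract a fingerprint from a sandboxed action, map it into a vector space, cluster the timeline of an unknown disk into events, and match each event against the fingerprint database) as an added illustration. This is example code written for this page, not the project's framework; the file paths, the actions, the timestamps and the "unknown disk" are all constructed. It deliberately uses a plain nearest-neighbour cosine match over binary vectors instead of an SVM, in line with the result that learning-based matching did not outperform simpler methods; the gap-based timeline clustering is an assumption about how such clustering could be done, not the project's algorithm.

```python
"""Timestamp-based event reconstruction: fingerprint extraction, vectorisation,
timeline clustering and fingerprint matching (added example, stdlib only)."""
from math import sqrt

# Constructed sandbox observations, one trace per known action. Each record is
# (path, timestamp field that changed, seconds since the action started).
# The paths and actions are hypothetical, not taken from the project's data.
SANDBOX_TRACES = {
    "install_app": [
        ("C:/Program Files/App/app.exe", "crtime", 0.0),
        ("C:/Program Files/App/app.exe", "mtime", 0.1),
        ("C:/Windows/Prefetch/SETUP.EXE-1A2B.pf", "crtime", 0.3),
        ("C:/Users/u/AppData/Local/App/install.log", "mtime", 0.4),
    ],
    "start_app": [
        ("C:/Windows/Prefetch/APP.EXE-3C4D.pf", "mtime", 0.0),
        ("C:/Users/u/AppData/Local/App/app.log", "mtime", 0.2),
    ],
    "clear_history": [
        ("C:/Users/u/AppData/Local/Browser/History", "mtime", 0.0),
        ("C:/Users/u/AppData/Local/Browser/History-journal", "crtime", 0.1),
    ],
}


def extract_fingerprint(trace):
    """A fingerprint is the set of (path, field) pairs an action touches."""
    return {(path, field) for path, field, _ in trace}


def build_vocabulary(fingerprints):
    """Assign every (path, field) token seen in any fingerprint a vector index."""
    vocab = sorted({tok for fp in fingerprints.values() for tok in fp})
    return {tok: i for i, tok in enumerate(vocab)}


def vectorise(tokens, vocab):
    """Binary bag-of-tokens vector; tokens outside the vocabulary are dropped."""
    vec = [0.0] * len(vocab)
    for tok in tokens:
        if tok in vocab:
            vec[vocab[tok]] = 1.0
    return vec


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def cluster_timeline(records, gap=2.0):
    """Split a disk's timestamp records into events: a new event starts
    whenever two successive timestamps are more than `gap` seconds apart."""
    ordered = sorted(records, key=lambda r: r[2])
    clusters, current = [], []
    for rec in ordered:
        if current and rec[2] - current[-1][2] > gap:
            clusters.append(current)
            current = []
        current.append(rec)
    if current:
        clusters.append(current)
    return clusters


def match_disk(records, fingerprints, gap=2.0, threshold=0.6):
    """Label each clustered event with the best-matching fingerprint, or
    'unknown' when no fingerprint reaches the similarity threshold."""
    vocab = build_vocabulary(fingerprints)
    db = {name: vectorise(fp, vocab) for name, fp in fingerprints.items()}
    results = []
    for cluster in cluster_timeline(records, gap):
        vec = vectorise(extract_fingerprint(cluster), vocab)
        best, score = max(((n, cosine(vec, v)) for n, v in db.items()),
                          key=lambda t: t[1])
        label = best if score >= threshold else "unknown"
        results.append((cluster[0][2], label, round(score, 3)))
    return results


def reconstruct_example():
    """Constructed 'unknown disk': an install with one file missing (e.g. the
    log was later deleted), a clean application start, and an unrelated edit."""
    fingerprints = {n: extract_fingerprint(t) for n, t in SANDBOX_TRACES.items()}
    disk = [
        ("C:/Program Files/App/app.exe", "crtime", 100.0),
        ("C:/Program Files/App/app.exe", "mtime", 100.1),
        ("C:/Windows/Prefetch/SETUP.EXE-1A2B.pf", "crtime", 100.3),
        ("C:/Windows/Prefetch/APP.EXE-3C4D.pf", "mtime", 300.0),
        ("C:/Users/u/AppData/Local/App/app.log", "mtime", 300.2),
        ("C:/Users/u/Documents/notes.txt", "mtime", 500.0),
    ]
    return match_disk(disk, fingerprints)


if __name__ == "__main__":
    for when, label, score in reconstruct_example():
        print(f"t={when:6.1f}  {label:14s}  similarity={score}")
```

The partial install still matches because cosine similarity tolerates missing tokens (3 of 4 paths gives about 0.87), while a file the database has never seen maps to the zero vector and is reported as unknown rather than forced onto the nearest label.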

