Hybrid Logical Clocks for Database Forensics: Filling the Gap between Chain of Custody and Database Auditing

Title: Hybrid Logical Clocks for Database Forensics: Filling the Gap between Chain of Custody and Database Auditing
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Flores, Denys A., Jhumka, Arshad
Conference Name: 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE)
Keywords: action accountability, admissible audit records, auditing, auditing capabilities, causality, centralised vector-clock architecture, chain of custody, chain of custody properties, Clocks, CoC properties, commercial database systems, Computer architecture, data mining, database audit, database audit records, database forensics, database management systems, Database Security, digital evidence, digital forensics, Distributed databases, forensically-aware distributed database architecture, Forensics, Human Behavior, hybrid logical clocks, Proposals, Provenance, pubcrawl, Resiliency, role segregation, Scalability, security, Security Audits, third-party verification, transactional databases, user transactions
Abstract: Database audit records are important for investigating suspicious actions against transactional databases. Their admissibility as digital evidence depends on satisfying Chain of Custody (CoC) properties during their generation, collection and preservation in order to prevent their modification, guarantee action accountability, and allow third-party verification. However, their production has relied on auditing capabilities provided by commercial database systems, which may not be effective if malicious users (or insiders) misuse their privileges to disable audit controls and compromise their admissibility. Hence, in this paper, we propose a forensically-aware distributed database architecture that implements CoC properties as functional requirements to produce admissible audit records. The novelty of our proposal is the use of hybrid logical clocks, which, compared with a previous centralised vector-clock architecture, has evident advantages as it (i) allows for more accurate provenance and causality tracking of insider actions, (ii) is more scalable in terms of system size, and (iii) although latency is higher (as expected in distributed environments), 70 per cent of user transactions are executed within acceptable latency intervals.
DOI: 10.1109/TrustCom/BigDataSE.2019.00038
Citation Key: flores_hybrid_2019