Using runtime verification to generate intrusion timelines from memory images

Abstract

Every action carried out in a system is recorded and logged in memory. These are known as events and consists of various types for example opening a file, downloading a file, and accessing a network. Analysing such events is useful to detect security breaches and computer misuse. However, the events stored in memory are not always analysed; there are various steps needed to put them into a timeline for easier analysis. Manual checking for any intrusion is impractical since it will take a lot of time to go through all the events which occur continuously. Therefore, automated tools are important and are much needed in this scenario. In this project, patterns of insiders intrusion threats are generated. The first step is to create a memory image out of a system memory. The next step is extracting events from memory images and construct the timeline using the ready-made tool Volatility. For testing, different scenarios are created to see how patterns of insider threats can be detected through the timeline. The main part involves Runtime verification for going through these timelines to see if any insider threats are found. Larva is used for the analysis and timelines will have rules that need to be followed, in the form of transitions. These transitions represent the moves between the states of the timelines. An output file is generated while checking for timelines and if any intrusion is found it will be reported.