Florian P. Buchholz

Learn More
The number of computer attacks has been growing dramatically as the Internet has grown. Attackers currently have little or no disincentive to conducting attacks because they are able to hide their location effectively by creating a chain of connections through a series of hosts. This method is effective because most current host audit systems do not(More)
Worms continue to be a leading security threat on the In-ternet. This paper analyzes several of the more widespread worms and develops a general life-cycle for them. The life-cycle, from the point of view of the victim host, consists of four stages: target selection, exploitation, infection, and propagation. While not all worms fall into this framework(More)
In this paper we describe the design and implementation of Zeitline. Zeitline is a graphical timeline editor that allows a forensic investigator to create a timeline of events that were gathered from different sources, such as host MAC times, system logs, and firewalls. We present some background information, discuss the design of the tool, describe its(More)
—To detect and investigate self-propagating worm attacks against networked servers, the following capabilities are desirable: 1) raising timely alerts to trigger a worm investigation, 2) determining the break-in point of a worm, i.e., the vulnerable service from which the worm infiltrates the victim, and 3) identifying all contaminations inflicted by the(More)
To investigate the exploitation and contamination by self-propagating Internet worms, a provenance-aware tracing mechanism is highly desirable. Provenance unawareness causes difficulties in fast and accurate identification of a worm's break-in point (namely, a remotely-accessible vulnerable service running in the infected host); and incurs significant log(More)
It is desirable to be able to gather more forensically valuable audit data from computing systems than is currently done or possible. This is useful for the reconstruction of events that took place on the system for the purpose of digital forensic investigations. In this paper, we propose a mechanism that allows arbitrary meta-information bound to(More)
  • 1