Game-theoretic defensive approaches for forensic investigators against anti-forensics

dc.contributor.advisor: Ghorbani, Ali
dc.contributor.advisor: Lashkari, Arash Habibi
dc.contributor.author: Shafiee Hasanabadi, Saeed
dc.date.accessioned: 2023-03-01T16:20:39Z
dc.date.available: 2023-03-01T16:20:39Z
dc.date.issued: 2021
dc.date.updated: 2023-03-01T15:01:45Z
dc.description.abstract: Forensic investigators employ the methods, procedures and tools of digital forensics to identify and present reliable evidence of attackers' crimes in court. Attackers, however, employ a set of malicious methods and tools, known as anti-forensics, to affect the results of digital forensics and even mislead a forensic investigation. Because anti-forensics is a serious threat to the forensic investigation, investigators employ counter-anti-forensics to detect it. A review of previous studies in digital forensics shows shortcomings related to the evaluation of forensic tools, the acceleration of forensic methods, and the lack of research on understanding the attacker's behaviour. The review also shows shortcomings in the area of anti-forensics: the need for additional research on anti-forensics, on understanding the attacker's behaviour when employing anti-forensics, and on evaluating forensic tools against anti-forensics. In a forensic environment, the attacker and the investigator interact rationally and competitively to increase their payoffs. Simulating their interactions can provide beneficial knowledge for the investigator, but simulating them in the real world requires enormous financial and human resources. Game theory provides a capability for simulating these interactions. However, employing game-theoretic algorithms to simulate them in the forensic environment requires dealing with some shortcomings: 1) the need to address the players' capability to expand their action spaces in the forensic environment; 2) the need to construct a useful model of the attacker's behaviour when employing anti-forensics; 3) the need for a criterion to compare the performance of game-theoretic algorithms; and 4) the need to accelerate current memory mechanisms.

Therefore, in this thesis, we propose a memory-based game-theoretic defensive approach for forensic investigators against anti-forensics. The approach lets us simulate the interactions between an attacker and an investigator (the players) in the forensic environment when the attacker employs anti-forensics and the investigator uses counter-anti-forensics. It enables the investigator to identify the most stable and desired defensive strategies against the attacker's most stable and desired offensive strategy, and to assess existing counter-anti-forensics. We identify a comprehensive set of characteristics of the players' interactions in the forensic environment to profile potential game-theoretic algorithms and models, and then evaluate them against a set of criteria to choose the algorithms and models best suited to simulating the interactions. We use anti-forensics (i.e. rootkits, backdoors and Trojans) to define the attacker's action spaces and counter-anti-forensics (i.e. anti-rootkits, anti-backdoors and anti-Trojans) to define the investigator's action spaces, and we build three datasets. We formulate the players' payoff functions and calculate their payoff matrices. The fictitious play and gradient play algorithms are selected as the best-suited game-theoretic algorithms. Furthermore, to give the players the capability to expand their action spaces in the forensic environment and to examine the Nash equilibrium of the game without re-simulating it from the beginning, we propose a memory component and introduce an extended game-theoretic algorithm. We identify the fictitious play algorithm as the best game-theoretic algorithm and introduce assistive rules for the investigator.
dc.description.copyright: © Saeed Shafiee Hasanabadi, 2021
dc.description.note: Electronic Only.
dc.format: text/xml
dc.format.extent: xiv, 180 pages
dc.format.medium: electronic
dc.identifier.uri: https://unbscholar.lib.unb.ca/handle/1882/13581
dc.language.iso: en_CA
dc.publisher: University of New Brunswick
dc.rights: http://purl.org/coar/access_right/c_abf2
dc.subject.discipline: Computer Science
dc.title: Game-theoretic defensive approaches for forensic investigators against anti-forensics
dc.type: doctoral thesis
thesis.degree.discipline: Computer Science
thesis.degree.fullname: Doctor of Philosophy
thesis.degree.grantor: University of New Brunswick
thesis.degree.level: doctoral
thesis.degree.name: Ph.D.

Files

Original bundle: item.pdf (4.26 MB, Adobe Portable Document Format)