ArticlePDF Available

Abstract and Figures

Logging information about the activities that placed in a computer is essential for understanding its behavior. In Homeland Security, the reliability of the computers used in their activities is of paramount importance. However, attackers can delete logs to hide evidence of their activities. Additionally, various problems may result in logs being lost. These problems decrease the dependability of Homeland Security. To address these problems, we previously proposed a secure logging scheme using a virtual machine monitor (VMM). The scheme collects logs and isolates them from the monitored OS. However, the scheme cannot store them automatically. Thus, logs in memory are lost when the computer is shutdown. Further, if the logs are not stored, it is impossible to detect incidents of tampering by comparing the logs of the monitored OS with those of the logging OS. To address these additional problems, this paper proposes a log-storing module and a tamper detection scheme. The log-storing module automatically stores logs collected by the logging module, and tamper detection is realized by comparing these stored log files with those of the monitored OS. We implemented the log-storing module and realized the tamper detection scheme. Evaluations reveal the effectiveness of the tamper detection scheme.
Content may be subject to copyright.
VMM-Based Log-Tampering and Loss Detection Scheme
Masaya Sato and Toshihiro Yamauchi
Graduate School of Natural Science and Technology
Okayama University
Japan
m-sato@swlab.cs.okayama-u.ac.jp, yamauchi@cs.okayama-u.ac.jp
Abstract
Logging information about the activities that placed in a
computer is essential for understanding its behavior. In
Homeland Security, the reliability of the computers used in
their activities is of paramount importance. However,
attackers can delete logs to hide evidence of their activities.
Additionally, various problems may result in logs being
lost. These problems decrease the dependability of
Homeland Security. To address these problems, we
previously proposed a secure logging scheme using a
virtual machine monitor (VMM). The scheme collects logs
and isolates them from the monitored OS. However, the
scheme cannot store them automatically. Thus, logs in
memory are lost when the computer is shutdown. Further,
if the logs are not stored, it is impossible to detect incidents
of tampering by comparing the logs of the monitored OS
with those of the logging OS. To address these additional
problems, this paper proposes a log-storing module and a
tamper detection scheme. The log-storing module
automatically stores logs collected by the logging module,
and tamper detection is realized by comparing these
stored log files with those of the monitored OS. We
implemented the log-storing module and realized the
tamper detection scheme. Evaluations reveal the
effectiveness of the tamper detection scheme.
Keywords: Log protection, detecting log tampering,
syslog, digital forensics, virtualization technology
1 Introduction
The countermeasure for terrorism is one important topic in
Homeland Security. In the field of counter-terrorism,
enormous quantity of data is gathered and analyzed for the
planning of countermeasures. Computers and networks are
used to gather and analyze data, computer science is
deeply committed to homeland defense and security. In the
field of computer science, countermeasures are considered
for cyber terrorism as an activity in Homeland Security.
Recently, information technology is used as a tool to
control infrastructures. Cyber terrorism is able to cause
critical damage on infrastructures in low cost. Thus, the
countermeasure for cyber terrorism has been discussed.
However, the countermeasures might be weakened by
attacking on the data gathered for Homeland Security.
Therefore, the protection of the data is important. The
protection of the logs of the APs is also necessary to ensure
the validity of gathered information.
The computer terrorism has two characters: anonymity
and the lack of evidences of attacks. In computer terrorism,
it is difficult to acquire the information that specifies the
attacker. Because there are no evidences left on attacks
using network, the logs that records the behavior of the
systems are important. For this reason, the protection of
the information is necessary for the prevention and
investigation of computer terrorism.
Insider threat study is important issue in the field of
Homeland Security [1]. The purpose of insider threat study
is to help understand, detect, and prevent bad insider
activities. Log protection is one of the most important
techniques of insider threat study because logs that contain
records of system are necessary for forensics to specify
attacker's activities [2, 3].
Digital forensics is a method or technology for
addressing these problems. This is a scientific method or
research technology for court actions, which allows us to
explain the validity of the electronic records. Many
researchers are working in this area of the protection of
logging information [4-8].
Furthermore, in the United States, the federal chief
information officer announced that the government starts
using cloud computing in the federal government in
September 2009 [9]. The privacy office of the department
of Homeland Security is deeply involved in the initiative
from the beginning. From these reasons, in the field of
Homeland Security, it is strongly required for security
mechanisms to adapt to the cloud computing environment.
A firewall is efficient solution for security of the cloud
computing environment because the users need to connect
to it via network. However, the importance of logs is
remaining because server and network logs are used to
validate or confirm firewall rules [10].
Syslog is commonly used as a logging program in Linux.
In this case, the logging information generated by the AP
(user log) and kernel (kernel log) is collected by syslog.
Syslog writes logs to file according to the policy, so
attackers can tamper with logs by modifying the policy.
Moreover, if the syslog program itself is attacked, the log
files written are not reliable. In addition, the kernel log is
stored in a ring buffer, and therefore, since the kernel log is
collected on a regular schedule, if many logs are generated
and stored in the ring buffer before the next collecting time,
old logs may be overwritten by new logs. As described
above, the user log and kernel log can be tampered with or
lost.
To address these problems, we proposed a logging
system to prevent tampering and loss of logs with the
virtual machine monitor (VMM) [11]. In this system, the
OS that should be monitored (the monitored OS) works on
the virtual machine (VM). Logs in the monitored OS are
collected by the VMM without any modification of the
monitored OS’s kernel source codes. Because the system
collects logs just after the output of logs, any possibilities
for tampering are excluded. In addition, no kernel logs are
lost through the buffer being overwritten by new kernel
logs.
Because the proposed system uses virtualization
technology, it is compatible with cloud computing
environment. Thus, the proposed system is suitable for
providing the federal cloud computing environment with
higher security.
Our previously proposed system has two problems.
(1) Loss of logged information when the machine is
powered-off or restarted.
(2) Difficulty in detecting incidents of log tampering by
comparing logs.
The system that we proposed earlier keeps logs of the
monitored OS in the memory region of the VMM. As a
result, logs in the memory are lost when the machine is
powered-off or rebooted. Thus, if loss does occur, it is
unable to detect loss and tampering of logging information.
To solve these problems, this paper proposes a log-storing
module that stores logs collected by the logging module to
files. The log-storing module copies logs to the logging OS
in as soon as they are collected from the monitored OS.
The logging OS receives the logs and stores them in files
via the syslog daemon.
The logging module in our previously proposed system
also cannot compare logs directly. Consequently, it is
unable to detect log tampering immediately. This paper
also proposes a log-tampering detection function. The
function compares the logs of the monitored OS with those
of the logging OS. By comparing these log files, we can
detect incidents of log tampering in the monitored OS.
Moreover, if the logs in the monitored OS are tampered
with, our proposed function can detect exactly where and
how the logs were tampered with.
The contributions made in this paper are as follows:
(1) A log-storing module that enables the VMM to store
logs in files in a separate VM is proposed. The
logging module previously proposed in [11] is not
able to store logs to the VM automatically.
Consequently, accidental shutting down of a
computer before the log-storing command execution
may result in the logs currently in the memory being
lost. The log-storing module enhances the logging
mechanism by ensuring that log files are preserved.
(2) A scheme that detects incidents of log tampering and
loss by comparing logs is proposed. The scheme
enables us to detect incidents of changed or deleted
logs. In addition, the scheme can identify the area
where the change occurred. The results of
experiments confirm that this scheme enables the
detection of incidents of log tampering carried out by
real malware.
The remainder of this paper is organized as follows:
Section 2 describes the problems of logging with syslog
and gives an overview of the previously proposed log
User
Process sysklogd
klogd
Store Logs
Load Policy
Remote
sysklogd
Kernel Log
Buffer
Kernel
Logging
Function
User Space
Kernel Space
syslog.conf Log File
Figure 1 Architecture of syslog.
collecting scheme, the problems it addresses, and the
problems it did not resolve. Section 3 describes our
proposed log-storing scheme. Section 4 describes our
proposed method for detecting log tampering. Section 5
discusses the evaluations carried out on our proposed
schemes. Section 6 discusses related work, and section 7
concludes this paper.
2 The Logging Module and Its
Problems
In this section, we describe the architecture of syslog. We
also look at the previously proposed logging scheme based
on the VMM, along with its problems.
2.1 Syslog's Problems and Requirements for
Addressing Problems
Syslog is a protocol for system management and security
monitoring. Syslog consists of a library and a daemon.
Figure 1 shows the architecture of syslog. User and kernel
logs are collected as follows.
The syslog library provides functions for user program
to send log messages to the syslog daemon. The syslog
function sends messages to /dev/log with the send or write
system call, and the syslog daemon collects logs from
/dev/log with the read system call.
The kernel accumulates logs in internal buffer (kernel
log buffer). The kernel logging daemon (klogd) gathers
logs from the kernel log buffer, and afterwards, klogd
similarly sends logs to the syslog daemon.
Syslog also has a filtering function. Its policies are
described in the configuration file (syslog.conf).
Syslog has the following problems:
(1) The behavior of the syslog daemon can be modified
by tampering with the configuration file. In addition,
if the syslog daemon itself is tampered with, its output
can be unreliable.
(2) Users who have permission to access logs can tamper
with them intentionally.
(3) Kernel logs in Linux are accumulated in the ring
buffer and are collected at fixed intervals. Thus, if the
logs are not collected for a long time, old logs can be
overwritten by new ones. Old logs will also be
overwritten if many logs are accumulated in a time
that is shorter than the collecting interval.
New syslog daemons have been developed with the aim
of achieving greater security [12, 13]. A number of current
research projects are also geared towards the protection of
the logs. These include protection of log files [4-6],
protection of syslog programs [7], and other original
logging method that independent of syslog [8]. However,
no method has yet addressed all of the above problems.
To address the problems outlined above, we proposed
and implemented a logging mechanism with virtualization
technology that fulfills the following requirements:
(1) Detection of all outputs of log (user and kernel log).
(2) Isolation of log.
(3) Security of logging mechanism.
Our implemented system is OS independent, adaptable
to various environments, and easy to adapt to newer OS
kernel versions. Although it is necessary for protection of
the log, OS (and version) independence had until this point
proven to be an insurmountable obstacle in the
implementation of this kind of system.
2.2 The Logging Module
2.2.1 Overview of the Logging Module
Figure 2 depicts the architecture of the logging module.
The monitored OS runs in the VM, while the logging
module operates in the VMM (the details are described
below). Here, we use Xen as the VMM [14]. The logging
module collects logs generated by a user process works in
the monitored OS. After that, the collected logs are copied
by the xend daemon, which operates in Domain0.
Domain0 has privileged controls of the VMM. The xend
daemon controls the VMM. It copies the accumulated logs
from the VMM to Domain0 and stores them in files. Our
previous paper [11] details the implementation of this
mechanism.
2.2.2 The User Log Collector
The collector acquires logs when the requirement for
sending user logs occurs. As shown in Figure 2, the
logging module in the VMM hooks the system call that
was invoked for sending logs from the user process to the
syslog daemon.
To hook system calls in the VM, it is necessary that the
mechanism enable the VMM to detect invocation of
system calls in the VM. Therefore, in the logging module,
we applied a mechanism that causes a page fault when a
system call is invoked [15]. In a fully virtualized
environment, if a page fault occurs on the VM, then the
VMM is raised (VM exit) [16]. After the VMM has been
raised, the logging module acquires the user logs and hides
the occurrence of the page fault. Finally, the VMM raises
the guest OS, which works as if no event has occurred.
In this method, to cause a page fault, we modified some
registers of the monitored OS. A system call using the
sysenter (fast system call) refers the value in
sysenter_eip_msr and jumps to its address to execute the
Monitored OS
VMM
Log File
Kernel
Space
User
Space
Kernel Logging
Function
User
Process rsyslogdklogd
Kernel Log
Buffer
Domain0
xend
Log File
Logging Module
User Log CollectorKernel Log Collector
Figure 2 Architecture of the logging module.
system call function (sysenter_eip_msr is one of the
machine-specific register (MSR)). Through modification
of this value to another address to which access is not
permitted from the monitored OS, a page fault is made to
occur when a system call is invoked.
2.2.3 The Kernel Log Collector
The collector acquires logs when the kernel logging
function is called in a guest OS. Normally, the VMM
cannot detect a function call in a guest OS. To solve this
problem, the system sets a breakpoint in the guest OS, a
breakpoint exception occurs when some process reaches
this breakpoint. In our previously proposed system, since
the guest OSs are fully virtualized, breakpoint exception is
handled by the VMM. Using the exception as an
opportunity to acquire logs, the VMM can collect kernel
logs.
When the processing is brought to the VMM, the
logging module checks the state of the kernel log buffer of
the monitored OS. If new logs have accumulated in the
buffer, the logging module collects them. After that, the
VMM returns the processing to the guest OS. Since these
processes have no effect on the state of the guest OS, the
guest OS can continue to write to the kernel log.
In this method, since kernel logs are collected when a
kernel logging function is called, newer ones never
overwrite old logs.
2.3 Logging Module Problems
The logs collected by the logging module are stored in the
memory region managed by the VMM, logs are never
copied without a request from Domain0. In this situation,
logs in the memory will be lost when the machine is
powered off or rebooted.
In addition, if the machine is powered off without the logs
being saved to a file, the system loses the resources needed
for log comparison and the detection of tampering.
3 The Log-Storing Module
3.1 Requirements
To address the problems outlined at Section 2.3, this paper
proposes a log-storing module that automatically stores
VMM
Logging OS
Logging
AP
Log File
Logging Module
Modified
rsyslogd
Log-Storing Module
Monitored OS
Log File
Kernel
Space
User
Space
Kernel Logging
Function
User
Process rsyslogdklogd
Kernel Log
Buffer
Figure 3 Architecture of the log-storing Module.
logs to disks. The module automatically transfers logs
from the VMM to the logging OS, and the logging AP
operating in the logging OS saves the logs to disks. This
module enhances the logging mechanism by ensuring that
log files are preserved.
There are two requirements that need to be met in order
for the log-storing module to address the problems
outlined in Section 2.3. These requirements as follows:
(1) Assured reception and storing of the logs from the
VMM to files in the logging OS.
(2) Keeping the overheads that arise in the log-storing
module at a minimum.
Requirement (1) is necessary for ensuring that the logs are
indeed preserved, while requirement (2) is necessary
because the overheads that arise in the log-storing module
affect the performance of the monitored OS.
3.2 Overview of the Log-Storing Module
Figure 3 depicts the architecture of the log-storing module.
In the Figure 3, arrows indicate the path of the logs as they
are collected by the proposed system. The arrows with the
closely spaced broken lines (black) indicate the
conventional logging path used by the syslog daemon. The
arrow with the more widely spaced broken line (light blue)
indicates the collaboration between the logging AP and the
log-storing module.
Figure 4 depicts the flow of the log storing. The flow
divided into two parts: the accumulating part and the
storing part. In the accumulating part, when the logging
module detects system call invocation in the monitored OS,
the logging module copies logs from the monitored OS to
the VMM. The log-storing module then notifies the
logging AP that logs has been collected. The Detail of the
notification is described in Section 3.3. After the
notification, the logging module returns processing to the
monitored OS. In the storing part, the logging AP requests
a copy of the logs. To respond to the request, the VMM
copies logs to the logging AP and the AP transfers the logs
to the modified syslog daemon, which stores them to files.
Here, the syslog daemon in the logging OS uses the
same logging policy as that used by the syslog daemon in
the monitored OS. In storing the logs to files, the logs are
compressed and the messages sorted based on this syslog
daemon policy. If the logging AP had directly stored the
logs to files, it would have been difficult to compare them
to the logs in the monitored OS. Using the same policy in
(A) The accumulating part
begin
end
Detect an invoking of system
call in the monitored OS
Copy logs from the
monitored OS to the VMM
Send a event to
the logging OS for
notification
Fix register’s value
Return processing to the
monitored OS
Is it send or
write?
The target is
the syslog?
Yes
Yes
No
No
Already sent
event?
Yes
No
begin
end
Receive an event from the
logging OS
Copy logs from the buffer to
the VMCS for the logging OS
VM Enter to the logging OS
(Logs contained is the VMCS
are automatically copied to
the logging OS)
The logging AP sends logs to
the syslog daemon works on
the logging OS
The syslog daemon stores
logs to the file
Log copying
is required?
Logs are left
in the VMM?
Yes
Yes
No
No
(B) The storing part
Figure 4 The flow of log storing.
the logging OS as the monitored OS enables us to compare
logs easily.
3.3 Communication between the VMM and the
Logging AP
An event channel is used for communication between the
VMM and the logging AP. Events are the standard
mechanism for delivering notifications from the
hypervisor to guests, or between guests. Events fall into
three categories; inter-VM events, physical IRQ, and
virtual IRQs. We use the inter-VM events in
communication between the logging AP and the VMM.
Communications between the VMM and the logging OS
consists of the VMM notifying the logging OS that logs
have been collected by the logging module. In this case,
there are two types of events that the logging AP can be
made aware of. In the first type of event, a notification is
given for each logs collected, while the other type of event
is triggered when the size of the accumulated logs exceeds
a specified limit. The latter has little overheads than the
former because the number of copy is less than that of the
former. However, the latter has a risk for losing large
amounts of logs. If the machine is powered off without the
logs being stored to the files in the logging OS, all of the
logs in the VMM are lost. This situation largely affects the
latter more than the former. Thus, from the viewpoint of
log preservation assurance, the former is better than the
latter.
Further, the latter requires that a large amount of
memory be reserved in the VMM region. This
over-reservation of memory in the VMM reduces the
space available for VMs.
For these reasons, we selected the former notification
technique for use with the logging AP.
3.4 Copying Logs to the Logging AP
3.4.1 Timing of Event Delivery
The event is not delivered instantaneously. An event is
first queued to the target OS, after which the target OS is
scheduled and queued events delivered. Thus, some
amounts of delay in event delivery should be taken into
consideration in log collection notification.
To compensate the delay of event delivering, the
log-storing module should buffers logs in the memory. In
contrast to buffering, our module sends an event
immediately as each log is collected from the monitored
OS because we need to store the logs as quickly as possible.
Therefore, as soon as a notification reaches to the logging
OS, the logging AP copies the logs from the VMM to its
own memory region.
3.4.2 Reducing Copy Overheads
To fulfill the requirement (2), the overheads that arise
during the copying of the logs must be kept to a minimum.
Until the request hypercall reaches to the VMM, logs are
buffered in the VMM. When the hypercall is invoked by
the logging OS, all buffered logs are copied to the logging
OS.
Currently, our proposed method buffers logs only when
many events are queued to the logging OS. The logging
module sends an event when the module detects log
sending on the monitored OS. An event is asynchronously
reaches to a guest OS. Thus, logs are copied from the
VMM to the logging OS when the logging OS invokes
hypercall to require log copying. In this case, if the logging
module sends an event in every time of detection of log
sending on the monitored OS, the logging OS may invoke
hypercalls in every event. However, the log-storing
module copies all logs accumulated in the VMM at one
time. Thus, the logging OS invokes unnecessary
hypercalls. The transition between a guest OS and the
VMM takes about two microseconds. Thus, unnecessary
hypercall invocation degrades performance.
To address this problem, the logging module reduces
sending of unnecessary event. The logging module does
not send an event if logs are accumulated in the VMM’s
memory region and the logging module already sent an
event. With this mechanism, the VMM can copy logs to
the logging OS with an event and a hypercall. Thus, there
are only necessary event and hypercall exist. Figure 5
shows the reduction of unnecessary events. Incidentally,
the reduction of unnecessary events does not degrade the
log preservation assurance referred in Section 3.3.
To reduce the overheads, it is effective to minimize
the number of copy. To minimize the copy overheads,
log-buffering mechanism referred in Section 3.3 is
effective. However, it is a challenging problem and not
implemented in current our proposed system.
3.5 Log-Storing in the Logging OS
Figure 6 depicts the overview of the log storing procedure
in the logging OS. To store logs to files, the logging AP
and the modified syslog daemon are works on the logging
OS. The logging AP receives logs of the monitored OS via
the storing module works in the VMM. The modified
VMM The Logging OS
event
event
event
hypercall
log copy
hypercall
(unnecessary)
hypercall
(unnecessary)
Do not care about
unnecessary events
VMM The Logging OS
event
event
event
hypercall
log copy
Reducing
unnecessary events
Reduced action
Action
Time
Figure 5 Reducing unnecessary events.
Figure 6 Log-storing with modified syslog daemon.
syslog daemon stores logs to files. The reason why we
modified the syslog daemon in the logging OS is to avoid
mixing of logs between the monitored OS and the logging
OS. Normal syslog daemon receives logs via the /dev/log
socket file. Meanwhile, the modified syslog daemon
receives logs via the /dev/xllog socket file. The logging AP
sends the collected logs to the /dev/xllog socket file and
the modified syslog daemon receives logs via the socket
file. In this method, the collected logs from the VMM are
stored separately from the log files stored by the normal
syslog daemon. In this situation, two syslog daemons
(normal one and modified one) are running in the logging
OS. Furthermore, for ease of comparison, the modified
daemon loads the policy of the syslog daemon operates in
the monitored OS. At this time, if the policy loads by the
modified syslog daemon is completely same as the policy
loads by the normal one, the log files stored in the logging
OS contains both logs of the monitored OS and those of the
logging OS. If both logs are stored together, it is difficult to
find out the logs collected by the logging AP.
For these reasons, we change the directory used for
storing the logs collected by the logging AP. For example,
we change the policy as stores the logs that are originally
stored to the /var/log/messages to the
/var/log/monitored_OS/var/log/messages. In this case, the
modified syslog daemon in the logging OS assumes the
root directory as the /var/log/monitored_OS. With this
change, we can compare log files in the monitored OS with
those in the logging OS easily.
4 Detection of Log Tampering
To detect incidents of log tampering, we compares the logs
in the monitored OS with those of the logging OS. For
fine-grained analysis, a file comparing method is useful. In
this section, we describe the method to detect incidents of
log tampering and loss by comparing log files.
Figure 7 depicts the flow of tampering detection. First,
we replace hostname column of the log file in the logging
OS as the hostname of the monitored OS because the file
contains the hostname of the logging OS. Second, we
mount the disk image of the monitored OS. Then, we
extract log entries that we want to compare, and finally,
compare log files between the monitored OS and the
logging OS. In this process, if a difference is detected, that
is the part tampered with.
4.1 Requirements for Detection of Log Tampering
To detect tampering by means of log file comparison, the
following entries are required.
(1) Hostname.
(2) Timestamp.
(3) Username.
(4) Log message.
The reason is as follows. A hostname is needed in order to
determine the source of log. A timestamp, a username, and
a log message are necessary to ascertain the veracity of the
environment containing the log. Attackers tamper with
logs to hide the time of command execution and the
identity of the who executed the command. A log message
is needed in order to determine what changes were caused
by attacks.
By comparing these entries between the monitored OS
and the logging OS, we can detect what and how those
entries were tampered with.
4.2 Comparing Logs
Acquire log files in the monitored OS and compare them
with log files those are stored by logging AP. To get the
logs in the monitored OS, we mounted the disk image that
the monitored OS currently using. Thus, the comparison
can be done even if the monitored OS is working on.
In comparing log files, diff is useful tool. However, it is
difficult to compare logs in untouched format because the
difference between logs in the monitored OS and the
logging OS. If there are many differences in each log file,
diff cannot give us efficient information. Thus we
modified the syslog daemon in the logging OS to use the
policy in the monitored OS. If the syslog daemon loads and
uses the policy in the monitored OS, we can easily detect
begin
end
Replace hostname column
Mount disk image of the monitored OS
Compare log files between the
monitored OS and the logging OS
Extract log entries what we want to
compare
Figure 7 The flow of tampering detection.
/bin
boot
var cache
lib
log dmesg
lastlog
messages
user.log
var log
monitored_OS
mail.log
messages
user.log
kern.log
Logging OS
/bin
boot
var cache
lib
log mail.log
messages
user.log
kern.log
Monitored OS
Figure 8 Directory tree in each OS.
tampering by comparing log files in each OS.
Figure 8 depicts the directory trees in each OS. As
shown in Figure 8, to detect tampering, we just compare
log files in each OS. The /var/log/monitored_OS/var/log/
directory in the logging OS corresponds to the /var/log/
directory in the monitored OS.
4.3 Log Formatting
The logs stored by the modified syslog daemon contain the
hostname of the logging OS (not the hostname of the
monitored OS), while other required entries are correctly
stored. To address this problem, we format the logs in the
logging OS collected by the logging AP to replace the
hostname of the logging OS to that of the monitored OS.
4.4 Advantage
Incidents of log tampering are detected by comparing log
files. If a log in the monitored OS is tampered with, the
comparison enables us to detect this occurrence. The
comparison also enables us to detect exactly where and
how the log was tampered with.
Tripwire [17] can detect any changes in a designated set
of files and directories. However, Tripwires detection
mechanism uses signature comparison. As a result, it is
unable to indicate what part of the file has changed. In
Figure 9 Result of diff command applied to auth.log in the monitored OS and the logging OS.
Table 1 Software used for evaluation.
OS
(Debian 5.0.3)
Domain0
Linux 2.6.18-xen
HVM domain
Linux 2.6.26
Not virtualized
VMM
Xen 3.4.1
Syslog daemon
rsyslogd 3.18.6
order to achieve this, a method such as content comparison
is needed. Our proposed detection method incorporates
content comparison to detect file changes.
Our proposed method, however, is not suitable for
instantaneous tamper detection. Thus, we recommend that
our method be combined with a method that
instantaneously detects file changes to provide
comprehensive, efficient means of detecting and analyzing
properties changes.
5 Evaluation
5.1 Purpose
We evaluated the system from three points of view:
completeness of the collected logs, ability to detect
tampering, and the overheads that arise in our proposed
system. Table 1 indicates software used for evaluation.
5.2 Completeness of Collected Logs
To confirm the ability of the log-storing module to store
logs completely, we used ApacheBench benchmark tool.
With the tool, we requested a file 500 times in a short time.
Here, the concurrency of the connection by the tool is 1
and the length of each log entry is 104, total length of these
lines is 52,000. The web server outputs logs in each access
and the log-storing module attempts to store logs in each
output of log.
After the experiment, we checked the log file stored in
the logging OS. The file contains all of log entries and it
indicates the total time consumed by the experiment is less
than 1 second. With this result, it is considered that the
proposed log-storing module have enough ability to store
logs with no loss of logs even in high-load situation.
5.3 Detection of Log Tampering
To detect log tampering by our proposed logging module
and the log-storing module, we tamper with logs by a log
wiper program. After that, comparing each log to detect
tampering and file changes.
We use Vanish as a log wiper written for educational
purpose. Vanish remove a log entry that contains a
designated username, hostname and IP address.
For detection of log tampering, we delete log entries in
the auth.log log file in the monitored OS with Vanish. We
add a new user thief in the monitored OS. Here, we
assume that the user thief can use sudo command. After
logged in as thief, we use sudo. The execution of sudo is
logged to auth.log. Finally, we tampered with logs by
Vanish to delete log entries that contain thief. To detect
this file change, we compared the auth.log in the
monitored OS and that in the logging OS.
Figure 9 shows the output of diff command applied to
the auth.log in the monitored OS and the logging OS. Log
entries shown in Figure 9 are not appeared in the auth.log
in the monitored OS because those are deleted by Vanish.
From the result, our proposed logging scheme
prevented tampering of log files by isolating logs from the
monitored OS. Moreover, the scheme can detect the file
changes in the log files in the monitored OS.
5.4 Security of the Logging Path
To guarantee the integrity of a log, it is necessary to ensure
the security of the logging path. Here, we compare the
security of the logging paths of the existing and the
proposed system.
First, we analyze the logging path of a user log. A user
log might be attacked at the following points:
(1) The time when a user process generates a log.
(2) The time between the sending of a log and its receipt
by the syslog daemon.
(3) The time between the reception by the syslog daemon
and storing it to a file.
(4) After the output of a log.
The existing system cannot detect and prevent
tampering or the loss of logs at any time. In contrast, in the
proposed system, time (1) is the only possible time when
attacks might be suffered. To protect the logs in the time
(1), it is necessary to ensure the integrity of all programs
that generate logs. In this case, DigSig [18] is suitable but
this method does not satisfy our demand because it
modifies the kernel codes. Moreover, this method cases a
large overhead.
Second, we analyze the logging path of a kernel log. A
kernel log might be attacked at the following moments:
(1) The time to generate a kernel log in a kernel.
(2) The time to output the log to a kernel log buffer.
(3) While stored in the kernel log buffer.
(4) The time during which a kernel logging daemon
gathers a log.
(5) While the kernel logging daemon sends the log to
syslog.
(6) While syslog stores the log to a file.
(7) After the output of a log.
5,9d4
< Nov 27 22:56:22 debian
sudo
: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/login thief
< Nov 27 22:56:24 debian login[2626]:
pam_unix
(
login:session
): session opened for user thief by user(
uid
=0)
< Nov 27 22:56:51 debian
sudo
: thief : TTY=pts/0 ; PWD=/home/thief/vanish ; USER=root ; COMMAND=/bin/bash
< Nov 27 22:58:08 debian
sudo
: thief : TTY=pts/0 ; PWD=/home/thief/vanish ; USER=root ; COMMAND=./vanish
thief
thief
-
host thief
-
addr
Table 3 Performance comparison in each environment.
1 KB File
100 KB File
(A) Linux
(B) Xen
(C) The logging
module
(A) Linux
(B) Xen
(C) The logging
module
(1) Linux
1
1.88
1.97
1
1.24
1.27
(2) Xen
0.53
1
1.05
0.80
1
1.02
(3) The logging module
0.51
0.96
1
0.79
0.98
1
(4) The logging module
and the log-storing
module
0.37
0.69
0.72
0.70
0.86
0.88
Table 2 Environment used for measurement.
CPU
Server Machine
Client Machine
Core 2 Duo
(2.40 GHz)
Pentium 4
(3.00 GHz)
Memory
The Logging OS
1 GB
2 GB
1 GB
The Monitored OS
1 GB
Bandwidth
100 Mbps
100 Mbps
Software
thttpd 2.25b
ApacheBench 2.3
Requests
100
Concurrency
1
In the existing system, it is impossible to protect a log
from an attack by a rootkit at any time. Furthermore, there
is a possibility of attack similar to the logging of a user log
if the kernel is safe. The proposed system gathers a log at
time (2). We can consider tampering with the kernel
logging function as an example of an attack at time (2).
However, the log gathered by the proposed system is the
previous one. Therefore, the logs might be attacked at time
(3). Thus, the proposed system can address attacks on and
after time (4). The improvement of the proposed system
for gathering a log immediately after its output enables it
to address time (3) as well.
5.5 Overheads
We measured the overheads that arise in our proposed
system. To evaluate the effects for APs, we used thttpd
web server and ApacheBench benchmark tool for
measurement of throughputs of the web server. Since
thttpd uses syslog function for logging, it is suite for
evaluation of our proposed system.
Table 2 shows the environment used for measurement.
In the environment, thttpd operates on the monitored OS
and ApacheBench is executed on the client machine. The
concurrency of the connection is 1 and the number of total
requests is 100. We requested 1 KB and 100 KB files and
measured throughputs in both experiments.
Figure 10 shows the results of the measurement. Table 3
compares the performance in each environment. From the
comparison, the log-storing module causes large
overheads. The throughput of 1 KB transfer in the
environment (4) is about 37% to that in the environment
(1). The throughput of 100 KB file transfer of the
environment (4) is about 70% to that in the environment
(1). The relative performance in 100 KB file transfer is
better than that in 1 KB file transfer. It is considered that
the ratio of file transfer becomes greater in total workload
in the case of 100 KB file transfer. From these
measurements, it is found that reducing the overheads that
arise in our proposed system is a challenge for the future.
1897.32
109.23
1009.92
87.88
964.81
86.3
697.79
76
0
200
400
600
800
1000
1200
1400
1600
1800
2000
1KB File
100KB File
Linux
Xen
Logging Module
Logging Module + Log Storing Module
Figure 10 Throughputs of web server in each
environment (file size: 1 KB).
5.6 Case Study
Assuming the situation that an attacker intruded into the
virtual machine, which contains large amount of
information related to Homeland Security. In ordinary
circumstances, it is difficult to intrude into those virtual
machines. At this time, we assume insider threats. If the
insider intruded into the virtual machine, he firstly try to
terminate or fake the logging daemon to hide his activities.
In here, we assume the attacker alter the logging daemon
that are modified to do not output logs related to his
malicious activities. After successfully altered the daemon,
he operates some malicious work and delete their activities
related to the intrusion. Finally, he collects some important
information and restores the logging daemon.
In this case, if the administrator of the virtual machine
installed the tripwire, he can detect the modification of log
files but he cannot prevent modification of files.
If the proposed system is installed in the virtual
machine monitor lying under the virtual machine, he can
prevent tampering of the log files because the VMM
collects logs to the other virtual machine. Thus, the
administrator can also detect tampering with log files.
6 Related Work
In this section, we discuss work related our research
outlined in this paper. Section 6.1 describes a file integrity
checking method, while Sections 6.2 to 6.4 describe log
protection methods.
6.1 File Integrity Check
Tripwire [17] can detect changes in a designated set of
files and directories. However, because the detection is
carried out by comparing file signatures, it is unable to
detect where in a file the change occurred, or how the file
was changed. Kim and Spafford [17] state that the file
comparison method is better than signature comparison
and has fine detection capabilities. However, they also
allege that the file comparison method is resource and time
intensive. Our proposed tamper detection method detects
and copies only those logs used by syslog and kernel
logging function. Thus, there is no need to copy an entire
file. Moreover, the method detects and copies only new
logs-which require minimal overheads. For these reasons,
we believe that our proposed method includes none of
problems outlined in [17].
Our proposed method, however, is not suitable for
instantaneous tamper detection. Thus, we recommend that
our method be combined with a method that
instantaneously detects file changes to provide a
comprehensive, efficient means of detecting and analyzing
property changes.
6.2 Protection of Log File
Some research has been carried out on the protection of
files by the file system. The system NIGELOG has been
proposed for protecting log files [4]. This method has a
tolerance for file deletion. It produces multiple backups of
a log file, keeps them in the file system, and periodically
moves them to other directories. By comparing the original
file and the backups, any tampering with the log file can be
detected. Moreover, if any tampering is detected, the
information that has been tampered with can be restored
from these backups.
The protection of files with the file system is still
vulnerable to attacks that analyze the file system.
Therefore, a log-protection method using virtualization
has been proposed [5]. This method protects logs by
saving them to another VM, so it is impossible to tamper
with the logs from other VM. However, this method aims
to protect the log of a journaling file system, so the scope
of the protection target is different from that in our
research.
The hysteresis signature is used to achieve the integrity
of files. However, it is known that the algorithm of the
hysteresis signature has a critical weak point. Although the
hysteresis signature can detect the tampering and deletion
of files, it cannot prevent tampering and deletion.
Moreover, the manager of the signature generation
histories can tamper with the histories and files. Therefore,
a mechanism to solve this problem using a security device
has been proposed [6]. Because this method constructs a
trust chain from the data in the tamper-tolerant area of the
security device, the source of the trust chain is protected
from attackers. Nevertheless, this method is not versatile
because it uses the special device..
6.3 Protection of Syslog
The methods mentioned above are protecting log files.
However, they cannot protect logs before storing of them.
Thus, a method to guarantee syslog’s integrity has been
proposed [7], which uses a Trusted Platform Module
(TPM) and a late launch by a Secure Virtual Machine
(SVM) to ensure the validity of syslog. The validated
syslog receives logs and sends them to a remote syslog.
Table 4 Security comparison between the
proposed system and related works.
Prevention
of log-
tampering
Prevention
of log loss
Detection of
log-tampering
and loss
The proposed system
X
X
X
Tripwire [17]
X
NIGELOG [4]
X
(X)
X
Security device and
hysteresis signature [5]
(X)
X
Protect the log of a
journaling file system
using virtualization [6]
(X)
(X)
X
Protection of syslog with
TPM and SVM [7]
(X)
(X)
LSM-based secure
system monitoring [8]
X
X
6.4 Other Logging Method
An original logging method, independent of syslog, has
been proposed for audit [8]. This method uses Linux
Security Modules (LSM) to collect the logs, and
Mandatory Access Control (MAC) to ensure their validity.
The system also uses SecVisor [19], and DigSig [18].
SecVisor ensures the security of the logging framework,
and DigSig prevents rootkit from making modifications to
access permissions. DigSig adds a signature to a program,
and prevents the execution of an unknown program by
verifying its signature. This method collects logs in its own
way, but the method modifies the kernel source codes. In
general, kernel modification is difficult and complex, so
the method lacks versatility. In addition, the method uses
variety of mechanisms, the overheads arising from them
have large effect on daily operations on computers.
6.5 Comparison between the proposed system and
related works
Table 4 shows the comparison between our proposed
system and related works. The comparison noticed on
prevention of log tampering, prevention of log loss, and
detection of log tampering and loss.
The proposed system can prevent log tampering and
loss and detect them. Protection of the logs of journaling
file system [6] is secure than other methods. However, the
protection method only protects the log of journaling file
system. Other methods only prevent tampering or loss, and
many other methods aims to detect tampering and loss.
7 Conclusion
In this paper, we proposed and described a log-storing
module that stores logs collected by the logging module in
a separate VM. We also described our log tampering
detection technique, which is based on log comparison.
Evaluations of our proposed methods ability to detect
tampering by real malware were also described with the
results of the evaluations confirming that our
log-tampering detection function has enough ability to
detect this kind of tampering.
An evaluation of the impact of our proposed method on
the performance of the monitored OS was also concluded.
The evaluation shows that the proposed method decreases
the performance of thttpd web server to 37% of that
operates in not-virtualized environment in a worst case.
From the evaluation, it is found that reducing the
overheads that arise in our proposed system is a challenge
for the future.
Acknowledgment
This research was partially supported by Grant-in-Aid for
Scientific Research 21700034 and a grant from the
Telecommunications Advancement Foundation (TAF).
References
[1] Marisa Reddy Randazzo, Michelle Keeney, Eileen
Kowalski, Dawn M. Cappelli and Andrew P. Moore,
Insider Threat Study: Illicit Cyber Activity in the
Banking and Finance Sector, Carnegie Mellon
University Technical Report CMU/SEI-2004-TR-021,
2005.
[2] Karen Kent and Murugiah Souppaya, Guide to
Computer Security Log Management, NIST Special
Publication 800-92, 2006.
[3] Jeffrey Hunker and Christian W. Probst, Insiders and
Insider Threats - An Overview of Definitions and
Mitigation Techniques, Journal of Wireless Mobile
Networks, Ubiquitous Computing, and Dependable
Applications (JoWUA), 2011, pp.4-27.
[4] Tetsuji Takada and Hideki Koike, NIGELOG:
Protecting Logging Information by Hiding Multiple
Backups in Directories, International Workshop on
Database and Expert Systems Applications, 1999,
pp.874878.
[5] Siqin Zhao, Kang Chen and Weimin Zheng, Secure
Logging for Auditable File System using Separate
Virtual Machines, Proc. IEEE International
Symposium on Parallel and Distributed Processing
with Applications, 2009, pp.153 160.
[6] Yuki Ashino and Ryoichi Sasaki, Proposal of Digital
Forensic System using Security Device and
Hysteresis Signature, Proc. Third Inter-national
Conference on International Information Hiding and
Multimedia Signal Processing (IIH-MSP 2007) Vol.
02, 2007, pp.37.
[7] Benjamin Boeck, David Huemer, A Min Tjoa,
Towards More Trustable Log Files for Digital
Forensics by Means of “Trusted Computing”, Proc.
24th IEEE International Conference on Advanced
Information Networking and Applications (AINA),
2010, pp.10201027.
[8] Takamasa Isohara, Keisuke Takemori, Yutaka
Miyake, Ning Qu and Adrian Perrig, LSM-Based
Secure System Monitoring using Kernel Protection
Schemes, Proc. International Conference on
Availability, Reliability, and Security, 2010,
pp.591596.
[9] Vivek Kundra, Streaming at 1:00: In the Cloud,
http://www.whitehouse.gov/blog/Streaming-at-100-I
n-the-Cloud/, 2009.
[10] Muhammad Abedin, Syeda Nessa, Latifur Khan,
Ehab Al-Shaer and Mamoun Awad, Analysis of
firewall policy rules using traffic mining techniques,
International Journal of Internet Protocol
Technology (IJIPT), Vol.5, No.1/2, 2010, pp.322.
[11] Masaya Sato and Toshihiro Yamauchi, VMBLS:
Virtual Machine Based Logging Scheme for
Prevention of Tampering and Loss, 2011
International Workshop on Security and Cognitive
Informatics for Homeland Defense (SeCIHD'11),
Lecture Notes in Computer Science, Vol.6908, 2011,
pp.176190.
[12] Adiscon’s Rsyslog, The enhanced syslogd for Linux
and Unix rsyslog, http://www.rsyslog.com/
[13] The free software company BalaBit, Syslog Server |
syslog-ng Logging System,
http://www.balabit.com/network-security/syslog-ng/
[14] Paul Barham, Boris Dragovic, Keir Fraser, Steven
Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian
Pratt and Andrew Warfield, Xen and the Art of
Virtualization, Proc. 19th ACM Symposium on
Operating Systems Principles, 2003, pp.164177.
[15] Artem Dinaburg, Paul Royal, Monirul Sharif and
Wenke Lee, Ether: Malware Analysis via Hardware
Virtualization Extensions, Proc. 15th ACM
conference on Computer and Communications
Security, 2008, pp.5162.
[16] Intel, Intel 64 and IA-32 Architectures Software
Developer’s Manual Volume 3B: System
Programming Guide, Part 2,
http://www.intel.com/Assets/PDF/manual/253669.pd
f (2009).
[17] Gene H. Kim and Eugene Howard Spafford, The
Design and Implementation of Tripwire: A File
System Integrity Checker, Proc. 2nd ACM
Conference on Computer and Communications
Security, 1994, pp.1829.
[18] Axelle Apvrille, David Gordon, Serge Hallyn, Makan
Pourzandi and Vincent Roy, DigSig: Run-time
Authentication of Binaries at Kernel Level. Proc. 18th
USENIX Conference on System Administration, 2004,
pp.5966.
[19] Arvind Seshadri, Mark Luk, Ning Qu and Adrian
Perrig, SecVisor: A Tiny Hypervisor to Provide
Lifetime Kernel Code Integrity for Commodity OSes,
Proc. 21st ACM SIGOPS Symposium on Operating
Systems Principles, 2007, pp.335350.
... Log files can be used to detect anoma-20 lous user behavior or system activity (Corney et al., 2011;Studiawan et al., 2017). Accordingly, methods to maintain the integrity of logs and to detect any modification have previously been studied (Boeck et al., 2010;Sato and Yamauchi, 2012). In 25 general, log forensics have been investigated extensively and a rich volume of literature is available on this topic. ...
... In 2012, a study addressed secure methods for logging by employing a separate virtual machine to 480 store the OS logs (Sato and Yamauchi, 2012). The proposed mechanism compares the logs in a monitored host operating system and the virtual machine. ...
... No explanation how host and guest OS communicate securely Sato and Yamauchi (2012) Prevent both event log loss and tampering Produce a big overhead when sending logs Secure data structures Goodrich et al. (2005) Provide security in regular data structure ...
Article
Full-text available
Event logs are one of the most important sources of digital evidence for forensic investigation because they record essential activities on the system. In this paper, we present a comprehensive literature survey of the forensic analysis on operating system logs. We present a taxonomy of various techniques used in this area. Additionally, we discuss the tools that support the examination of the event logs. This survey also gives a review of the publicly available datasets that are used in operating system log forensics research. Finally, we suggest potential future directions on the topic of operating system log forensics.
... In addition, the log integrity is guaranteed by using mandatory access control. The method of [22,23] gathers the logging information generated by the OS and the APs working on the target VM by the VMM. To gather the logging information by the VMM, the VMM hooks the system call that was invoked for sending logs from the user process to the syslog daemon. ...
... Then, LISS verifies the integrity of the log files by comparing the hash value between the original file and the backup file. Similar to [22], the VMM-based tracing function ensures the reliability of the monitoring information by sheltering the tracing function from the target OS. Further, it seems that the reliability of the monitoring information can be improved by combining the VMM-based tracing function with the methods of [7,24,25]. ...
Article
Full-text available
Cases of classified information leakage have become increasingly common. To address this problem, we have proposed a function for tracing the diffusion of classified information within an operating system. However, this function suffers from the following two problems: first, in order to introduce the function, the operating system’s source code must be modified. Second, there is a risk that the function will be disabled when the operating system is attacked. Thus, we have designed a function for tracing the diffusion of classified information in a guest operating system by using a virtual machine monitor. By using a virtual machine monitor, we can introduce the proposed function in various environments without modifying the operating system’s source code. In addition, attacks aimed at the proposed function are made more difficult, because the virtual machine monitor is isolated from the operating system. In this paper, we describe the implementation of the proposed function for file operations and child process creation in the guest operating system with a kernel-based virtual machine. Further, we demonstrate the traceability of diffusing classified information by file operations and child process creation. We also report the logical lines of code required to introduce the proposed function and performance overheads.
... To conclude the above discussion, it is required to have a trusted, traceable, immutable and verifiable log system to maintain trust among Cloud service providers and their users. There are multiple solutions available for log tampering detection over the Cloud [3], [4] but merely tampering detection may not be enough hence we focus on immutable log storage using Blockchain technology. ...
Article
Data security is a very important and crucial part of Cloud storage. Day by day, thousands of operations function over the Cloud, verify logs generated from all transactions is very difficult. The attacker may temper or remove targeted logs or attack traces on the system with stealthy techniques. It is required to maintain the security of the log to trace back all the transactions to identify such tempering and loss of logs. Temper-proof log storage is a challenging issue on the Cloud. To overcome the issue, we propose strong and secure log storage using Blockchain technology and IPFS. Detecting log tempering and tracing is challenging due to large log volumes. We recommend the usage of Blockchain technology due to its inherent feature of immutability to address the issue of log tempering. We present LChain which provides immutable storage of logs with tracing. Blockchain technology helps yp create immutable logs but also offers non-repudiation and scalability. Smart contracts are used for efficient searching and enhancing computational power.
... Given the number of logs that are generated by the Cloud monitoring solutions, there are many tampering possibilities. While tamper detection solutions can be used to detect any changes in the logs [80,88], we argue that due to the critical nature of logs, tamper detection is not good enough; one should consider a storage option that offers immutability for all critical logs. ...
... The positive sides of cloud storage are the conveniences; synchronization, sharing, collaboration, accessibility and disaster recovery. There is also a negative side to cloud storage services which is that there is no guarantee of a security service provided to fend off cybercrime activities [10]. Cybercrime is any kind of act using computers and networks that violates the law, or causes harm or threat to an individual or group [11][12][13][14][15]. ...
Article
The best known software developers all offer cloud storage services. Microsoft offers Onedrive to its users, Apple offers iCloud Drive and Google offers Google Drive or GDrive. The battle between these software developers is ongoing and they will always strive to give the best services to their users. It is not only technology that is evolving, however, but also ways in which security can be breached and data abused. The security of information on the Internet is increasingly at risk and there are many threats to cloud storage platforms. This research used the mobile forensics approach to help in identifying and analyzing user behavior that may occur while using GDrive application for cybercrime. The novelty of comparison and analyzing methods performed in this research can help to find remnant data from all activities performed by GDrive users in Android smartphones. Hence, this proposed method can assist investigators in finding remnant data on GDrive client and can provide knowledge for legal practitioners.
... In other words, a traceable, verifiable, and immutable log system is required to establish trust among Cloud participants. Although a number of solutions for log tampering detection are available [5], [6], we argue that log tampering detection is not good enough and one should ensure that logs are tamper-proof, i.e., immutable. ...
... In other words, a traceable, verifiable, and immutable log system is required to establish trust among Cloud participants. Although a number of solutions for log tampering detection are available [5], [6], we argue that log tampering detection is not good enough and one should ensure that logs are tamper-proof, i.e., immutable. ...
Preprint
Full-text available
During the normal operation of a Cloud solution, no one usually pays attention to the logs except technical department, which may periodically check them to ensure that the performance of the platform conforms to the Service Level Agreements. However, the moment the status of a component changes from acceptable to unacceptable, or a customer complains about accessibility or performance of a platform, the importance of logs increases significantly. Depending on the scope of the issue, all departments, including management, customer support, and even the actual customer, may turn to logs to find out what has happened, how it has happened, and who is responsible for the issue. The party at fault may be motivated to tamper the logs to hide their fault. Given the number of logs that are generated by the Cloud solutions, there are many tampering possibilities. While tamper detection solution can be used to detect any changes in the logs, we argue that critical nature of logs calls for immutability. In this work, we propose a blockchain-based log system, called Logchain, that collects the logs from different providers and avoids log tampering by sealing the logs cryptographically and adding them to a hierarchical ledger, hence, providing an immutable platform for log storage.
... Other research on auth.log investigation 15 was proposed by Sato and Yamauchi [5]. They first provided an architecture for securing log files and then proposed tampering detection of system logs including auth.log. ...
Article
Full-text available
Attacks on operating system access control have become a significant and increasingly common problem. This type of security threat is recorded in a forensic artifact such as an authentication log. Forensic investigators will generally examine the log to analyze such incidents. An anomaly is highly correlated to an attacker's attempts to compromise the system. In this paper, we propose a novel method to automatically detect an anomaly in the access control log of an operating system. The logs will be first preprocessed and then clustered using an improved MajorClust algorithm to get a better cluster. This technique provides parameter-free clustering so that it automatically can produce an analysis report for the forensic investigators. The clustering results will be checked for anomalies based on a score that considers some factors such as the total members in a cluster, the frequency of the events in the log file, and the inter-arrival time of a specific activity. We also provide a graph-based visualization of logs to assist the investigators with easy analysis. Experimental results compiled on an open dataset of a Linux authentication log show that the proposed method achieved the accuracy of 83.14% in the authentication log dataset.
... The proposed method uses Trusted Platform Module (TPM) and AMD's Secure Virtual Machine (SVM) to ensure confidentiality, integrity, and non-repudiation of log information. To prevent tampering and deleting of logs by attackers, Virtual Machine Monitor (VMM) based logging scheme is proposed [18]. In the proposed scheme, a VMM has the responsibility to collect log messages generated by virtual machines running on the VMM. ...
Conference Paper
Log messages are generated by operating systems and applications. These messages contain important information about the health and operation of the system. The messages are also of great significance for security management, audit-checks, and forensics in an intranet. So, a logging system that generates, relays, collects and archives log messages, must be monitored and managed just like all other components of the ICT infrastructure, to ensure that it is operating normally i.e., the logs are being collected and archived as desired. In the Internet, some progress has been made towards the standardization of the syslog protocol but, to date, the management aspect of syslog has been neglected, for all practical purposes. In this paper, we discuss the necessity and importance of monitoring and managing logging systems. We present the basic design of a Management Information Base module which will make it possible to monitor and manage a syslog system using standard management protocols. Then we discuss a prototype implementation of the MIB and demonstrate a syslog management application for managing the syslog configuration of an enterprise.
Article
Full-text available
In the realm of cloud server operations, where the sheer volume of daily transactions is immense, safeguarding data security is paramount. One of the significant challenges faced is the verification of transaction logs, as attackers may attempt to tamper with them. The current system, utilizing Proof of Work (PoW) for blockchain, falls short by lacking robust data encryption, thereby exposing a critical vulnerability. This proposed paper introduces an innovative solution by integrating the more secure and energy-efficient Proof of Stake (PoS) algorithm with Blowfish encryption. The combination of PoS and Blowfish addresses the identified weaknesses effectively. PoS introduces a novel approach by relying on validators who have a stake in the network, creating a powerful deterrent against log tampering. This not only enhances the integrity of the transaction logs but also reduces the risk of malicious activities. Additionally, the incorporation of Blowfish encryption ensures the confidentiality of log data, providing an extra layer of protection. Even if logs are accessed illicitly, the encryption prevents unauthorized individuals from deciphering sensitive information. Furthermore, the implementation of a smart contract for user registration adds another dimension to security, creating a comprehensive solution to fortify data security on Cloud servers. The proposed approach offers a promising solution to the critical cybersecurity challenge faced by cloud servers. By combining the security features of PoS and Blowfish encryption, along with the strategic use of smart contracts, the solution not only deters tampering but also safeguards sensitive information. This holistic approach contributes significantly to reinforcing the data security infrastructure of cloud servers in the face of evolving cyber threats.
Article
Full-text available
Current and former employees, contractors, and other organizational "insiders" pose a substantial threat by virtue of their knowledge of and access to their employers' systems and/or databases and their ability to bypass existing physical and electronic security measures through legitimate means. Previous efforts to study insider incidents have focused on narrow areas of industry and have not examined the incidents from both behavioral and technical perspectives simultaneously. These gaps in the literature have made it difficult for organizations to develop a comprehensive understanding of the insider threat and address the issue from an approach that draws on human resources, corporate security, and information security perspectives. The Secret Service National Threat Assessment Center and the CERT Coordination Center of Carnegie Mellon University's Software Engineering Institute joined efforts to conduct a unique study of insider incidents, the Insider Threat Study (ITS), examining actual cases identified through public reporting or as a computer fraud case investigated by the Secret Service. Each case was analyzed from a behavioral and a technical perspective to identify behaviors and communications in which the insiders engaged -- both online and offline -- prior to and including the insiders' harmful activities. The research focused on the following major topic areas: components of the incident, detection of the incident and identification of the insider, pre-incident planning and communication, nature of harm to the organization, law enforcement and organizational response, characteristics of the insider and the organization, insider background and history, and insider technical expertise and interests. Section 1 of this report presents an overview of the ITS, including its background, scope, and study methods. Section 2 reports the findings and implications specific to research conducted on insider threat cases in the banking and finance sector.
Article
Threats from the inside of an organization's perimeters are a significant problem, since it is difficult to distinguish them from benign activity. In this overview article we discuss defining properties of insiders and insider threats. After presenting definitions of these terms, we go on to discuss a number of approaches from the technological, the sociological, and the socio-technical domain. We draw two main conclusions. Tackling insider threats requires a combination of techniques from the technical, the sociological, and the socio-technical domain, to enable qualified detection of threats, and their mitigation. Another important observation is that the distinction between insiders and outsiders seems to loose significance as IT infrastructure is used in performing insider attacks.
Conference Paper
Trustable log data is essential in digital forensic investigations in order to allow reliable reconstruction of events. Existing solutions do not provide adequate protection, exposing the log-producing application to software-based attacks. In this paper we provide a solution based on Trusted Computing using a Trusted Platform Module (TPM) and AMD's Secure Virtual Machine technology (SVM). While current solutions only protect against manipulation of existing logs, we go one step further by establishing hardware-based trust in the log producing application. Our solution ensures confidentiality, integrity and non-repudiation during creation, storage and transmission of log data.
Conference Paper
Malware has become the centerpiece of most security threats on the Internet. Malware analysis is an essential technology that extracts the runtime behavior of malware, and supplies signatures to detection systems and provides evidence for re- covery and cleanup. The focal point in the malware analysis battle is how to detect versus how to hide a malware ana- lyzer from malware during runtime. State-of-the-art analyz- ers reside in or emulate part of the guest operating system and its underlying hardware, making them easy to detect and evade. In this paper, we propose a transparent and ex- ternal approach to malware analysis, which is motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side-effects that are unconditionally detectable by malware. Our analyzer, Ether, is based on a novel application of hardware virtualization extensions such as Intel VT, and resides completely outside of the target OS environment. Thus, there are no in-guest software compo- nents vulnerable to detection, and there are no shortcomings that arise from incomplete or inaccurate system emulation. Our experiments are based on our study of obfuscation tech- niques used to create 25,000 recent malware samples. The results show that Ether remains transparent and defeats the obfuscation tools that evade existing approaches.
Conference Paper
Logging information is necessary in order to understand a computer’s behavior. However, there is a possibility that attackers will delete logs to hide the evidence of their attacking and cheating. Moreover, various problems might cause the loss of logging information. In homeland security, the plans for counter terrorism are based on data. The reliability of the data is depends on that of data collector. Because the reliability of the data collector is ensured by logs, the protection of it is important problem. To address these issues, we propose a system to prevent tampering and loss of logging information using a virtual machine monitor (VMM). In this system, logging information generated by the operating system (OS) and application program (AP) working on the target virtual machine (VM) is gathered by the VMM without any modification of the OS. The security of the logging information is ensured by its isolation from the VM. In addition, the isolation and multiple copying of logs can help in the detection of tampering.
Conference Paper
Auditable file system is used to track the usage of the file system including the operations like read and write. Auditable file system keeps the trails of userspsila action and the trails are kept faithfully for future auditing. However, as the logs are still kept within the same file system, it will be quite vulnerable to be exposed as malware penetrating the system. Even with the file system hiding the logs, the skillful attacker can still analyze the on-disk structure to get and modify the logs. Thus the logs should be kept separate from the working system. Virtual machines can provide such separation as virtual machines can hold the whole operating system while still keep the system apart from the metal hardware. We propose a method of secure logging for auditable file system using a logging virtual machine. The logs are kept in another virtual machine safely. Even the working virtual machine is broken; the logs are not exposed to the outside. By the isolation provided by virtual machines, the logs can be kept safe and valid. The high privileged user can not modify the logs contents, or forge the logs and data to keep consistency, or pretend to be another user for doing un-authorized actions. We have done several works as well as a prototype system to show the feasibility of such approach. Experiments show that the logging virtual machine will not bring too much overhead.