Journal of Emerging Technologies in Web Intelligence Contents

More documents

Recommendations

Info

110 JOURNAL OF EMERGING TECHNOLOGIES IN WEB INTELLIGENCE, VOL. 2, NO. 2, MAY 2010Recovery Based Architecture To Protect HidsLog Files Using Time StampsSurinder S. KhuranaPunjab Engg. College, Chandigarh, Indiasurindersingh.cs07@pec.edu.inDivya Bansal , Prof. Sanjeev SofatPunjab Engg. College, Chandigarh, IndiaAbstract – After the great revolution in the field ofInformation Technology, many applications made necessityto run computer systems (either servers or client machines)all the time. Along with improvements and new inventionsin technology, the threat of attacks through computernetworks becomes a large issue. Host Based IntrusionDetection is a part of security system that protects hostsfrom various kinds of attacks. It also provides a greatdegree of visibility (of system activities). It is quite widestthat HIDS are vulnerable to attacks. An adversary, ifsuccessfully enters in a system can disable HIDS or modifyHIDS rules to hide its existence. One can easily evade HIDS.In [7] we propose a new architecture that protects HIDSfrom such attacks. In this paper, we have proposed a newmechanism to check integrity of log files. We have discussedits affects on performance of system.I. INTRODUCTIONIntrusion Detection System [5] is an imperativeingredient in network computer security which plays avital role in detecting the intrusive activities before theyoccur. Intrusion Detection is usually done throughscanning network traffic and/or hosts data and activities.These intrusive activities can be defined as - activitiesperformed by some adversary for gaining unlawfulbenefits. The adverse affects of such intrusion activitiesare in terms of loss of confidentiality, integrity andavailability of resources or services.IDSs can be classified under various categories.Figure-1 illustrates the various classifications of IntrusionDetection Systems.Response BasedDomain OfDetection BasedUnderlyingDetectionTechniqueBased• Active IDS• Passive IDS• HIDS• NIDS• Anomaly based IDS• Signature based IDSFigure-1: IDS ClassificationAn IDS can be active or passive. Passive IDS detectthe attacks and logs information or raise alarms. ActiveIDS takes action in response to an already detectedattack. Active IDSs are also known as IntrusionPrevention System.Section 2 discusses Detection and Recovery basedArchitecture to protect HIDS. Section 3 describes timestamping based protocol to check integrity of log files. Insection 4 and 5, we discuss implementation details.Affects of our architecture on system performance hasdescribed in section 6. In section 7, we discuss somerelated works. We present directions for future work in 6and our conclusion in section 8.II. OVERVIEW OF DETECTION AND RECOVERYBASED ARCHITECTUREIn [1], architecture has proposed to detect attacks onHIDS and recover HIDS to its previous healthy state. Thearchitecture protects HIDS from two type of attacks: firstis that it does not allow adversary to kill the HIDSprocess. And the other is it does not allow unauthorizedmodification of rule or signature database. The basic ideabehind the architecture is to allow the adversary toperform attack on HIDS and then recover the HIDS to itsprevious healthy state. A new process called MonitorIDShas been introduced in the proposed architecture.MonitorIDS is a lightweight system process whichdetects the attacks that affects HIDS and takes requiredactions to recover HIDS from affects of that attack.MonitorIDS takes care of both HIDS process andintegrity of HIDS related information. However, thisarchitecture does not consider underlying technique usedby HIDS to detect intrusions. It can be used with eithersignature based or anomaly based IDS.Figure 2 depicts working of proposed architecture. Asshown in figure 2, a backup of HIDS related files hasbeen created immediately after the installation.MonitorIDS process is embedded with HIDS. Thisprocess regularly monitors the HIDS process and filesafter a small fraction of time gap. If MonitorIDS foundHIDS process dead (detect unauthorized kill of HIDS) itimmediately restarts the HIDS. It also monitors integrityof files related to HIDS. These files may include rule orsignature database. If it found any unauthorizedmodification of HIDS files it replace the modified files© 2010 ACADEMY PUBLISHERdoi:10.4304/jetwi.2.2.110-114
JOURNAL OF EMERGING TECHNOLOGIES IN WEB INTELLIGENCE, VOL. 2, NO. 2, MAY 2010 111Create Backpup Directory During InstallationRun HIDS and Monitor IDS processMonitor for Attack on HIDSMonitor for Attack on MonitorIDSAttack performedAttack performedHIDS ProcessTerminatedHIDS FilesChangedMonitorIDS ProcessTerminatedMonitorIDS relatedFiles ChangedRestart The HIDSRestore Files FromBackup DirectoryRestart MonitorIDSProcessRestore Files FromBackup DirectoryCreate Log For Attack and inform the Administartor.Figure 2 : Block Diagram of proposed architecturewith files from backup directory. It also logs the attackinformation and informs the administrator.The architecture also takes care of backup directoryand MonitorIDS process related information, so that thesecannot be modified by some adversary. One importantpoint to note about MonitorIDS is that it is a Systemprocess. To run this process as system process an entrylabeled with respawn has made in /etc/inittab file. Thatcannot be stopped. If some adversary makes attempt tokill this process, operating system kernel automaticallyrestarts it. MonitorIDS process also takes care of/etc/inittab file so that entry related to it cannot beremoved.III. TIME STAMPING BASED MECHANISM TOCHECK INTEGRITY OF LOG FILESCompares Last ModificationTime of Log FileWith stored valueWrite log entry in log fileandin backup copy of log file.Encrypt Last ModificationTime of log fileandIts backup copyReplace Log File WithBackup coopyThe main goal is to detect and recover unauthorizedmodification of log files by any process that is not relatedto HIDS. Such detection is made based on the lastmodification time (a file attribute, changed when the filewas modified) of the log file.As shown in Figure-3, when HIDS is running underthis mechanism it should follow the below givensequence of steps to write an entry in a file.1. Write log entry in log file and in backup copy oflog file.2. Encrypt Last Modification Time of log file and itsbackup copy.3. Write encrypted version of last Modification timeof log file and its backup copy into a file.Save Encrypt Last ModificationTimes in a FileFigure - 3: Sequence of Steps to Write Entry in Log FileBefore writing any entry IDS process compares thecurrent last modification time of log file and lastmodification time that was stored in a file as specified instep 3 given above. A mismatch between these twovalues represents that any other process changed the logfile means unauthorized modification of log file. In sucha case log file is replaced with its backup copy or ifunauthorized access to the backup file is detected, it willbe replaced with log file.© 2010 ACADEMY PUBLISHER
Page 1 and 2: Journal of Emerging Technologies in
Page 3 and 4: JOURNAL OF EMERGING TECHNOLOGIES IN
Page 6 and 7: 82 JOURNAL OF EMERGING TECHNOLOGIES
Page 24 and 25: 100 JOURNAL OF EMERGING TECHNOLOGIE
Page 81 and 82: Aims and ScopeCall for Papers and S

Journal of Emerging Technologies in Web Intelligence Contents

Create successful ePaper yourself

Delete template?

Save as template?