Abstract
Logging information about the activities that placed in a computer is essential for understanding its behavior. In Homeland Security, the reliability of the computers used in their activities is of paramount importance. However, attackers can delete logs to hide evidence of their activities. Additionally, various problems may result in logs being lost. These problems decrease the dependability of Homeland Security. To address these problems, we previously proposed a secure logging scheme using a virtual machine monitor (VMM). The scheme collects logs and isolates them from the monitored OS. However, the scheme cannot store them automatically. Thus, logs in memory are lost when the computer is shutdown. Further, if the logs are not stored, it is impossible to detect incidents of tampering by comparing the logs of the monitored OS with those of the logging OS. To address these additional problems, this paper proposes a log-storing module and a tamper detection scheme. The log-storing module automatically stores logs collected by the logging module, and tamper detection is realized by comparing these stored log files with those of the monitored OS. We implemented the log-storing module and realized the tamper detection scheme. Evaluations reveal the effectiveness of the tamper detection scheme.
| Original language | English |
|---|---|
| Pages (from-to) | 655-666 |
| Number of pages | 12 |
| Journal | Journal of Internet Technology |
| Volume | 13 |
| Issue number | 4 |
| Publication status | Published - 2012 |
Keywords
- Detecting log tampering
- Digital forensics
- Log protection
- Syslog
- Virtualization technology
ASJC Scopus subject areas
- Software
- Computer Networks and Communications