VMM-based log-tampering and loss detection scheme

Research output: Contribution to journalArticlepeer-review

10 Citations (Scopus)

Abstract

Logging information about the activities that placed in a computer is essential for understanding its behavior. In Homeland Security, the reliability of the computers used in their activities is of paramount importance. However, attackers can delete logs to hide evidence of their activities. Additionally, various problems may result in logs being lost. These problems decrease the dependability of Homeland Security. To address these problems, we previously proposed a secure logging scheme using a virtual machine monitor (VMM). The scheme collects logs and isolates them from the monitored OS. However, the scheme cannot store them automatically. Thus, logs in memory are lost when the computer is shutdown. Further, if the logs are not stored, it is impossible to detect incidents of tampering by comparing the logs of the monitored OS with those of the logging OS. To address these additional problems, this paper proposes a log-storing module and a tamper detection scheme. The log-storing module automatically stores logs collected by the logging module, and tamper detection is realized by comparing these stored log files with those of the monitored OS. We implemented the log-storing module and realized the tamper detection scheme. Evaluations reveal the effectiveness of the tamper detection scheme.

Original languageEnglish
Pages (from-to)655-666
Number of pages12
JournalJournal of Internet Technology
Volume13
Issue number4
Publication statusPublished - 2012

Keywords

  • Detecting log tampering
  • Digital forensics
  • Log protection
  • Syslog
  • Virtualization technology

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'VMM-based log-tampering and loss detection scheme'. Together they form a unique fingerprint.

Cite this