
Real-Time File Integrity Checker for Intrusion Recovery and Response System  

Jeun Sanghoon (Researcher, MMC Technology Co., Ltd.)
Hur Jinyoung (Researcher, MMC Technology Co., Ltd.)
Choi Jongsun (Department of Computer Science, Soongsil University)
Choi Jaeyoung (School of Computing, Soongsil University)
Abstract
File integrity checking is the most reliable method for examining the integrity and stability of system resources. However, it requires examining all of the data every time the system's integrity is audited, and both the process and its results depend on the administrator's experience and skill. The existing method is therefore not appropriate for intrusion response and recovery systems, which require a fast response time. Moreover, file integrity checking can collect information about the damaged resources but not about the subject that generated the action, information that would be very useful for intrusion isolation. In this paper, we propose rtIntegrit, which combines a system-call auditing function, called Syswatcher, with file integrity checking. By combining with Syswatcher, rtIntegrit can detect many activities on files or the file system in real time. Syswatcher audits the file-I/O-related system calls specified in its configuration. rtIntegrit can also cooperate easily with intrusion response and recovery systems, since it generates assessment data in the standard IDMEF format.
Keywords
Intrusion Recovery; Intrusion Auditing; File Integrity
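As an added illustration of the design sketched in the abstract (example code written here, not the paper's own implementation of rtIntegrit or Syswatcher): a baseline-hash checker that re-hashes only the file named in an audited file-I/O system-call record, instead of rescanning everything, and emits a minimal IDMEF alert naming both the damaged file and the user and process that touched it. The `key=value` audit-record format, the set of audited syscalls and the analyzer id are constructed assumptions.

```python
import hashlib
import os
import xml.etree.ElementTree as ET

# Constructed configuration in the spirit of Syswatcher: only these file-I/O
# syscalls trigger a re-check (names assumed here, not taken from the paper).
AUDITED_SYSCALLS = {"open", "write", "unlink", "rename"}

def file_hash(path):
    """SHA-256 of a file, or None when it no longer exists (the deletion case)."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def take_baseline(paths):
    """Classic integrity-checker step: hash every protected file once."""
    return {p: file_hash(p) for p in paths}

def parse_audit_record(line):
    """Parse a constructed 'syscall=write uid=1001 pid=42 path=/x' audit line."""
    return dict(field.split("=", 1) for field in line.split())

def idmef_alert(rec, expected, actual):
    """Minimal IDMEF Alert carrying the damaged file AND the acting user/process."""
    msg = ET.Element("IDMEF-Message", version="1.0")
    alert = ET.SubElement(msg, "Alert")
    ET.SubElement(alert, "Analyzer", analyzerid="rtintegrit-example")  # assumed id
    ET.SubElement(alert, "Classification", text="File integrity violation")
    target = ET.SubElement(alert, "Target")
    uid = ET.SubElement(ET.SubElement(target, "User"), "UserId", type="current-user")
    ET.SubElement(uid, "number").text = rec.get("uid", "")
    ET.SubElement(ET.SubElement(target, "Process"), "pid").text = rec.get("pid", "")
    f = ET.SubElement(target, "File", category="current")
    ET.SubElement(f, "name").text = os.path.basename(rec["path"])
    ET.SubElement(f, "path").text = rec["path"]
    for meaning, val in (("expected-sha256", expected), ("actual-sha256", actual)):
        ET.SubElement(alert, "AdditionalData", type="string", meaning=meaning).text = val or "missing"
    return ET.tostring(msg, encoding="unicode")

def check_event(line, baseline):
    """Real-time path: re-hash only the file an audited syscall touched.
    Returns an IDMEF XML string on mismatch or deletion, else None."""
    rec = parse_audit_record(line)
    path = rec.get("path")
    if rec.get("syscall") not in AUDITED_SYSCALLS or path not in baseline:
        return None
    actual = file_hash(path)
    return None if actual == baseline[path] else idmef_alert(rec, baseline[path], actual)
```

A full-scan checker would report only the changed file; the audit record supplies the uid and pid that a response system needs for isolation.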