Evidence of log integrity in policy-based security monitoring

Mirko Montanari; Jun Ho Huh; Derek Dagit; Rakesh B. Bobba; Roy H. Campbell

doi:10.1109/DSNW.2012.6264693

Evidence of log integrity in policy-based security monitoring

Mirko Montanari, Jun Ho Huh, Derek Dagit, Rakesh B. Bobba, Roy H. Campbell

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Monitoring systems are commonly used by many organizations to collect information about their system and network operations. Typically, SNMP, IDS, or software agents generate log data and store them in a centralized monitoring system for analysis. However, malicious employees, attackers, or even organizations themselves can modify such data to hide malicious activities or to avoid expensive non-compliance fines. This paper proposes a cloud-based framework for verifying the trustworthiness of the logs based on a small amount of evidence data. A simple Cloud Security Monitoring (CSM) API, made available on the cloud services, allows organizations operating on the cloud to collect additional 'evidence' about their systems. Such evidence is used to verify system compliance against the policies set by security managers or regulatory authorities. We present a strategy for randomly auditing and verifying resource compliance, and propose an architecture that allows the organizations to prove compliance to an external auditing agency.

Original language	English (US)
Title of host publication	2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012
DOIs	https://doi.org/10.1109/DSNW.2012.6264693
State	Published - Dec 1 2012
Event	2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012 - Boston, MA, United States Duration: Jun 25 2012 → Jun 28 2012

Publication series

Name	Proceedings of the International Conference on Dependable Systems and Networks

Other

Other	2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012
Country	United States
City	Boston, MA
Period	6/25/12 → 6/28/12

Fingerprint

ASJC Scopus subject areas

Software
Hardware and Architecture
Computer Networks and Communications

Cite this

Montanari, M., Huh, J. H., Dagit, D., Bobba, R. B., & Campbell, R. H. (2012). Evidence of log integrity in policy-based security monitoring. In 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012 [6264693] (Proceedings of the International Conference on Dependable Systems and Networks). https://doi.org/10.1109/DSNW.2012.6264693

Evidence of log integrity in policy-based security monitoring. / Montanari, Mirko; Huh, Jun Ho; Dagit, Derek; Bobba, Rakesh B.; Campbell, Roy H.

2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012. 2012. 6264693 (Proceedings of the International Conference on Dependable Systems and Networks).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Montanari, M, Huh, JH, Dagit, D, Bobba, RB & Campbell, RH 2012, Evidence of log integrity in policy-based security monitoring. in 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012., 6264693, Proceedings of the International Conference on Dependable Systems and Networks, 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012, Boston, MA, United States, 6/25/12. https://doi.org/10.1109/DSNW.2012.6264693

@inproceedings{e9f81cc5626e4ba0a050c6636233620c,

title = "Evidence of log integrity in policy-based security monitoring",

abstract = "Monitoring systems are commonly used by many organizations to collect information about their system and network operations. Typically, SNMP, IDS, or software agents generate log data and store them in a centralized monitoring system for analysis. However, malicious employees, attackers, or even organizations themselves can modify such data to hide malicious activities or to avoid expensive non-compliance fines. This paper proposes a cloud-based framework for verifying the trustworthiness of the logs based on a small amount of evidence data. A simple Cloud Security Monitoring (CSM) API, made available on the cloud services, allows organizations operating on the cloud to collect additional 'evidence' about their systems. Such evidence is used to verify system compliance against the policies set by security managers or regulatory authorities. We present a strategy for randomly auditing and verifying resource compliance, and propose an architecture that allows the organizations to prove compliance to an external auditing agency.",

author = "Mirko Montanari and Huh, {Jun Ho} and Derek Dagit and Bobba, {Rakesh B.} and Campbell, {Roy H.}",

year = "2012",

month = dec

day = "1",

doi = "10.1109/DSNW.2012.6264693",

language = "English (US)",

isbn = "9781467322645",

series = "Proceedings of the International Conference on Dependable Systems and Networks",

booktitle = "2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012",

note = "2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012 ; Conference date: 25-06-2012 Through 28-06-2012",

}

TY - GEN

T1 - Evidence of log integrity in policy-based security monitoring

AU - Montanari, Mirko

AU - Huh, Jun Ho

AU - Dagit, Derek

AU - Bobba, Rakesh B.

AU - Campbell, Roy H.

PY - 2012/12/1

Y1 - 2012/12/1

N2 - Monitoring systems are commonly used by many organizations to collect information about their system and network operations. Typically, SNMP, IDS, or software agents generate log data and store them in a centralized monitoring system for analysis. However, malicious employees, attackers, or even organizations themselves can modify such data to hide malicious activities or to avoid expensive non-compliance fines. This paper proposes a cloud-based framework for verifying the trustworthiness of the logs based on a small amount of evidence data. A simple Cloud Security Monitoring (CSM) API, made available on the cloud services, allows organizations operating on the cloud to collect additional 'evidence' about their systems. Such evidence is used to verify system compliance against the policies set by security managers or regulatory authorities. We present a strategy for randomly auditing and verifying resource compliance, and propose an architecture that allows the organizations to prove compliance to an external auditing agency.

AB - Monitoring systems are commonly used by many organizations to collect information about their system and network operations. Typically, SNMP, IDS, or software agents generate log data and store them in a centralized monitoring system for analysis. However, malicious employees, attackers, or even organizations themselves can modify such data to hide malicious activities or to avoid expensive non-compliance fines. This paper proposes a cloud-based framework for verifying the trustworthiness of the logs based on a small amount of evidence data. A simple Cloud Security Monitoring (CSM) API, made available on the cloud services, allows organizations operating on the cloud to collect additional 'evidence' about their systems. Such evidence is used to verify system compliance against the policies set by security managers or regulatory authorities. We present a strategy for randomly auditing and verifying resource compliance, and propose an architecture that allows the organizations to prove compliance to an external auditing agency.

UR - http://www.scopus.com/inward/record.url?scp=84880910442&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84880910442&partnerID=8YFLogxK

U2 - 10.1109/DSNW.2012.6264693

DO - 10.1109/DSNW.2012.6264693

M3 - Conference contribution

AN - SCOPUS:84880910442

SN - 9781467322645

T3 - Proceedings of the International Conference on Dependable Systems and Networks

BT - 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012

T2 - 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012

Y2 - 25 June 2012 through 28 June 2012

ER -

Access to Document

10.1109/DSNW.2012.6264693