Evidence of log integrity in policy-based security monitoring

Mirko Montanari, Jun Ho Huh, Derek Dagit, Rakesh B. Bobba, Roy H. Campbell

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

Abstract

Monitoring systems are commonly used by many organizations to collect information about their system and network operations. Typically, SNMP, IDS, or software agents generate log data and store them in a centralized monitoring system for analysis. However, malicious employees, attackers, or even organizations themselves can modify such data to hide malicious activities or to avoid expensive non-compliance fines. This paper proposes a cloud-based framework for verifying the trustworthiness of the logs based on a small amount of evidence data. A simple Cloud Security Monitoring (CSM) API, made available on the cloud services, allows organizations operating on the cloud to collect additional 'evidence' about their systems. Such evidence is used to verify system compliance against the policies set by security managers or regulatory authorities. We present a strategy for randomly auditing and verifying resource compliance, and propose an architecture that allows the organizations to prove compliance to an external auditing agency.
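The abstract sketches three roles: an organization that keeps the central monitoring log and may itself rewrite it, a cloud-side CSM API that records a small amount of independent evidence, and an auditor who spot-checks random entries against that evidence. The script below is an added illustration of that division of trust, not code from the paper or its CSM API. The abstract does not specify how the evidence or the commitment are built, so the hash chain, the HMAC evidence tags, the field names (`resource`, `ts`, `state`), the demo key and the log records are assumptions constructed here for the example.

```python
"""Evidence-backed log audit (added illustration; not the paper's code).

Actors:
  * organization: keeps the central monitoring log and commits to its hash-chain head
  * provider:     a hypothetical CSM-style API records one small 'evidence' tag per
                  observation under a key the organization never holds
  * auditor:      checks the chain and spot-checks k random entries against evidence
"""
import hashlib
import hmac
import json
import math
import random

GENESIS = "0" * 64
# Constructed demo key standing in for provider-held key material.
PROVIDER_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Deterministic serialization so all parties hash the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_head(records: list) -> str:
    """Hash chain over the log; each digest covers the previous digest and one record."""
    prev = GENESIS
    for rec in records:
        prev = hashlib.sha256(prev.encode() + canonical(rec)).hexdigest()
    return prev


def evidence_tag(provider_key: bytes, record: dict) -> str:
    """Evidence the provider emits for one observation: a MAC over the observed state.
    Only fields the provider can see itself are covered (assumed: resource, ts, state)."""
    observed = {k: record[k] for k in ("resource", "ts", "state")}
    return hmac.new(provider_key, canonical(observed), hashlib.sha256).hexdigest()


def audit(reported_log, committed_head, evidence, provider_key, k, rng=None):
    """Auditor's check. Returns a list of findings (empty means nothing detected).

    1. Whole-log check: the reported log must hash to the head the organization committed.
    2. Spot check: k distinct entries chosen at random are compared with provider evidence.
    """
    rng = rng or random.Random()
    findings = []
    if chain_head(reported_log) != committed_head:
        findings.append("chain head mismatch: log differs from what was committed")
    for i in sorted(rng.sample(range(len(reported_log)), k)):
        expected = evidence_tag(provider_key, reported_log[i])
        if not hmac.compare_digest(evidence[i], expected):
            findings.append(f"entry {i}: log record disagrees with provider evidence")
    return findings


def miss_probability(n: int, m: int, k: int) -> float:
    """P(all k sampled entries are untampered) when m of n entries were altered
    (sampling without replacement). This is what the auditor's choice of k buys."""
    if m == 0:
        return 1.0
    if k > n - m:
        return 0.0
    return math.comb(n - m, k) / math.comb(n, k)


def make_log(n: int = 20) -> list:
    """Constructed sample: one SSH-exposure observation per minute for a single VM."""
    return [{"seq": i, "resource": "vm-web-01", "ts": 1_340_000_000 + 60 * i,
             "state": "ssh-closed"} for i in range(n)]


def scenario(recommit: bool):
    """Entry 7 was actually non-compliant (ssh-open); the organization rewrites it.
    recommit=True: an insider also re-commits the chain head, so the hash chain alone
    cannot tell and only the provider's evidence can. recommit=False: the edit happens
    after the head was committed, so the chain check fires as well."""
    truth = make_log()
    truth[7]["state"] = "ssh-open"
    evidence = [evidence_tag(PROVIDER_KEY, r) for r in truth]  # recorded by provider
    reported = [dict(r) for r in truth]
    honest_head = chain_head(reported)
    reported[7]["state"] = "ssh-closed"  # the cover-up
    committed = chain_head(reported) if recommit else honest_head
    return reported, committed, evidence


if __name__ == "__main__":
    for recommit in (True, False):
        log, head, ev = scenario(recommit)
        print(f"recommit={recommit}:", audit(log, head, ev, PROVIDER_KEY, k=5))
    print("miss probability, 1 of 20 altered, k=5:", miss_probability(20, 1, 5))
```

Two points the example makes concrete. First, a commitment the organization computes over its own log only detects edits made after the commitment; when the same party controls both the log and the commitment (the "organizations themselves" case in the abstract), detection has to rest on evidence recorded under a key that party does not hold. Second, a "small amount of evidence" only works statistically: with one altered entry out of 20 and five samples, the audit misses it three times in four, so random sampling is effective against sustained non-compliance spread across many entries, and k has to be sized against the fraction of altered entries one needs to catch.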

Original language: English (US)
Title of host publication: 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012
DOIs: 10.1109/DSNW.2012.6264693
State: Published - Dec 1 2012
Event: 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012 - Boston, MA, United States
Duration: Jun 25 2012 - Jun 28 2012

Publication series

Name: Proceedings of the International Conference on Dependable Systems and Networks

Other

Other: 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012
Country: United States
City: Boston, MA
Period: 6/25/12 - 6/28/12

Fingerprint

Monitoring
Software agents
Application programming interfaces (API)
Managers
Personnel
Compliance

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture
  • Computer Networks and Communications

Cite this

Montanari, M., Huh, J. H., Dagit, D., Bobba, R. B., & Campbell, R. H. (2012). Evidence of log integrity in policy-based security monitoring. In 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012 [6264693] (Proceedings of the International Conference on Dependable Systems and Networks). https://doi.org/10.1109/DSNW.2012.6264693

Evidence of log integrity in policy-based security monitoring. / Montanari, Mirko; Huh, Jun Ho; Dagit, Derek; Bobba, Rakesh B.; Campbell, Roy H.

2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012. 2012. 6264693 (Proceedings of the International Conference on Dependable Systems and Networks).


Montanari, M, Huh, JH, Dagit, D, Bobba, RB & Campbell, RH 2012, Evidence of log integrity in policy-based security monitoring. in 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012., 6264693, Proceedings of the International Conference on Dependable Systems and Networks, 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012, Boston, MA, United States, 6/25/12. https://doi.org/10.1109/DSNW.2012.6264693
Montanari M, Huh JH, Dagit D, Bobba RB, Campbell RH. Evidence of log integrity in policy-based security monitoring. In 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012. 2012. 6264693. (Proceedings of the International Conference on Dependable Systems and Networks). https://doi.org/10.1109/DSNW.2012.6264693
Montanari, Mirko ; Huh, Jun Ho ; Dagit, Derek ; Bobba, Rakesh B. ; Campbell, Roy H. / Evidence of log integrity in policy-based security monitoring. 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012. 2012. (Proceedings of the International Conference on Dependable Systems and Networks).
@inproceedings{e9f81cc5626e4ba0a050c6636233620c,
title = "Evidence of log integrity in policy-based security monitoring",
abstract = "Monitoring systems are commonly used by many organizations to collect information about their system and network operations. Typically, SNMP, IDS, or software agents generate log data and store them in a centralized monitoring system for analysis. However, malicious employees, attackers, or even organizations themselves can modify such data to hide malicious activities or to avoid expensive non-compliance fines. This paper proposes a cloud-based framework for verifying the trustworthiness of the logs based on a small amount of evidence data. A simple Cloud Security Monitoring (CSM) API, made available on the cloud services, allows organizations operating on the cloud to collect additional 'evidence' about their systems. Such evidence is used to verify system compliance against the policies set by security managers or regulatory authorities. We present a strategy for randomly auditing and verifying resource compliance, and propose an architecture that allows the organizations to prove compliance to an external auditing agency.",
author = "Mirko Montanari and Huh, {Jun Ho} and Derek Dagit and Bobba, {Rakesh B.} and Campbell, {Roy H.}",
year = "2012",
month = "12",
day = "1",
doi = "10.1109/DSNW.2012.6264693",
language = "English (US)",
isbn = "9781467322645",
series = "Proceedings of the International Conference on Dependable Systems and Networks",
booktitle = "2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012",

}

TY - GEN

T1 - Evidence of log integrity in policy-based security monitoring

AU - Montanari, Mirko

AU - Huh, Jun Ho

AU - Dagit, Derek

AU - Bobba, Rakesh B.

AU - Campbell, Roy H.

PY - 2012/12/1

Y1 - 2012/12/1

N2 - Monitoring systems are commonly used by many organizations to collect information about their system and network operations. Typically, SNMP, IDS, or software agents generate log data and store them in a centralized monitoring system for analysis. However, malicious employees, attackers, or even organizations themselves can modify such data to hide malicious activities or to avoid expensive non-compliance fines. This paper proposes a cloud-based framework for verifying the trustworthiness of the logs based on a small amount of evidence data. A simple Cloud Security Monitoring (CSM) API, made available on the cloud services, allows organizations operating on the cloud to collect additional 'evidence' about their systems. Such evidence is used to verify system compliance against the policies set by security managers or regulatory authorities. We present a strategy for randomly auditing and verifying resource compliance, and propose an architecture that allows the organizations to prove compliance to an external auditing agency.

AB - Monitoring systems are commonly used by many organizations to collect information about their system and network operations. Typically, SNMP, IDS, or software agents generate log data and store them in a centralized monitoring system for analysis. However, malicious employees, attackers, or even organizations themselves can modify such data to hide malicious activities or to avoid expensive non-compliance fines. This paper proposes a cloud-based framework for verifying the trustworthiness of the logs based on a small amount of evidence data. A simple Cloud Security Monitoring (CSM) API, made available on the cloud services, allows organizations operating on the cloud to collect additional 'evidence' about their systems. Such evidence is used to verify system compliance against the policies set by security managers or regulatory authorities. We present a strategy for randomly auditing and verifying resource compliance, and propose an architecture that allows the organizations to prove compliance to an external auditing agency.

UR - http://www.scopus.com/inward/record.url?scp=84880910442&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84880910442&partnerID=8YFLogxK

U2 - 10.1109/DSNW.2012.6264693

DO - 10.1109/DSNW.2012.6264693

M3 - Conference contribution

AN - SCOPUS:84880910442

SN - 9781467322645

T3 - Proceedings of the International Conference on Dependable Systems and Networks

BT - 2012 IEEE/IFIP 42nd International Conference on Dependable Systems and Networks Workshops, DSN-W 2012

ER -