Apparatus and method for protecting against data tampering in an audit subsystem

US 6,725,240 B1
Filed: 08/08/2000
Issued: 04/20/2004
Est. Priority Date: 08/08/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method for protecting against data tampering in a audit subsystem in a data processing system, comprising:

creating an audit log data structure and a system data structure;

assigning a unique serial number to each record in the audit log data structure, the unique serial number increasing monotonically with each new audit record;

storing in the system data structure a first serial number value corresponding to the serial number of the first audit record and a next serial number value corresponding to the next serial number to be assigned in the audit log data structure;

calculating a system integrity value for the system data structure; and

storing the system integrity value in the system data structure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data processing system and method stores a relational database in which audit records are stored without compromising the ability to detect data tampering. The technique provides for detection of unauthorized row modification, row deletion, and row insertion. Extra measures are incorporated to protect from administrator attacks. In addition, the technique enables integrity checking and audit log archiving without having to suspend or bring down the audit subsystem. These on-line capabilities are especially important in mission critical applications which must satisfy the requirement that the application be disabled if the audit subsystem is not functioning properly.

153 Citations

58 Claims

1. A method for protecting against data tampering in a audit subsystem in a data processing system, comprising:
- creating an audit log data structure and a system data structure;
  
  assigning a unique serial number to each record in the audit log data structure, the unique serial number increasing monotonically with each new audit record;
  
  storing in the system data structure a first serial number value corresponding to the serial number of the first audit record and a next serial number value corresponding to the next serial number to be assigned in the audit log data structure;
  
  calculating a system integrity value for the system data structure; and
  
  storing the system integrity value in the system data structure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, wherein the system integrity value comprises a system message authentication code computed for at least one other data item in the system data structure.
  - 3. The method of claim 1, further comprising:
4. The method of claim 3, wherein the keystore has associated therewith a password and the integrity information is encrypted using a key derived from the password.
5. The method of claim 3, wherein the integrity information includes a key.
6. The method of claim 5, further comprising:
- wherein the system integrity value for the system data structure is calculated using the key system.
7. The method of claim 6, wherein the step of storing integrity information in the keystore comprises storing the system integrity in the keystore.
8. The method of claim 6, wherein the system integrity value comprises a system message authentication code computed for at least one other data item in the system data structure.
9. The method of claim 5, further comprising:
- computing for each record in the audit data structure an audit record integrity value using the key.
10. The method of claim 9, wherein the audit record integrity value comprises an audit record message authentication code computed for at least one other data item in the audit record.
11. The method of claim 3, wherein the integrity information includes the first serial number value and the next serial number value.
12. The method of claim 3, wherein the audit log structure and the system data structure are stored as tables in an audit database.
13. The method of claim 12, wherein the integrity information includes database credentials for the audit database.
14. The method of claim 3, wherein the keystore determines whether calling code is trusted code.
15. The method of claim 14, wherein the keystore allows access to the contents of the keystore in response to a determination that the calling code is trusted code.
16. The method of claim 1, further comprises:
- computing for each record in the audit log data structure an audit record integrity value; and
  
  storing each audit record integrity value in the corresponding audit record.
17. The method of claim 16, wherein the audit record integrity value comprises an audit record message authentication code computed for at least one other data item in the audit record.
18. The method of claim 1, wherein the audit log data structure and the system data structure are stored as tables in an audit database.
19. The method of claim 18, wherein the audit database is a relational database.
20. The method of claim 18, wherein the audit database further comprises at least one auxiliary table and the system table stores an integrity value for each of the at least one auxiliary table.

21. A method for creating an event record in an audit subsystem in a data processing system, comprising:
- creating a new record in an audit log data structure;
  
  receiving a next serial number value from a system data structure;
  
  storing the next serial number value in the new record of the audit log data structure;
  
  incrementing the next serial number value in the system data structure;
  
  calculating an integrity value for the new record of the audit data structure; and
  
  storing the integrity value in the new record of the audit log data structure;
  
  calculating a system integrity value for the system data structure; and
  
  storing the system integrity value in the system data structure.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21, further comprising updating the next serial number value and system integrity value in a keystore.
  - 23. The method of claim 21, wherein the audit log structure and the system data structure are stored as tables in the audit structure.
  - 24. The method of claim 23, wherein the audit database is a relational database.

25. A method for performing an on-line integrity check of an audit subsystem in a data processing system, comprising:
- logging into a keystore;
  
  receiving database credentials from the keystore;
  
  accessing an audit database using the database credentials, wherein the audit database includes an audit log table;
  
  querying the audit log table for a range of serial numbers;
  
  receiving a results table of audit records in response to the query; and
  
  performing an integrity check on the audit records in the results table.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The method of claim 25, wherein the step of performing an integrity check on the results table comprises determining whether an audit record has been modified.
  - 27. The method of claim 26, wherein the step of determining whether an audit record has been modified comprises:
28. The method of claim 25, wherein the step of performing an integrity check on the results table comprises determining whether an audit record has been deleted.
29. The method of claim 28, wherein the step of determining whether an audit record has been deleted comprises:
- examining the serial numbers of the audit records in the results table; and
  
  identifying a pair of successive audit records that do not have monotonically increasing serial numbers.
30. The method of claim 28, wherein the step of determining whether an audit records has been deleted comprises:
- determining whether an audit record is missing at the end of the audit log table.
31. The method of claim 25, wherein the step of querying the audit log table for a range of serial numbers comprises querying the audit log table for records outside the range and wherein the step of performing an integrity check on the results table comprises identifying each record in the results table as an extraneous record.
32. The method of claim 25, wherein the audit database includes a system table that stores integrity information for the audit log table, the method further comprising determining whether the system table has been modified.
33. The method of claim 32, wherein the step of determining whether the system table has been modified comprises:
- receiving an integrity value for the system table;
  
  recomputing the integrity value; and
  
  comparing the received integrity value and the recomputed integrity value.
34. The method of claim 32, wherein the integrity information includes an integrity value for the system table and the integrity information is stored in the keystore, the step of determining whether the system table has been modified comprises:
- receiving the integrity information form the keystore;
  
  receiving the integrity information from the system table; and
  
  comparing the integrity information received from the keystore with the integrity information received from the system table.
35. The method of claim 25, wherein a system table stores integrity information for an auxiliary table, the method further comprising determining whether the auxiliary table has been modified.
36. The method of claim 35, wherein the step of determining whether the auxiliary table has been modified comprises:
- receiving an integrity value for the auxiliary table from the system table;
  
  recomputing the integrity value; and
  
  comparing the received integrity value and the recomputed integrity value.

37. An apparatus for protecting against data tampering in an audit subsystem in a data processing system, comprising:
- means for creating an audit log data structure and a system data structure;
  
  means for assigning a unique serial number to each record in the audit log data structure, the unique serial number increasing monotonically with each new audit record; and
  
  means for storing in the system data structure the first serial number and the next serial to be assigned;
  
  means for calculating a system integrity value for the system data structure; and
  
  means for storing the system integrity value in the system data structure.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45)
- - 38. The method of claim 37, further comprising:
39. The method of claim 38, wherein the integrity information includes the system integrity value.
40. The method of claim 38, wherein the system integrity value comprises a system message authentication code computed for at least one other data item in the system data structure.
41. The method of claim 37, further comprising:
- means for computing for each record in the audit log data structure an audit record integrity value; and
  
  means for storing each audit record integrity value in the corresponding audit record.
42. The method of claim 41, wherein the audit record integrity value comprises an audit message authentication code computed for at least one other data structure are stored as tables in an audit database.
43. The method of claim 37, wherein the audit log data structure and the system data structure are stored as tables in an audit database.
44. The method of claim 43, wherein the audit database is a relational database.
45. The apparatus of claim 43, wherein the audit database further comprises at least one auxiliary table and the system table stores an integrity value for each of the at least one auxiliary table.

46. An apparatus comprising:
- a processor; and
  
  a memory electrically connected to the processor, the memory having stored therein a program to be executed on the processor for performing the following steps;
  
  creating a new record in an audit log data structure;
  
  receiving a next serial number value from a system data structure;
  
  storing the next serial number value in the new record of the audit log data structure;
  
  increasing the next serial number value in the system data structure;
  
  calculating an integrity value for the new record of the audit log data structure;
  
  storing the integrity value in the new record of the audit data structure;
  
  calculating a system integrity value for the system data structure; and
  
  storing the system integrity value in the system data structure.

47. An apparatus comprising:
- a processor; and
  
  a memory electrically connected to the processor, the memory having stored therein a program to be executed on the processor for performing the following steps;
  
  logging into a keystore;
  
  receiving database credentials from the database credentials, wherein the audit database includes an audit log table;
  
  querying the audit log table for a range of serial numbers;
  
  receiving a results table of audit records in response to the query; and
  
  performing an integrity check on the audit records in the results table.
- View Dependent Claims (48, 49, 50, 51, 52)
- - 48. The apparatus of claim 47, wherein the step of performing an integrity check in the results table comprises determining whether an audit record has been modified.
  - 49. The apparatus of claim 48, wherein the step of determining whether an audit record has been modified comprises:
50. The apparatus of claim 47, wherein the step of performing an integrity check on the results table comprises determining whether an audit record has been deleted.
51. The apparatus of claim 50, wherein the step of determining whether an audit record has been deleted comprises:
- examining the serial numbers of the audit records in the results table; and
  
  identifying a pair of successive audit records that do not have monotonically increasing serial numbers.
52. The apparatus of claim 47, wherein the step of querying the audit log table for a range of serial numbers comprises querying the audit log table for records outside the range and wherein the step of performing an integrity check on the results table comprises identifying each record in the results table as an extraneous record.

53. An audit system comprising:
- an audit client; and
  
  an audit server for receiving audit events from the audit client, the audit server having an audit database, wherein the audit database includes an audit log table for storing an audit event record for each received audit event and a system table for storing integrity information for the audit database, and a keystore, wherein the keystore stores database credentials for the audit database.

54. A data structure embodied on a computer readable medium comprising:
- an audit database comprising an audit log table for storing audit event records, at least one auxiliary table, and a system table for storing integrity information for the audit database; and
  
  a keystore for storing integrity information for the system table, wherein the keystore includes application program interface logic for accessing the keystore.
- View Dependent Claims (55, 56)
- - 55. The data structure of claim 54, wherein the audit database is a relational database.
  - 56. The data structure of claim 54, wherein the system table stores an integrity value for each of the at least one auxiliary database.

57. A computer program in a computer readable medium for creating an event record in an audit subsystem in a data processing system, comprising:
- instructions for creating a new record in an audit data structure;
  
  instructions for receiving a new serial number value from a system data structure;
  
  instructions for storing the next serial number value in the new record of the audit log data structure;
  
  instructions for incrementing the next serial number value in the system data structure;
  
  instructions for calculating an integrity value for the new record of the audit log data structure;
  
  instructions for storing the integrity value in the new record of the audit log data structure;
  
  instructions for calculating a system integrity value for the system data structure; and
  
  instructions for storing the system integrity value in the system data structure.

58. A computer program product in a computer readable medium for creating an on-line integrity check of an audit subsystem in a data processing system, comprising:
- instructions for ogging into a keystore;
  
  instructions for receiving database credentials from the keystore;
  
  instructions for accessing an audit database using the database credentials, wherein the audit database includes an audit log table;
  
  instructions for querying the audit log table for a range of serial numbers;
  
  instructions for receiving a results table or audit records in response to the query; and
  
  instructions for performing an integrity check on the audit records in the results table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Samuel, Subodh A., Asad, Khalid A.
Primary Examiner(s)
Choules, Jack M.

Application Number

US09/634,030
Time in Patent Office

1,351 Days
Field of Search

707/201-204, 714/20
US Class Current

1/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 21/64   Protecting data integrity, ...

G06F 2221/2101   Auditing as a secondary aspect

Y10S 707/99953   Recoverability

Apparatus and method for protecting against data tampering in an audit subsystem

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

153 Citations

58 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for protecting against data tampering in an audit subsystem

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

153 Citations

58 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links