Detection of tampering with software installed on a processing device

US 8,938,805 B1
Filed: 09/24/2012
Issued: 01/20/2015
Est. Priority Date: 09/24/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

at least one processing device comprising a processor coupled to a memory;

the processing device implementing a host-based intrusion detection system configured to permit detection of tampering with at least one software component installed on the processing device;

the host-based intrusion detection system comprising a forward-secure logging module configured to record information characterizing a plurality of events occurring in the device in such a manner that modification of the recorded information characterizing the events is indicative of a tampering attack and can be detected by an authority;

wherein the forward-secure logging module is configured to perform said recording in a concealed manner that cannot be directly correlated with occurrence of at least one of the plurality of events; and

wherein the host-based instruction detection system is configured to send, in response to randomly-timed requests, respective different portions of the forward-secure logging records to the authority such that the forward-secure logging records cannot be directly correlated with occurrence of the corresponding events.

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A processing device comprises a processor coupled to a memory and implements a host-based intrusion detection system configured to permit detection of tampering with at least one software component installed on the processing device. The host-based intrusion detection system comprises a forward-secure logging module configured to record information characterizing a plurality of events occurring in the device in such a manner that modification of the recorded information characterizing the events is indicative of a tampering attack and can be detected by an authority. For example, the recorded information may comprise at least one forward-secure logging record R having entries r₁. . . r_ncorresponding to respective ones of the events wherein any erasure or other modification of a particular pre-existing entry r_iin R by an attacker is detectable by the authority upon inspection of R.

Citations

18 Claims

1. An apparatus comprising:
- at least one processing device comprising a processor coupled to a memory;
  
  the processing device implementing a host-based intrusion detection system configured to permit detection of tampering with at least one software component installed on the processing device;
  
  the host-based intrusion detection system comprising a forward-secure logging module configured to record information characterizing a plurality of events occurring in the device in such a manner that modification of the recorded information characterizing the events is indicative of a tampering attack and can be detected by an authority;
  
  wherein the forward-secure logging module is configured to perform said recording in a concealed manner that cannot be directly correlated with occurrence of at least one of the plurality of events; and
  
  wherein the host-based instruction detection system is configured to send, in response to randomly-timed requests, respective different portions of the forward-secure logging records to the authority such that the forward-secure logging records cannot be directly correlated with occurrence of the corresponding events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 18)
- - 2. The apparatus of claim 1 wherein the forward-secure logging module is configured to record said information without requiring any connection between the processing device and a network.
  - 3. The apparatus of claim 1 wherein the forward-secure logging module is configured to record said information even if an entity carrying out the tampering attack has physical possession of the processing device.
  - 4. The apparatus of claim 1 wherein the forward-secure logging module is configured to record the information characterizing the plurality of events in the form of at least one forward-secure logging record R having entries r₁. . . r_ncorresponding to respective ones of the events wherein any erasure or other modification of a particular pre-existing entry r_iin R by an attacker is detectable by the authority upon inspection of R, where i is an index that can take on integer values from 1 to n.
  - 5. The apparatus of claim 1 wherein:
    - the forward-secure logging module is instrumented with one or more predetermined signatures each indicative of one or more events likely to occur in conjunction with a particular type of tampering attack; and
      
      the forward-secure logging module is configured, responsive to detecting one or more events likely to occur in conjunction with a given one of the particular types of tampering attack, to record the one or more events as a given one of the predetermined signatures indicative of the given particular type of tampering attack.
  - 6. The apparatus of claim 1 wherein the host-based intrusion detection system is configured to communicate the respective different portions of the forward-secure logging records to the authority over a network.
  - 7. The apparatus of claim 4 wherein said modification indicative of a tampering attack can be detected by an authority through comparison of the forward-secure logging record R to one or more attack-specific templates stored by the authority.
  - 8. The apparatus of claim 1 wherein the host-based intrusion detection system comprises a plurality of intrusion detection sensors implemented in an operating system layer or a lower layer of an executable software stack of the processing device with each such sensor configured to detect events of a particular type.
  - 9. The apparatus of claim 1 wherein the events are behaviorally related to compromise of a running software kernel of the processing device.
  - 10. The apparatus of claim 1 wherein the processing device is configured to communicate with a server of said authority and wherein said server generates an alert based on detection of the tampering attack.
  - 11. The apparatus of claim 1 wherein the recorded information comprises an indication of placement of the processing device into a maintenance mode at a time when the processing device would not normally be placed into the maintenance mode absent a tampering attack.
  - 18. The apparatus of claim 11 wherein the maintenance mode comprises a device firmware updated (DFU) mode.

12. A method comprising the steps of:
- recording information characterizing a plurality of events occurring in a processing device using a forward-secure logging module of the processing device; and
  
  providing the recorded information to an authority;
  
  wherein the recording step comprises recording the information characterizing the events in such a manner that modification of the recorded information is indicative of a tampering attack and can be detected by the authority;
  
  wherein the recording step comprises using the forward-secure logging module to perform said recording in a concealed manner that cannot be directly correlated with occurrence of at least one of the plurality of events; and
  
  wherein the providing step comprises sending, in response to randomly-timed requests, respective different portions of the recorded information to the authority such that the recorded information cannot be directly correlated with occurrence of the corresponding events.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12 wherein the recording step comprises recording the information characterizing the plurality of events in the form of at least one forward-secure logging record R having entries r₁. . . r_ncorresponding to respective ones of the events wherein any erasure or other modification of a particular pre-existing entry r_iin R by an attacker is detectable by the authority upon inspection of R, where i is an index that can take on integer values from 1 to n.
  - 14. The method of claim 12 wherein:
    - the forward-secure logging module is instrumented with one or more predetermined signatures each indicative of one or more events likely to occur in conjunction with a particular type of tampering attack; and
      
      the recording step comprises, responsive to detecting the one or more events likely to occur in conjunction with a given one of the particular types of tampering attack, recording the one or more events as a given one of the predetermined signatures indicative of the given particular type of tampering attack.
  - 15. A computer program product comprising a non-transitory processor-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by said processing device cause the steps of the method of claim 12 to be performed.

16. An information processing system comprising:
- at least one processing device; and
  
  an authority adapted for communication with the processing device;
  
  the processing device implementing a host-based intrusion detection system configured to permit detection of tampering with at least one software component installed on the processing device;
  
  the host-based intrusion detection system comprising a forward-secure logging module configured to record information characterizing a plurality of events occurring in the device in such a manner that modification of the recorded information characterizing the events is indicative of a tampering attack and can be detected by the authority;
  
  wherein the forward-secure logging module is configured to perform said recording in a concealed manner that cannot be directly correlated with occurrence of at least one of the plurality of events; and
  
  wherein the host-based instruction detection system is configured to send, in response to randomly-timed requests, respective different portions of the forward-secure logging records to the authority such that the forward-secure logging records cannot be directly correlated with occurrence of the corresponding events.
- View Dependent Claims (17)
- - 17. The information processing system of claim 16 wherein the authority comprises at least one server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RSA Security LLC (Symphony Technology Group LLC)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Juels, Ari, Hart, Catherine V.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US13/625,497
Time in Patent Office

848 Days
Field of Search

726/23, 726/24, 726/21, 380/44, 380/247, 380/248, 380/278, 713/155
US Class Current

726/23
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04W 12/128 Anti-malware arrangements, ...

Detection of tampering with software installed on a processing device

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of tampering with software installed on a processing device

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links