Detection of tampering with software installed on a processing device
Abstract
A processing device comprises a processor coupled to a memory and implements a host-based intrusion detection system configured to permit detection of tampering with at least one software component installed on the processing device. The host-based intrusion detection system comprises a forward-secure logging module configured to record information characterizing a plurality of events occurring in the device in such a manner that modification of the recorded information characterizing the events is indicative of a tampering attack and can be detected by an authority. For example, the recorded information may comprise at least one forward-secure logging record R having entries r1 . . . rn corresponding to respective ones of the events wherein any erasure or other modification of a particular pre-existing entry ri in R by an attacker is detectable by the authority upon inspection of R.
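The tamper-evidence property stated in the abstract can be illustrated with a key-evolving MAC chain. This is an added example, not the patent's own construction (which this section does not give); the names `evolve`, `tag`, `ForwardSecureLog` and `verify`, and the use of HMAC-SHA-256, are assumptions.

```python
import hashlib
import hmac
from typing import Optional

ZERO = b"\x00" * 32  # tag used as "previous tag" for the first entry


def evolve(key: bytes) -> bytes:
    """One-way key update k_{i+1} = H(k_i); k_i cannot be recovered from k_{i+1}."""
    return hashlib.sha256(b"evolve" + key).digest()


def tag(key: bytes, index: int, prev_tag: bytes, event: bytes) -> bytes:
    """MAC binding an entry to its position and to the previous entry's tag."""
    msg = index.to_bytes(8, "big") + prev_tag + event
    return hmac.new(key, msg, hashlib.sha256).digest()


class ForwardSecureLog:
    """Device side: holds only the current key, never earlier ones."""

    def __init__(self, k0: bytes):
        self._key = k0
        self._prev = ZERO
        self.records = []  # R = [(event, tag), ...], entries r1 ... rn

    def append(self, event: bytes) -> None:
        t = tag(self._key, len(self.records), self._prev, event)
        self.records.append((event, t))
        self._prev = t
        self._key = evolve(self._key)  # the key that authenticated this entry is discarded

    def current_key(self) -> bytes:
        """What an attacker compromising the device at this moment would obtain."""
        return self._key


def verify(k0: bytes, records) -> Optional[int]:
    """Authority side: replay from k0; return index of first bad entry, or None."""
    key, prev = k0, ZERO
    for i, (event, t) in enumerate(records):
        if not hmac.compare_digest(t, tag(key, i, prev, event)):
            return i
        key, prev = evolve(key), t
    return None
```

This check alone does not catch removal of the most recent entries; for that the authority also needs the expected entry count or a periodic entry it knows must be present.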
18 Claims
1. An apparatus comprising:
- at least one processing device comprising a processor coupled to a memory;
- the processing device implementing a host-based intrusion detection system configured to permit detection of tampering with at least one software component installed on the processing device;
- the host-based intrusion detection system comprising a forward-secure logging module configured to record information characterizing a plurality of events occurring in the device in such a manner that modification of the recorded information characterizing the events is indicative of a tampering attack and can be detected by an authority;
- wherein the forward-secure logging module is configured to perform said recording in a concealed manner that cannot be directly correlated with occurrence of at least one of the plurality of events; and
- wherein the host-based instruction detection system is configured to send, in response to randomly-timed requests, respective different portions of the forward-secure logging records to the authority such that the forward-secure logging records cannot be directly correlated with occurrence of the corresponding events.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 18

12. A method comprising the steps of:
- recording information characterizing a plurality of events occurring in a processing device using a forward-secure logging module of the processing device; and
- providing the recorded information to an authority;
- wherein the recording step comprises recording the information characterizing the events in such a manner that modification of the recorded information is indicative of a tampering attack and can be detected by the authority;
- wherein the recording step comprises using the forward-secure logging module to perform said recording in a concealed manner that cannot be directly correlated with occurrence of at least one of the plurality of events; and
- wherein the providing step comprises sending, in response to randomly-timed requests, respective different portions of the recorded information to the authority such that the recorded information cannot be directly correlated with occurrence of the corresponding events.

Dependent claims: 13, 14, 15

16. An information processing system comprising:
- at least one processing device; and
- an authority adapted for communication with the processing device;
- the processing device implementing a host-based intrusion detection system configured to permit detection of tampering with at least one software component installed on the processing device;
- the host-based intrusion detection system comprising a forward-secure logging module configured to record information characterizing a plurality of events occurring in the device in such a manner that modification of the recorded information characterizing the events is indicative of a tampering attack and can be detected by the authority;
- wherein the forward-secure logging module is configured to perform said recording in a concealed manner that cannot be directly correlated with occurrence of at least one of the plurality of events; and
- wherein the host-based instruction detection system is configured to send, in response to randomly-timed requests, respective different portions of the forward-secure logging records to the authority such that the forward-secure logging records cannot be directly correlated with occurrence of the corresponding events.

Dependent claims: 17

Specification