Hardware-Assisted Intrusion Detection by Preserving Reference Information Integrity

  • Junghee Lee
  • Chrysostomos Nicopoulos
  • Gi Hwan Oh
  • Sang-Won Lee
  • Jongman Kim
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8285)


Malware detectors and integrity checkers detect malicious activities by comparing against reference data. To ensure their trustworthy operation, it is crucial to protect the reference data from unauthorized modification. This paper proposes the Soteria Security Card (SSC), an append-only storage. To the best of our knowledge, this work is the first to introduce the concept of an append-only storage and its application to information security. The SSC framework allows only read and append operations, and forbids over-write and erase operations. By exploiting this trait, we can protect the reference data that must be updated constantly. It is demonstrated how SSC facilitates log protection and file integrity checking.


log hardware protection security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Verison: 2013 data breach investigations report (2013)Google Scholar
  2. 2.
    Chung, H.: Barefoot SSD controller technical reference manual (2011)Google Scholar
  3. 3.
    Takada, T., Koike, H.: NIGELOG: protecting logging information by hiding multiple backups in directories. In: Proceedings of Tenth International Workshop on Database and Expert Systems Applications, pp. 874–878 (1999)Google Scholar
  4. 4.
    Waters, B., Waters, B.R., Balfanz, D., Balfanz, D., Durfee, G., Durfee, G., Smetters, D.K., Smetters, D.K.: Building an encrypted and searchable audit log. In: The 11th Annual Network and Distributed System Security Symposium (2004)Google Scholar
  5. 5.
    Schneier, B., Kelsey, J.: Secure audit logs to support computer forensics. ACM Trans. Inf. Syst. Secur. 2(2), 159–176 (1999)CrossRefGoogle Scholar
  6. 6.
    Kawaguchi, N., Ueda, S., Obata, N., Miyaji, R., Kaneko, S., Shigeno, H., Okada, K.: A secure logging scheme for forensic computing. In: Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, pp. 386–393 (2004)Google Scholar
  7. 7.
    Foundation, A.S.: Apache HTTP serverGoogle Scholar
  8. 8.
    Butler, J.M.: Benchmarking security information event management (SIEM) (2009)Google Scholar
  9. 9.
    Group, T.C.: Trusted platform module (TPM) specifications (2011)Google Scholar
  10. 10.
    Ruhrmair, U., van Dijk, M.: Pufs in security protocols: Attack models and security evaluations. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 286–300 (2013)Google Scholar
  11. 11.
    Brzuska, C., Fischlin, M., Schröder, H., Katzenbeisser, S.: Physically uncloneable functions in the universal composition framework. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 51–70. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  12. 12.
    ARM: ARM security technology (2009)Google Scholar
  13. 13.
    Petroni Jr., N.L., Fraser, T., Molina, J., Arbaugh, W.A.: Copilot - a coprocessor-based kernel runtime integrity monitor. In: Proceedings of the 13th Conference on USENIX Security Symposium, vol. 13 (2004)Google Scholar
  14. 14.
    Grover, S., Khosravi, H., Kolar, D., Moffat, S., Kounavis, M.: Rkrd: Runtime kernel rootkit detection 48, 224–236 (2009)Google Scholar
  15. 15.
    Lee, H., Moon, H., Jang, D., Kim, K., Lee, J., Paek, Y., ByungHoon, K.B.: KI-Mon: a hardware-assisted event-triggered monitoring platform for mutable kernel object. In: Proceedings of 22nd USENIX Security Symposium (2013)Google Scholar
  16. 16.
    Boeck, B., Huemer, D., Tjoa, A.M.: Towards more trustable log files for digital forensics by means of “trusted computing”. In: 24th IEEE International Conference on Advanced Information Networking and Applications, pp. 1020–1027 (2010)Google Scholar
  17. 17.
    Zhang, X., van Doorn, L., Jaeger, T., Perez, R., Sailer, R.: Secure coprocessor-based intrusion detection. In: Proceedings of the 10th Workshop on ACM SIGOPS European Workshop, EW 2010, pp. 239–242. ACM, New York (2002)Google Scholar
  18. 18.
    Quynh, N.A., Takefuji, Y.: A novel approach for a file-system integrity monitor tool of xen virtual machine. In: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pp. 194–202 (2007)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  • Junghee Lee
    • 1
  • Chrysostomos Nicopoulos
    • 2
  • Gi Hwan Oh
    • 3
  • Sang-Won Lee
    • 3
  • Jongman Kim
    • 1
  1. 1.Georgia Institute of TechnologyAtlantaUSA
  2. 2.University of CyprusNicosiaCyprus
  3. 3.Sungkyunkwan UniversitySuwonSouth Korea

Personalised recommendations