Identification of File Integrity Requirement through Severity Analysis

Transcription

1 Identification of File Integrity Requirement through Severity Analysis Zul Hilmi Abdullah a, Shaharudin Ismail a, Nur Izura Udzir b a Fakulti Sains dan Teknologi, Universiti Sains Islam Malaysia, Bandar Baru Nilai, Nilai, Negeri Sembilan, Malaysia. b Fakulti Sains Komputer dan Teknologi Maklumat, Universiti Putra Malaysia, Serdang, Selangor, Malaysia. zulhilmi.a@usim.edu.my Abstract. File integrity monitoring (FIM) tool is used to mitigate integrity violation risk in an operating system and storage environment. The main challenge is to ensure the modification of related files can be detected as soon as the event occurs as fast detection can be vital to prevent further damage. However, issues on FIM is about the performance penalty result of real time monitoring. In order to minimize performance overhead, identification of file integrity requirement is proposed. Integrity requirement is important for determining the file monitoring approaches either in real time or offline. Although some of the FIM tools provide a hybrid approach of integrity monitoring, there have still required manual intervention of system administrator for system configuration in identification of specific files with its specific monitoring approach. This practice is a difficult task for system administrators and may be exposed to human error. This paper proposes the model of file integrity requirement based on file metadata information (file attributes) to assist system administrators in setting up monitoring approaches for specific files within the application system environment. The proposed model can be applied to the FIM tool and other file protection tool like anti-malware, backup and restore solution as part of the defence in depth strategy. Keywords: File Integrity, Severity Analysis, Integrity Requirement, System Security. INTRODUCTION Integrity violation for the information system assets become a major concern. Threats from viruses and other malware that has a capability in modifying the system and application files increases the risk of integrity violation [1]. Increasing numbers of new malware every day also exposed the information system assets into the integrity violation. Therefore, well known information security related standard and guideline recommends that each organization should deploy the system integrity verification for their information asset protection. The security standard council recommends that system integrity becomes part of Payment Card Industry (PCI) Data Security Standard (DSS) requirement. The requirement is very important to ensure business can be operates effectively and as intended. Requirement implementing the file integrity monitoring is part of monitoring of security controls which also included the firewalls, anti-virus, IDS and IPS have been 355

2 stated in PCI DSS document version 2.0 and version 3.0 [2]. Other well-established compliance standards that recommend the system integrity monitoring is NIST in System and Information Integrity (SI) Guidelines which stated in two main sections (SI-4 and SI-7) of the standards [9]. In NIST Special Publication Revision 4 documents, SI-7 represents an enhancement of integrity control towards software, firmware and information integrity. There are several file integrity monitoring or verification tools that provide the integrity protection services for the system and application security, such as Tripwire [3], XenFIT [4], and OSSEC [5]. There is no big issue in the detection capability of most of the establish file integrity monitoring tools since they used standard and reliable detection mechanism. Issues arise more on the monitoring approach which involve real time or periodic monitoring approach for the system file. Although highly critical applications are developed with security concern by the developer, new security vulnerabilities still cannot be predicted on the development phase. Thus, the application software remains vulnerable to security flaws and needs to be protected. It is impossible to monitor every single application file in real-time due to the high cost needed in terms of resource consumption and processing time [6]. Therefore, a proper technique and approach should be initiated to ensure only required files are monitored in real time and let other file monitored with periodic time. This scenario is very crucial to ensure only integrity critical files should be protected in real time to ensure the performance impact of the system operation is minimal. Real time integrity protection may cause a performance penalty if the implementation is not properly configured. In order to ensure effective scheduling of file integrity monitoring, we proposed file integrity requirement identification based on severity analysis. FILE INTEGRITY REQUIREMENT (FIR) IDENTIFICATION File integrity requirement (FIR) is proposed to accommodate a file integrity monitor (FIM) tools in determining specific file with their specific monitoring approaches. In this paper, we focus on the file in Windows based operating system environment. Each setup and configuration included the virtual host also based on the Windows operating system. Identify related issues in file integrity monitoring analyzed previous techniques and practices Formulate a new pattern of file integrity requirement identification Evaluate formulated pattern FIGURE 1: Important steps for the research. Figure 1 shows the important steps in this research. This research begins with identification of related issues in the file integrity monitoring through an intensive review of related works. After specific issues have been discovered, several tools related to the file security monitoring such as FIM tools, anti-viruses tools, host-based intrusion 356

3 detection systems and files utilities tools are collected. All related tools are tested and observed in order to obtain patterns of existing practices in file protection. Result from the observation is analyzed. From the analyzed result, new pattern of file integrity requirement (FIR) identification is formulated. Lastly, the proposed FIR is evaluated in to test the accuracy of formulated pattern. Observation of Existing File Protection Practices In order to collect information and practices of existing file protection tools, five different virtual hosts are used. Each virtual host are installed with difference type of services such as web server, database server, print server, server and file sharing service. Related file protection tools are installed and tested in each virtual host to observe their practices in protecting the files. Figure 2 represents the steps involved in FIR identification. Run file protection tools Collect information used by related tools Analyze collected information FIGURE 2: File integrity requirement (FIR) identification. Firstly, data of the related file which monitored in real time are collected for each virtual host and file protection tools. Next, we analyzed the collected data by comparing and classify the pattern of file monitoring based on their attributes similarities. In practice, these steps are time consuming and complicated. It is assumed that existing file protection tools are monitored sensitive or important file in real time monitoring mode. Violation of the integrity After obtaining the pattern of file protection, we formulate a new file integrity requirement (FIR) in order to accommodate file integrity monitoring tool in determining monitoring mode for specific files. In this paper, FIR is formulated based on privilege security attributes (PSA) which each file is classified into five different FIR levels (system, high, medium, low and unprotected). Our FIR utilized five attributes of PSA, which obtained from the observed pattern of existing file protection tools. Evaluation In order to evaluate the accuracy of formulated FIR, data mining classifier is used. Figure 3 shows the steps involved to evaluate the proposed FIR. 357

4 Scan file attributes Capture and record identified attributes Analyze and interpret classification result Transform attributes information into nominal format Test dataset with specific classifiers FIGURE 3: FIR evaluation steps. In the evaluation phase of FIR data set are collected using file attributes scanner (FAS) tool. FAS tool was developed previously for our attributes based file integrity identification [7, 8]. The file attributes scanner (FAS) is customized accordingly in order to support the data collection process which based on the privilege security attributes (PSA). Five identified attributes are collected for each file. The data set will be transformed into a nominal format in order to accommodate the evaluation process. Data preprocessing done in this phase to minimize the noise. In this paper, Multilayer Perceptron (MLP) classifier is used to test our FIR based on five integrity level and five attributes. Lastly result from the classification is analyzed and interpreted based on research objectives. For initial result, our FIR score 92.5% of correctly classified instances based on 400 samples of the files which each file represents by five attributes. The score shows the impressive output from the FIR identification and formulation. However, there are still need some improvement in order to optimize the effectiveness of FIM monitoring mode for specific files. CONCLUSION Identification of file integrity requirement (FIR) becomes goods start to accommodates file integrity monitoring tools since there are increased of information security threats and attacks especially involved the unauthorized system modification. In addition, increases of operating system and application complexity due to highly sophisticated demands for the information services also required more effective file integrity monitoring without compromised the system performance. The evaluation result shows the promises future for the FIR identification. Currently we are working to formulate a new FIR that based on different type of file attributes. In addition, the formulated FIR will be incorporated into the prototype of file integrity monitoring system for testing in the real environment.. 358

5 REFERENCES Proceeding of IC-ITS 2015 e-isbn: McKosky, R. A. & Shiva, S. G. A file integrity checking system to detect and recover from program modification attacks in multi-user computer systems Computers & Security, 1990, 9, LLC, P. S. S. C. Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.0 PCI Security Standards Council LLC, Kim, G. H. & Spafford, E. H. The design and implementation of tripwire: a file system integrity checker CCS '94: Proceedings of the 2nd ACM Conference on Computer and Communications Security, ACM, 1994, Quynh, N. A. & Takefuji, Y. A novel approach for a file-system integrity monitor tool of Xen virtual machine ASIACCS '07: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ACM, 2007, Hay, A.; Cid, D.; Bary, R. & Northcutt, S. System Integrity Check and Rootkit Detection OSSEC Host-Based Intrusion Detection Guide, Syngress, 2008, Zhao, F.; Jiang, Y.; Xiang, G.; Jin, H. & Jiang, W. VRFPS: A Novel Virtual Machine-Based Real-time File Protection System ACIS 2009: International Conference on Software Engineering Research, Management and Applications, IEEE Computer Society, 2009, 0, Abdullah, Z. H.; Udzir, N. I.; Mahmod, R. & Samsudin, K. Towards a Dynamic File Integrity Monitor through a Security Classification International Journal of New Computer Architectures and their Applications (IJNCAA), The Society of Digital Information and Wireless Communication, 2011, 1, Abdullah, Z. H.; Udzir, N. I.; Mahmod, R. & Samsudin, K. File Integrity Monitor Scheduling Based on File Security Level Classification. Software Engineering and Computer Systems, Springer Berlin Heidelberg, 2011, 180, Locke, G. & Gallagher, P. D. Recommended Security Controls for Federal Information Systems and Organizations National Institute of Standards and Technology (NIST),