File Integrity Monitoring Research Articles

Securing Systems using SIEM and FIM Tools

Today, computer networks are heavily documented security issues, making it impractical to manage them without Security Event Management (SIEM). A SIEM solution sets the controls everywhere, enhances information security, recording data from various devices and applications through agents or networks Protects data by aggregating and aggregating Provides filtering, normalization of redundant information it is proprietary, and they use context to analyze it. The SIEM solution provides threat detection and real-time system activity analysis, alerting operators in the event of an attack. Although there are high-quality SIEM solutions, success cannot be guaranteed. Instead, organizations should focus on a variety of use cases to effectively implement their SIEM solutions. Care must be taken with respect to the integrity of the operating system components. They are controlled to optimize system security. Attackers will always try to manipulate or alter these relevant resources to achieve their goals. System files are common targets for attackers. File integrity monitoring tools are often used to detect any malicious changes to these important files. In this project we developed a comprehensive security solution that combines a Security Information Event Management (SIEM) framework with a File Integrity Monitoring (FIM) tool to optimize the security posture of IT projects. Our SIEM project uses Azure Monitoring Agent to collect data from virtual machine and inject it into the Log Analytics Workspace. The FIM component is implemented by a Python script designed to scan multiple directories and files. The script initially stores the hashes of all monitored files in a baseline file named “baseline.txt” and creates backups of the original files. These backups are periodically updated, with old backups being deleted.

UNALTERED: A FILE INTEGRATION MANAGEMENT SYSTEM

In today's interconnected world, where digital data underpins nearly every aspect of modern life, ensuring the integrity and security of files is paramount. This abstract provides a concise yet comprehensive overview of the multifaceted domain of file integrity and security. File integrity is the assurance that data remains unchanged and reliable, essential for maintaining trust and accountability. However, achieving and maintaining file integrity poses numerous challenges, including the ever-evolving threat landscape, complex IT infrastructures, and regulatory compliance mandates. To address these challenges, organizations employ a variety of strategies and technologies. Encryption, access controls, and digital signatures are deployed to protect files from unauthorized access and tampering, while file integrity monitoring (FIM) solutions continuously scrutinize files for any alterations. Moreover, robust security policies, employee training programs, and incident response plans are integral components of a proactive approach to file integrity and security. By fostering a culture of security awareness and investing in advanced technologies, organizations can effectively mitigate risks and safeguard their digital assets. Keywords: Encryption, Fostering, Integrity, Monitoring, tampering, Unauthorized.

Comparing two cryptographic hash algorithms: SHA-512 and whirlpool- a case study on file integrity monitoring

SHA-512 and Whirlpool are two distinct hashing algorithms in the cryptography domain. Although they are different, these methods share some characteristics; such as both of them produce secure digests of the same size. In addition, being increasingly used for sustaining the integrity of confidential files. As a result, it is crucial to explore a method to contrast and compare their performance. This paper presents a comparative analysis of SHA-512 and Whirlpool, in terms of: time consumption, avalanche effect, and resistance to collision. It also investigates their suitability in the context of File Integrity Monitoring. Our results reveal that Whirlpool outperforms SHA-512 in the avalanche effect scenario, whereas a comparable resistance to the collision behavior is exhibited. Regarding time consumption, it is slower than SHA-512. However, this positively reflects its resistance to brute force attacks.

File integrity monitoring tools: Issues, challenges, and solutions

SummaryEnsuring integrity of sensitive files in file systems is imperative to computer systems. The vast majority of attacks work through unapproved or unauthorized access to sensitive files to take secret data like secret keys, passwords, credit card numbers, and so on. After that, attackers generally conceal their traces by subverting critical files like system logs. File system integrity monitoring is a well‐known way to deal with ensuring integrity of sensitive and critical files. The file system is at the heart of any computing system as it stores the data and executable programs. Malicious users or malwares might change the content of a sensitive data file or insert malicious payload in an executable. Hence, monitoring the integrity of the files in the file system is of utmost importance. Significant research work has been done on file integrity monitoring tools. This article presents the currently available tools for file integrity monitoring and their underlying approaches.

Monitoring File Integrity Using Blockchain and Smart Contracts

The adoption of cloud computing solutions is an established reality in government agencies and in small, medium, and large companies due to procurement easiness and the variety of available services, as well as its low cost compared to the acquisition and management of own infrastructures. Among the most used services is cloud file storage, and the security of this storage has been an essential subject of recent research, particularly customer data integrity. Thus, this article proposes a solution for the monitoring of the integrity of files stored in the cloud, based on the use of smart contracts in Blockchain Networks, symmetric encryption, and computational trust. The proposed solution consists of a protocol that provides confidentiality, decentralization, audit availability, and the secure sharing of file integrity monitoring results, without overloading the services involved, as well as an unabridged reference implementation which was used to validate the proposal. The results obtained during the validation tests have shown that the solution is feasible and faultless in detecting corrupted files. These tests also confirmed that the sharing of integrity monitoring results, coupled with the application of computational trust techniques, significantly increased the efficiency of the proposed solution.

Vanguard: A Cache-Level Sensitive File Integrity Monitoring System in Virtual Machine Environment

Sensitive files in computer systems such as executable programs, configuration, and authorization information have a great importance of their own, in terms of both confidentiality and functionality. To protect sensitive files, an effective approach named as file integrity monitoring is proposed to detect aggressive behaviors by verifying all the actions on these sensitive files. However, due to semantic gap problems, current file integrity monitoring tools are incapable of monitoring files in memory, so that an illegal modification of a file may bypass the detection by deliberately hiding itself inside the cache without actually committing to the disk. In this paper, we propose a runtime sensitive file integrity monitoring system named Vanguard, to satisfy the requirement of cache-level file protection. It can monitor both IO operations and cache operations, thereby deterring the illegal file accesses. To achieve the cache-level monitoring, we explore the techniques to detect when sensitive files are loaded into and swapped out from the operating system page cache. Vanguard is isolated from the monitored system so it is hard to be subverted. We implement Vanguard on QEMU/KVM platform, and both Linux and Windows guest operating systems are supported. We conduct several experiments, and the experimental results show the effectiveness of Vanguard and imply that our method incurs acceptable overhead.

Getting smarter about alerts

Most organisations of any appreciable size are now equipped with layers of information security, including firewalls, intrusion detection and prevention systems, file integrity monitoring and security incident and event management. These systems log massive amounts of data about network activity and frequently raise alarms. So why do breaches still happen? We spoke with Mark Kedgley, CTO of New Net Technologies. Most organisations of any appreciable size are now equipped with layers of information security that log massive amounts of data about network activity and frequently raise alarms. This means network intrusions are often lost in the noise. Perhaps we need to get smarter about how we manage alerts. In this interview, Mark Kedgley of New Net Technologies talks about ‘closed-loop intelligent control’, based on file integrity monitoring, that can help to tune out the noise and make it easier to spot the threats.

Security breaches – hiding in plain sight

However strong the perimeter security, in the vast majority of organisations there are far too many opportunities for hackers or malware attacks to slide in undetected. Forensic-level monitoring of system changes provides a means whereby subtle breach activity can be exposed, but just having the means to detect changes is only part of the solution. Change control provides a procedural means to compartmentalise expected change activity and isolate unexpected changes including breach activity. Mark Kedgley of New Net Technologies explains how to automate intelligent change control using file integrity monitoring to cut down the noise, distinguish the unexpected from the planned and, finally, close the change control loop.

Use of Diffie Hellman Key Exchange for Information Transmission and File Integrity Monitoring in Cloud

today's computing era,there has arisen an immense requirement for secure and trusted security frameworks/models in cloud computing.These models allow the cloud service provider to establish a trusted bond among clients,which is the prime requisite for cloud e-businesses nowadays. Keeping this orientation in mind,we have proposed a comprehensive security framework which provides extra layer of security to the information transmitted among client and server ends & also sustains the information integrity at both terminals.It provides the data security during storage at cloud server . This incorporates confidentiality,authentication and integrity of the involved information among client-server terminals.Numerous cryptographic algorithms have been used to apply in the implemented tool. Diffie- Hellman key exchange scheme has been applied in this research work.

Change detection technology has changed – for the better

Few experts would argue against the importance of real-time file integrity monitoring (FIM) in an era of fast-changing and sophisticated security threats. It is literally impossible to second guess the method of a breach and therefore the ‘last line of defence’ detection offered by FIM has never been more critical. The worldwide coverage of the recent breach at US retail giant Target shows how vital cyber-security is, and how high the stakes are if your defences are breached. Little wonder that leaders in security best practices – such as NIST, the PCI Security Standards Council and the SANS organisation – all advocate FIM as an essential security defence. File Integrity Monitoring (FIM) is a fundamental factor in the overall fabric of security. That said, having a poorly configured and misused FIM solution is more dangerous than not having one at all. The sad reality is that many organisations are simply flushing away their multi-million dollar investments – and at the same time putting data security and system compromise at risk. Mark Kedgley of New Net Technologies looks at how modern FIM systems can benefit the organisation if they are used correctly.

Finding a new approach to SIEM to suit the SME environment

While compliance requirements drive many small and medium businesses to Security Information and Event Management (SIEM) products, the complexity of traditional SIEM may frustrate many SMEs. SMEs invariably lack the large security staff (who are typically found in larger enterprises) needed for deployment, configuration, monitoring and reporting of SIEM solutions. And you need to add to that the fact that it's often not just a SIEM that is needed to meet compliance requirements – asset detection and inventory, intrusion detection systems (IDS), host IDS, file integrity monitoring and vulnerability scanning are also necessary. While compliance requirements drive many small and medium businesses to Security Information and Event Management (SIEM) products, the complexity of traditional SIEM may frustrate many SMEs. Patrick Bedwell of AlienVault looks at the technical underpinnings of SIEM and log management, highlighting the problems with traditional SIEM for SMEs, and explaining how unified security management can provide the security and compliance capabilities SMEs need, while keeping in mind the significant budgetary and resource constraints typical of these smaller organisations.

File integrity monitoring in the modern threat landscape

Anti-virus (AV) software, along with its firewall side-kick, has been the standard weapon against Internet-borne threats for the past two decades. But in a changing threat landscape, AV is fast beginning to look past its sell-by date. We now face stealthy exploits that can play havoc in our networks for months, even years. As Mark Kedgley of New Net Technologies, insists, AV is not just fallible – it is fighting the wrong battle; it is time to wake up to the new reality and implement a truly effective line of defence.

Virtualization-Based Security Monitoring

近年来,虚拟化技术成为计算机系统结构的发展趋势,并为安全监控提供了一种解决思路.由于虚拟机管理器具有更高的权限和更小的可信计算基,利用虚拟机管理器在单独的虚拟机中部署安全工具能够对目标虚拟机进行检测.这种方法能够保证监控工具的有效性和防攻击性.从技术实现的角度来看,现有的研究工作可以分为内部监控和外部监控.根据不同的监控目的,详细地介绍了基于虚拟化安全监控的相关工作,例如入侵检测、蜜罐、文件完整性监控、恶意代码检测与分析、安全监控架构和安全监控通用性.最后总结了现有研究工作的不足,并指出了未来的研究方向.这对于从事虚拟化研究和安全监控研究都具有重要意义.;In recent years, virtualization technology is the novel trendy of computer architecture, and it provides a solution for security monitoring. Due to the highest privilege and the smaller trusted computing base of virtual machine monitor, security tools, deployed in an isolated virtual machine, can inspect the target virtual machine with the help of virtual machine monitor. This approach can enhance the effectiveness and anti-attack ability of security tools. From the aspect of the implementation technologies, existing research works can be classified into internal monitoring and external monitoring. According to the different targets, the related works about virtualization-based monitoring are introduced in this paper in detail, such as intrusion detection, honeypot, file integrity monitoring, malware detection and analysis, security monitoring architecture and the generality of monitoring. Finally, this paper summarizes the shortcomings of existing works, and presents the future research directions. It is significant for virtualization research and security monitoring research.

A guest-transparent file integrity monitoring method in virtualization environment

The file system becomes the usual target of malicious attacks because it contains lots of sensitive data, such as executable programs, configuration and authorization information. File integrity monitoring is an effective approach to discover aggressive behavior by detecting modification actions on these sensitive files. Traditional real-time integrity monitoring tools, which insert hooks into the OS kernel, are easily controlled and disabled by malicious software. Such existing methods, which insert kernel module into OS, are hard to be compatible because of the diversity of OS. In this paper, we present a non-intrusive real-time file integrity monitoring method in virtual machine-based computing environment, which is transparent to the monitored system. The monitor is isolated from the monitored system, since it observes the state of the monitored system from the outside. This method brings two benefits: detecting file operations in real time and being invisible to malicious attackers in the monitored system. Furthermore, a kind of file classification algorithm based on file security level is proposed to improve efficiency in this paper. The proposed file integrity monitoring method is implemented in the full-virtualization mode supported by the Xen platform. The experimental results show that the method is effective with acceptable overhead.