Attacks on computer systems are highly technical and difficult to prevent. Our research aims to develop computer security technologies that assume attacks and intrusions will occur. In addition, we develop computer security for the emerging virtual machine environment.
Problem with log-tampering:
Logging information about the activities that take place on a computer is essential for understanding its behavior. However, attackers can delete logs to hide evidence of their activities. In addition, various problems can cause logs to be lost.
Prevention of log-tampering:
To prevent log tampering and loss, we utilize a virtual machine monitor. In our scheme, the virtual machine monitor detects log production inside a virtual machine and copies the log to another virtual machine. With this mechanism, the window for tampering is reduced, and tampering with logs after the copy becomes difficult because of virtual machine-level isolation.
Advantage:
By copying and transferring logs to another virtual machine, tampering with logs after they are stored becomes difficult. In addition, we can detect not only that log tampering occurred but also the area where it occurred, by comparing the logs inside the monitored virtual machine with those in the logging virtual machine. Further, our scheme is implemented by modifying only the virtual machine monitor; therefore, no modification to software inside a virtual machine is required. This broadens the applicability of our scheme to various operating systems.
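The copy-and-compare idea above, as an added simulation that is not the lab's code: a stand-in virtual machine monitor mirrors every log write it observes in the monitored guest into a logging guest the monitored one cannot reach, and `compare_logs` diffs the two copies to report not just that tampering happened but which line ranges were deleted, replaced or inserted. The guest and VMM classes, the `observe_log_write` hook and the sample log lines are all constructed for this example; a real hypervisor would detect the write at the disk or I/O level instead of being called directly.

```python
import difflib

# Constructed sample guest log lines (not from the page).
SAMPLE_LOG = [
    "10:00:01 sshd[812]: Accepted password for alice from 10.0.0.5",
    "10:00:07 sudo: alice : COMMAND=/bin/bash",
    "10:00:20 sshd[901]: Accepted password for bob from 10.0.0.9",
    "10:01:02 kernel: usb 1-1: new high-speed USB device",
    "10:01:44 sudo: bob : COMMAND=/usr/bin/apt",
]


class VirtualMachine:
    """Stand-in for a guest; `log` plays the role of the guest's on-disk log file."""

    def __init__(self, name):
        self.name = name
        self.log = []


class VirtualMachineMonitor:
    """Simulated VMM: every log write observed in the monitored VM is mirrored
    into the logging VM, which the monitored guest has no access to."""

    def __init__(self, monitored, logging_vm):
        self.monitored = monitored
        self.logging_vm = logging_vm

    def observe_log_write(self, line):
        # In the real scheme the hypervisor detects the guest's write itself;
        # in this simulation the guest calls the hook directly (assumption).
        self.monitored.log.append(line)
        self.logging_vm.log.append(line)


def compare_logs(monitored_log, reference_log):
    """Diff the monitored guest's log against the logging VM's copy.

    Returns one finding per divergent region: the kind of change
    (delete / replace / insert), the line range in the reference copy,
    the line range in the guest copy, and the affected lines."""
    matcher = difflib.SequenceMatcher(a=reference_log, b=monitored_log, autojunk=False)
    findings = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        findings.append({
            "kind": tag,
            "reference_lines": (i1, i2),
            "guest_lines": (j1, j2),
            "expected": reference_log[i1:i2],
            "found": monitored_log[j1:j2],
        })
    return findings


def run_scenario(tamper=True):
    """Fill both logs through the VMM, optionally tamper with the guest copy, compare."""
    guest = VirtualMachine("monitored")
    logger = VirtualMachine("logging")
    vmm = VirtualMachineMonitor(guest, logger)
    for line in SAMPLE_LOG:
        vmm.observe_log_write(line)
    if tamper:
        # Simulated intruder inside the guest: removes alice's sudo run and
        # bob's login (lines 1 and 2) and rewrites the last line.
        del guest.log[1:3]
        guest.log[-1] = "10:01:44 sudo: bob : COMMAND=/bin/true"
    return compare_logs(guest.log, logger.log)


if __name__ == "__main__":
    for finding in run_scenario():
        print(finding["kind"], "at reference lines", finding["reference_lines"],
              "expected", finding["expected"], "found", finding["found"])
```

Because the logging VM's copy is written by the monitor and never by the guest, it serves as the reference; the guest's copy is the one an intruder can reach, so every non-equal diff region localises a tampered area to a line range.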
Attacks on security software:
As attacks on computers increase, protective software is developed. However, that software itself is still open to attacks that disable its functionality. If that software is stopped or disabled, the risk of damage to the computer increases.
Hiding process information for attack avoidance:
To decrease this risk and address these problems, we proposed an attack avoidance method that hides processes from attackers who intend to terminate essential services, including protective software. The proposed method complicates identification based on process information by dynamically replacing the information held by the kernel with dummy information. Replacing process information makes identifying the attack target difficult, because attackers cannot find the target by searching the process information.
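The dummy-substitution idea above, as an added simulation that is not the lab's code: a toy kernel process table exposes protected entries through the ordinary process-information view only under dummy names and dummy PIDs that change on every `rotate()`, so a name-based search for the protective service finds nothing, while a trusted caller holding the secret issued at registration can still resolve the real PID. The `ProcessTable` class, the registration secret as the trusted path, and the process names are all constructed for this example.

```python
import secrets


class ProcessTable:
    """Simulated kernel process table with dynamic dummy substitution.

    `public_view()` is what a lookup through the normal process-information
    interface returns. Protected entries appear under dummy PIDs and dummy
    names that are replaced on every `rotate()`. The real records are
    reachable only through `resolve()`, which requires the secret issued at
    registration (an assumed trusted-path mechanism for this simulation)."""

    def __init__(self):
        self._records = {}   # real pid -> {"name", "protected", "token"}
        self._aliases = {}   # real pid -> (dummy pid, dummy name)
        self._next_dummy_pid = 60000

    def register(self, pid, name, protected=False):
        token = secrets.token_bytes(16) if protected else None
        self._records[pid] = {"name": name, "protected": protected, "token": token}
        if protected:
            self.rotate()
        return token

    def rotate(self):
        """Replace every protected entry's visible identity with fresh dummy data."""
        for pid, rec in self._records.items():
            if rec["protected"]:
                self._next_dummy_pid += 1
                dummy_name = f"dummy-{secrets.token_hex(4)}"
                self._aliases[pid] = (self._next_dummy_pid, dummy_name)

    def public_view(self):
        """pid -> name as seen through the unprivileged process-information interface."""
        view = {}
        for pid, rec in self._records.items():
            if rec["protected"]:
                dummy_pid, dummy_name = self._aliases[pid]
                view[dummy_pid] = dummy_name
            else:
                view[pid] = rec["name"]
        return view

    def find_by_name(self, name):
        """A name-based search over the public view: what an attacker's lookup sees."""
        return [pid for pid, shown in self.public_view().items() if shown == name]

    def resolve(self, name, token):
        """Trusted lookup: only the holder of the registration secret gets the real pid."""
        for pid, rec in self._records.items():
            if (rec["name"] == name and rec["token"] is not None
                    and secrets.compare_digest(rec["token"], token)):
                return pid
        return None


def demo():
    """Register a normal shell and a protected service, then compare lookups."""
    table = ProcessTable()
    table.register(100, "bash")
    token = table.register(200, "protectd", protected=True)
    before = table.public_view()
    table.rotate()
    after = table.public_view()
    return {
        "attacker_sees_protectd": table.find_by_name("protectd"),
        "attacker_sees_bash": table.find_by_name("bash"),
        "trusted_lookup": table.resolve("protectd", token),
        "wrong_token": table.resolve("protectd", b"\x00" * 16),
        "real_pid_exposed": 200 in before or 200 in after,
        "dummy_identity_changed": before != after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unprotected entry stays fully visible, which is the point: only the services that attackers would want to terminate are presented under dummy information, and the dummy identity changes over time so a previously observed alias does not remain valid.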