
Strategies for Intrusion Monitoring in Cloud Services

George R. S. Weir, Andreas Aßmuth

TL;DR

The paper addresses the challenge of preserving credible log data in Cloud environments amid adversarial tampering and data deletion. It proposes an intrusion-monitoring approach that couples per-event MAC chaining with a $(k,n)$ threshold secret-sharing scheme to securely distribute log data across multiple nodes and a central server. This enables reconstruction of events from any subset of at least $k$ shares, even if some nodes or the central logger are compromised, thereby enhancing digital forensic readiness. The approach is designed for practical Cloud deployment, including secure boot, centralized and distributed logging, and has implications for regulatory compliance and incident response in cloud services.

Abstract

Effective activity and event monitoring is an essential aspect of digital forensic readiness. Techniques for capturing log and other event data are familiar from conventional networked hosts and transfer directly to the Cloud context. In both contexts, a major concern is the risk that monitoring systems may be targeted and impaired by intruders seeking to conceal their illicit presence and activities. We outline an approach to intrusion monitoring that aims (i) to ensure the credibility of log data and (ii) to provide a means of data sharing that supports log reconstruction in the event that one or more logging systems is maliciously impaired.
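The two mechanisms named in the TL;DR and abstract, per-event MAC chaining for log credibility and a $(k,n)$ threshold scheme for reconstruction when loggers are impaired, can be shown together in a short working model. The following is an added example, not code from the paper or its authors; it assumes HMAC-SHA256 as the MAC, Shamir's scheme over a prime field as the threshold scheme, a constructed $(k,n)=(3,5)$ deployment, and constructed sample log lines and key. Chain tags make deletion or reordering of an event detectable at the first affected index; sharing each record to $n$ nodes lets any $k$ of them rebuild it after the central logger and up to $n-k$ nodes are lost.

```python
import hashlib
import hmac
import secrets

# Constructed deployment parameters (assumption, not from the paper): (k, n) = (3, 5).
K, N = 3, 5
# Field for Shamir's scheme: 2**127 - 1 is prime, so every 15-byte chunk (< 2**120)
# is a valid field element.
PRIME = 2**127 - 1
CHUNK = 15

# Constructed sample data; the key would be provisioned at secure boot (assumption).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_EVENTS = [
    b"sshd: accepted publickey for alice from 198.51.100.4",
    b"sudo: alice ran systemctl stop auditd",
    b"sshd: session closed for alice",
]


def mac_chain(events: list[bytes], key: bytes) -> list[tuple[bytes, bytes]]:
    """Per-event MAC chaining: tag_i = HMAC(key, tag_{i-1} || event_i).
    Every tag binds its event to the whole history before it."""
    prev = b"\x00" * 32  # chain anchor for the first event
    chain = []
    for ev in events:
        tag = hmac.new(key, prev + ev, hashlib.sha256).digest()
        chain.append((ev, tag))
        prev = tag
    return chain


def verify_chain(chain: list[tuple[bytes, bytes]], key: bytes) -> int:
    """Return -1 if the chain verifies, else the index of the first record
    whose tag does not match (the first tampered or gap position)."""
    prev = b"\x00" * 32
    for i, (ev, tag) in enumerate(chain):
        expected = hmac.new(key, prev + ev, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag
    return -1


def _split_int(secret: int, k: int, n: int) -> list[tuple[int, int]]:
    """Shamir (k, n) sharing of one field element: a random degree-(k-1)
    polynomial with constant term `secret`, evaluated at x = 1..n."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def _recover_int(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(PRIME) from k distinct shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_record(record: bytes, k: int = K, n: int = N) -> list[list[tuple[int, int]]]:
    """Distribute one serialised log record to n nodes: node j receives the j-th
    share of every 15-byte chunk, so fewer than k nodes learn nothing about it."""
    padded = record + b"\x80" + b"\x00" * ((-len(record) - 1) % CHUNK)  # unambiguous pad
    node_shares: list[list[tuple[int, int]]] = [[] for _ in range(n)]
    for off in range(0, len(padded), CHUNK):
        chunk_int = int.from_bytes(padded[off:off + CHUNK], "big")
        for j, share in enumerate(_split_int(chunk_int, k, n)):
            node_shares[j].append(share)
    return node_shares


def reconstruct_record(available: list[list[tuple[int, int]]], k: int = K) -> bytes:
    """Rebuild a record from the share lists of any k or more surviving nodes."""
    if len(available) < k:
        raise ValueError(f"need at least {k} nodes, have {len(available)}")
    chosen = available[:k]  # share x-coordinates identify the node, so order is irrelevant
    out = bytearray()
    for chunk_shares in zip(*chosen):
        out += _recover_int(list(chunk_shares)).to_bytes(CHUNK, "big")
    return bytes(out).rstrip(b"\x00")[:-1]  # strip zero fill and the 0x80 marker


def demo() -> tuple[int, bytes]:
    """Chain the sample events, show that dropping the middle one is caught at
    index 1, then share that record to N nodes and rebuild it from 3 survivors."""
    chain = mac_chain(SAMPLE_EVENTS, SAMPLE_KEY)
    broken_at = verify_chain([chain[0], chain[2]], SAMPLE_KEY)
    record = chain[1][0] + b"|" + chain[1][1].hex().encode()
    shares = split_record(record)
    survivors = [shares[0], shares[2], shares[4]]  # nodes 2 and 4 lost with the central logger
    return broken_at, reconstruct_record(survivors)


if __name__ == "__main__":
    idx, rebuilt = demo()
    print("chain breaks at index", idx)
    print("rebuilt record:", rebuilt.decode())
```

The record that is shared carries the event together with its chain tag, so a reconstructed entry can still be verified against its neighbours with `verify_chain`; a party holding fewer than $k$ share lists sees only uniformly random field elements.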
