Trusted Detection of Unauthorized Filesystem Modifications to Combat Insider Tampering †

An insider-robust approach to file integrity verification is developed using interacting strata of mobile agents. Previous approaches relied upon monolithic architectures, or more recently, agent frameworks using a centralized control mechanism or common reporting repository. However, any such distinct tamperingpoint introduces vulnerabilities, especially from knowledgeable insiders capable of abusing security-critical resources. In the Collaborative Object Notification Framework for Insider Defense using Autonomous Network Transactions (CONFIDANT), the mechanisms for tampering detection, decision-making, and alert signaling are corroborated by autonomous agents. All capabilities are distributed and transactions are interlocked by tamper-evident handshaking protocols. Moreover, the agent dispatch policies and travel itineraries are constructed dynamically in response to events throughout the network. This paper defines user capability classes and identifies critical physical tampering points in intrusion detection architectures. CONFIDANT is evaluated in the presence of the identified insider tampering exposures. Evaluation results are compared to the Tripwire and AIDE response to the same stimulus. Results show increased mitigation against tampering modes including Pacing, Altering Internal Data, and File Juggling. The mitigation techniques such as Encapsulation, Redundancy, Scrambling, and Mandatory Obsolescence, are capable of mitigating several challenging exposures including various insider tampering risks.