File integrity monitoring tools: Issues, challenges, and solutions

Peddoju, Suresh K.; Upadhyay, Himanshu; Lagos, Leonel

doi:10.1002/cpe.5825

Cited by 11 publications

(5 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These tools continuously monitor the file system for changes, including changes to file attributes, content, and timestamps. They can generate alerts when unauthorized or unexpected modifications occur [30], [26].…”

Section: Literature Review and Related Workmentioning

confidence: 99%

“…Current FITs work offline pattern which means these tools will monitor the files at scheduled times to check the integrity of the system. Delay in detection is the biggest issue because this will create an opportunity for the intruder to take advantage of the system [30].…”

Section: Literature Review and Related Workmentioning

confidence: 99%

“…One of the main challenges when building a FIM is realtime detection, which should have minimal performance overhead to ensure it can be used effectively in real production environments. High-performance overhead can cause system slowdowns, reduced productivity, and user frustration, which could lead to the tool being disabled or ignored [30]. Implementing a FIM in an ICS poses specific challenges due to the constraints of computing resources and the need for continuous system operation.…”

Section: Literature Review and Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Real-Time Intrusion Detection of Insider Threats in Industrial Control System Workstations Through File Integrity Monitoring

Al-Muntaser,

Mohamed,

Tuama

2023

IJACSA

View full text Add to dashboard Cite

Industrial control systems (ICS) play a crucial role in various industries and ensuring their security is paramount for maintaining process continuity and reliability. In ICS, the most damaging cyber-attacks often come from trusted insiders rather than external threats or malware. Insiders have the advantage of bypassing security measures and staying undetected. This research focuses on developing a real-time intrusion detection system for ICS workstations that effectively detects insider threats while prioritizing user privacy. The approach employs file integrity monitoring to identify suspicious activities, particularly file violations such as data tampering and destruction. The model presented in this research demonstrates low system resource consumption by utilizing an event-triggered approach instead of continuous polling of file data. The model leverages built-in operating system functions, eliminating the need for third-party software installation. To minimize disruptions to the ICS network, the model operates at the supervisory level within the ICS architecture. Through extensive testing, the model achieves a high level of accuracy, detecting insider intrusions with a high true positive rate. This reliable detection capability contributes to enhancing the security of ICS and mitigating the risks associated with insider threats. By implementing this real-time intrusion detection system, organizations can effectively protect their control systems while preserving user privacy.

show abstract

Section: Literature Review and Related Workmentioning

confidence: 99%

Section: Literature Review and Related Workmentioning

confidence: 99%

Section: Literature Review and Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Real-Time Intrusion Detection of Insider Threats in Industrial Control System Workstations Through File Integrity Monitoring

Al-Muntaser,

Mohamed,

Tuama

2023

IJACSA

View full text Add to dashboard Cite

show abstract

“…Once captured, the data undergoes rigorous preprocessing to filter out background network noise, thereby accentuating the characteristics unique to ransomware traffic. This preprocessing includes techniques such as signature-based analysis to identify known ransomware patterns, file integrity monitoring for detecting unauthorized alterations, and entropy scanning to identify randomness in encrypted files [17,22,28,44]. The result is a comprehensive dataset that embodies a diverse array of ransomware activities, laying the groundwork for subsequent analysis using the BERT model.…”

Section: Network Traffic Datasetsmentioning

confidence: 99%

Analyzing Data Theft Ransomware Traffic Patterns Using BERT

Almeida,

Vasconcelos

2023

Preprint

View full text Add to dashboard Cite

This research looks into the evolving dynamics of ransomware, shifting from conventional encryption-based attacks to sophisticated data exfiltration strategies. Employing the Bidirectional Encoder Representations from Transformers (BERT) model, the study analyzes network traffic patterns to detect ransomware activities, offering new insights into their covert operations. The findings emphasize the need for advanced AI tools in cybersecurity, highlighting the significance of adapting and innovating defense strategies to counter the changing landscape of ransomware threats. The study contributes to a deeper understanding of ransomware evolution and underscores the importance of integrating AI in cybersecurity practices.

show abstract

“…We refer readers to Ref. [20] for detail comparison of currently available tools for file integrity monitoring and their underlying approaches.…”

Section: Related Workmentioning

confidence: 99%

Real-time Container Integrity Monitoring for Large-Scale Kubernetes Cluster

Kitahara

Gajananan

Watanabe

2021

Journal of Information Processing

View full text Add to dashboard Cite

Container integrity monitoring is defined as a key requirement for regulatory compliance such as PCI-DSS, in which any unexpected changes such as file updates or program runs must be logged for later audit. System call monitoring provides comprehensive monitoring of such change events on container since it may suffer from large amount of false alarms unless well-defined allowlist rules are coordinated before deploying a container. Defining such a comprehensive allowlist is not feasible especially when managing various kinds of application workloads in large-scale enterprise cluster. We propose a new approach for identifying real anomalies in system call events effectively without relying on any predefined allowlist configuration in this paper. Our novel filtering algorithm based on the knowledge acquired autonomously from Kubernetes cluster control plane reduces 99.999% of noise effectively and distills only abnormal events in real time. Furthermore, we define concrete criteria for highly-scalable container integrity monitoring and verify the implementation of proposing filtering method that has actual high scalability while maintaining its detection capability. Our experiment with real applications on around 3,800 containers demonstrates its effectiveness even on large-scale clusters, and we clarified how detected events are triggered by user operation.

show abstract

File integrity monitoring tools: Issues, challenges, and solutions

Cited by 11 publications

References 12 publications

Real-Time Intrusion Detection of Insider Threats in Industrial Control System Workstations Through File Integrity Monitoring

Real-Time Intrusion Detection of Insider Threats in Industrial Control System Workstations Through File Integrity Monitoring

Analyzing Data Theft Ransomware Traffic Patterns Using BERT

Real-time Container Integrity Monitoring for Large-Scale Kubernetes Cluster

Contact Info

Product

Resources

About