A secure and auditable logging infrastructure based on a permissioned blockchain
Introduction
Log data is produced today by most information systems used in organizations. It records regular events on these systems, but may also contain indicators of malicious behavior or attacks, such as denial-of-service attacks, malware activity and other attacks on an organization's infrastructure. Analysis of these logs helps prevent security breaches, or enables detection and subsequent damage control once an incident has taken place (Venter and Eloff, 2003).
If a breach succeeds, the organization will want to identify the perpetrator in a forensic investigation and bring the responsible person to court. In practice, however, intruders may attempt to alter or delete the log entries that document the intrusion (Schneier and Kelsey, 1999). Besides being exposed to malicious modification, log records are also routinely processed during analysis, for example by SIEM systems (Menges et al., 2018). To succeed at trial, the organization must be able to provide indisputable proof of the integrity of the log evidence. This proof must guarantee that no modification occurred during processing, so that the evidence remains admissible in court.
The primary requirements for legally admissible digital evidence are relevance and authenticity (Bidgoli, 2006, p. 658ff). For a piece of evidence to be admitted, its chain of custody must be unbroken. Reliable and verifiable evidence generation, transmission and storage are part of this chain of custody and prerequisites for authenticating evidence in court (Casey, 2011). Verifiable generation procedures therefore constitute a key requirement for auditable logging infrastructures.
Prior research has developed various approaches to creating secure logs and protecting them from intruders (see Section 2). A key aspect of these works is preserving the integrity of evidence using write-only or access-protected storage. Blockchain technology provides a novel way to achieve these goals. Blockchain systems are highly redundant data stores whose purpose is to maintain an append-only log of transactions. Because the data is shared with other independent organizations and extended only by distributed consensus, it is tamper-resistant: as long as enough participants are honest (a majority for Nakamoto-style consensus, more than two thirds for Byzantine fault tolerant protocols such as PBFT), the availability and integrity of stored data are maintained. Of particular interest to enterprise applications are permissioned blockchains, in which the set of participants is known and authenticated.
Based on a permissioned blockchain, we develop a secure infrastructure that ensures integrity and non-repudiation of log events without a trusted service provider. It is designed to prove the existence of a log entry at the time of generation, using integrity proofs stored in a distributed auditing layer. The blockchain network storing the proofs is maintained by a consortium of independent operators, and auditors can verify the integrity of previously submitted evidence by contacting any node in the network. Automated signing, storage and integrity-proof generation for each log event provide the necessary authentication and non-repudiation. For evaluation, we build a prototype as part of the DINGfest project (Menges et al., 2018). DINGfest aims to create an open-source SIEM infrastructure and currently consists of three main components: data acquisition, data analysis, and forensics and incident reporting. This work adds a fourth component, data auditing, to ensure forensic auditability.
The paper is structured as follows: after reviewing prior work and some of its shortcomings, we propose a general design for secure logging based on a permissioned blockchain. For evaluation, we then build the prototype within the DINGfest infrastructure and report our results regarding security and performance.
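The generation-time signing, per-entry proof submission and any-node verification described in the introduction, as an added illustration that is not code from the paper or from the DINGfest project. A three-node consortium ledger is simulated inside one Go process; networking, ordering consensus and the provisioning of log-source keys are assumed away, and the node names (org-a, org-b, org-c), the source name collector-1, the entry identifier evt-1 and the sample syslog line are constructed for the example. Ed25519 signatures and SHA-256 digests are this example's choice of primitives; the paper does not prescribe particular algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Proof is all a log source submits to the auditing layer: the digest of one
// entry plus the source's signature over it. The entry itself stays on-premise.
type Proof struct {
	Source, EntryID string // Source is resolved through the consortium's key registry
	Digest          [32]byte
	Sig             []byte
}
type Block struct{ Prev, Hash [32]byte; Proofs []Proof } // one batch of proofs, chained to its predecessor
type Node struct{ Name string; Chain []Block }           // one consortium member's replica of the ledger

// Consortium is the permissioned network: authenticated nodes plus a registry
// of log-source signing keys (assumed here to be provisioned out of band).
type Consortium struct {
	Nodes   []*Node
	Sources map[string]ed25519.PublicKey
}

// signedBytes binds the entry ID to the digest so a proof cannot be replayed under another ID.
func signedBytes(id string, d [32]byte) []byte { return append([]byte(id+"|"), d[:]...) }

func blockHash(prev [32]byte, proofs []Proof) [32]byte {
	b := append([]byte(nil), prev[:]...)
	for _, p := range proofs {
		b = append(b, signedBytes(p.Source+"|"+p.EntryID, p.Digest)...)
		b = append(b, p.Sig...)
	}
	return sha256.Sum256(b)
}

// MakeProof runs on the log source at generation time, before any SIEM processing.
func MakeProof(source string, priv ed25519.PrivateKey, id string, entry []byte) Proof {
	d := sha256.Sum256(entry)
	return Proof{Source: source, EntryID: id, Digest: d, Sig: ed25519.Sign(priv, signedBytes(id, d))}
}

func (c *Consortium) verifyProof(p Proof) bool {
	pub, ok := c.Sources[p.Source]
	return ok && ed25519.Verify(pub, signedBytes(p.EntryID, p.Digest), p.Sig)
}

// Commit rejects a batch containing any unattributable proof; otherwise every
// node appends the same block (ordering consensus is abstracted away here).
func (c *Consortium) Commit(proofs []Proof) error {
	for _, p := range proofs {
		if !c.verifyProof(p) {
			return fmt.Errorf("rejecting proof for %s: bad signature or unknown source %q", p.EntryID, p.Source)
		}
	}
	var prev [32]byte
	if k := len(c.Nodes[0].Chain); k > 0 {
		prev = c.Nodes[0].Chain[k-1].Hash
	}
	h := blockHash(prev, proofs)
	for _, n := range c.Nodes { // each replica gets its own copy of the batch
		n.Chain = append(n.Chain, Block{Prev: prev, Hash: h, Proofs: append([]Proof(nil), proofs...)})
	}
	return nil
}

// Audit is the auditor's check against any single node: the chain up to the proof must be
// intact, the proof must carry a valid source signature, and the entry as presented must hash to it.
func (c *Consortium) Audit(n *Node, id string, entry []byte) error {
	var prev [32]byte
	for _, b := range n.Chain {
		if b.Prev != prev || blockHash(b.Prev, b.Proofs) != b.Hash {
			return errors.New("replica on " + n.Name + " is not a valid chain")
		}
		prev = b.Hash
		for _, p := range b.Proofs {
			if p.EntryID != id {
				continue
			}
			if !c.verifyProof(p) {
				return errors.New("proof for " + id + " on " + n.Name + " has an invalid source signature")
			}
			if sha256.Sum256(entry) != p.Digest {
				return errors.New("entry " + id + " does not match its committed digest")
			}
			return nil
		}
	}
	return errors.New("no proof for " + id + " on " + n.Name)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := &Consortium{Nodes: []*Node{{Name: "org-a"}, {Name: "org-b"}, {Name: "org-c"}}, Sources: map[string]ed25519.PublicKey{"collector-1": pub}}
	entry := []byte("2020-01-01T10:00:00Z host1 sshd: Failed password for root from 10.0.0.5") // constructed sample line
	fmt.Println("commit:", c.Commit([]Proof{MakeProof("collector-1", priv, "evt-1", entry)}))
	fmt.Println("audit of untouched entry:", c.Audit(c.Nodes[2], "evt-1", entry))
	fmt.Println("audit of altered entry:", c.Audit(c.Nodes[2], "evt-1", []byte("scrubbed")))
}
```

Because every entry carries its own signed proof, an auditor detects the alteration of any single record rather than only drift between periodic checkpoints, and a proof submitted under an unregistered key is rejected at commit time, which is what gives the scheme its non-repudiation. The proof commits only to the raw entry as generated, so SIEM pipelines may normalise and enrich working copies freely as long as the original bytes are retained for the audit. A node whose replica has been rewritten fails its own audit, and the auditor can fall back on any other node, which is why the design tolerates a minority of dishonest operators.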
Related work
Specialized hardware or software is required to achieve the security goals of secure logging systems outlined above. Prior work on secure logging systems can be grouped into three categories: append-only storage systems, forward-secure evolving signatures, and trusted third party (TTP) notary services (Cucurull and Puiggalí, 2016). Hardware-based write-only devices are a cost-intensive solution, especially for large volumes of continuously generated log data. For this reason we focus
System design
Following the design science research methodology by Peffers et al. (2007), we begin by elaborating requirements and objectives for the system. Based on these requirements, we consider the available options for storing data when using a blockchain system and describe a general architecture for a blockchain-based auditable logging system. We also discuss two options for operation of the blockchain network in practice.
Prototype
For demonstration and evaluation purposes, we create a prototype based on a SIEM reference architecture. We build on the DINGfest infrastructure created in prior work, which already implements some parts of the design described above, such as the storage cluster. However, it currently lacks a way to ensure end-to-end integrity, auditability and non-repudiation of the original log evidence. The prototype adds this capability in the form of a blockchain-based distributed log auditing service. The service is
Evaluation
The crucial aspects of the design to evaluate are security and performance. System security matters because exploitable vulnerabilities would call into question the very purpose of the infrastructure. Performance matters as well, to ensure scalability for larger organizations, especially since blockchain systems are known for their scalability limitations. The security evaluation is based on a structured analysis of threats, while the performance evaluation focuses on
Conclusion
This paper presents an infrastructure for log auditing using a permissioned blockchain to store integrity proofs. It is based on legal requirements for admissible evidence and represents an on-premise alternative to third-party solutions and specialized write-only hardware. Even without a third-party service provider, the solution achieves immutability through cooperation and data sharing between independent nodes. It permits processing of evidence for security analytics purposes while ensuring
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgement
This research was supported by the Federal Ministry of Education and Research (grant no. 16KIS0501K), Germany, as part of the DINGfest project (https://dingfest.ur.de).
References
- et al. (2013). A secure log architecture to support remote auditing. Math. Comput. Model.
- et al. (2017). Blockchain enabled privacy audit logs. Lecture Notes in Computer Science.
- Accorsi, R. (2009). Log data as digital evidence: what secure logging protocols have to offer? Proc. of the International...
- et al. (2018). Towards blockchain-driven, secure and transparent audit logs. Proceedings of the 15th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services.
- et al. (2017). Consensus in the age of blockchains. CoRR.
- et al. (2018). Shared Cloud Object Store, governed by permissioned blockchain. Proceedings of the 11th ACM International Systems and Storage Conference (SYSTOR '18).
- Bidgoli (2006). Handbook of Information Security.
- BitFury Group (2018). Exonum...
- et al. (2013). Keyless signatures' infrastructure: how to build global distributed hash-trees. Proc. of the Nordic Conference on Secure IT Systems.
- et al. (2014). Efficient quantum-immune keyless signatures with identity. IACR Cryptol.
- Casey (2011). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet.
- Practical byzantine fault tolerance and proactive recovery. ACM Trans. Comput. Syst.
- Cucurull and Puiggalí (2016). Distributed immutabilization of secure logs. Lect. Notes Comput. Sci.
- A temporal blockchain: a formal analysis. Proceedings of the 2016 International Conference on Collaboration Technologies and Systems (CTS 2016).
Cited by
- Blockchain meets Internet of Things (IoT) forensics: A unified framework for IoT ecosystems. 2023, Internet of Things (Netherlands).
- Blockchain from the information systems perspective: Literature review, synthesis, and directions for future research. 2023, Information and Management.
- AudiWFlow: Confidential, collusion-resistant auditing of distributed workflows. 2022, Blockchain: Research and Applications. Citation excerpt: "Cucurull and Puiggalí [14] proposed adding checkpoints to storage that generate logs that are then published to the Bitcoin blockchain; however, tampering with logs is possible between the checkpoint intervals. Putz et al. [15] targeted this limitation by enabling integrity verification of each log entry through hashes published on a permissioned blockchain. They verified each log collected from different organisations."
- EBDF: The enterprise blockchain design framework and its application to an e-Procurement ecosystem. 2022, Computers and Industrial Engineering.
- HERMES: Fault-tolerant middleware for blockchain interoperability. 2022, Future Generation Computer Systems. Citation excerpt: "The distributed recovery protocol has assumptions regarding log management. Log entries need integrity, durability, availability, and confidentiality guarantees, as they are an attractive attack point [19]. Every log entry contains a hash of its payload for guaranteeing integrity."
- Distilling blockchain requirements for digital investigation platforms. 2021, Journal of Information Security and Applications.
Benedikt Putz studied at the University of Augsburg, University of Oulu and the University of Regensburg, where he received his Master of Science degree with Honors. Currently he is a research assistant at the Department of Information Systems at the University of Regensburg, Germany. His research concerns distributed ledger and blockchain systems, with a focus on applications of the technology in information systems security.
Florian Menges received both the Bachelor of Science and Master of Science degree from the University of Regensburg, Germany. Currently he is a research assistant at the Department of Information Systems at the University of Regensburg, Germany. His research interests include threat intelligence with a focus on sharing and reporting intelligence data, storage strategies for intelligence data as well as anonymization techniques and incentivizing the sharing and reporting of incident data.
Günther Pernul received both the diploma degree and the doctorate degree (with honors) from the University of Vienna, Austria. Currently he is full professor at the Department of Information Systems at the University of Regensburg, Germany. Previously he held positions with the University of Duisburg-Essen, Germany and with the University of Vienna, Austria, and visiting positions at the University of Florida and the College of Computing at the Georgia Institute of Technology, Atlanta. His research interests are manifold, covering data and information security aspects, data protection and privacy, data analytics, and advanced data-centric applications.