WO1992013307A1 - Verfahren und anordnung zur überwachung von rechnermanipulationen - Google Patents

Verfahren und anordnung zur überwachung von rechnermanipulationen Download PDF

Info

Publication number
WO1992013307A1
WO1992013307A1 PCT/EP1992/000061 EP9200061W WO9213307A1 WO 1992013307 A1 WO1992013307 A1 WO 1992013307A1 EP 9200061 W EP9200061 W EP 9200061W WO 9213307 A1 WO9213307 A1 WO 9213307A1
Authority
WO
WIPO (PCT)
Prior art keywords
computer
program
computers
attributes
monitoring
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP1992/000061
Other languages
German (de)
English (en)
French (fr)
Inventor
Rainer Glaschick
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wincor Nixdorf International GmbH
Original Assignee
Siemens Nixdorf Informationssysteme AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Nixdorf Informationssysteme AG filed Critical Siemens Nixdorf Informationssysteme AG
Priority to EP92902319A priority Critical patent/EP0567492B1/de
Publication of WO1992013307A1 publication Critical patent/WO1992013307A1/de
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/565Static detection by checking file integrity
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/32Monitoring with visual or acoustical indication of the functioning of the machine
    • G06F11/324Display of status information
    • G06F11/327Alarm or error message display
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0805Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability
    • H04L43/0817Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability by checking functioning

Definitions

  • the present invention relates to a method and an arrangement for monitoring manipulations on computers which are connected via a network, according to the preamble of claims 1 and 13, respectively.
  • Manipulations on computers mean, in particular, changes to executable programs by unauthorized persons, e.g. the "infection” of computers with “viruses” or “Trojan horses”.
  • Classified operating systems are those that are based on evaluation guidelines such as the American "Trusted Computer System Evaluation Criteria", the German Correspond to "IT security criteria” or similar rule collections. From certain classes, classified operating systems have built-in security levels that make manipulation more difficult. For example, from class B2 of the above-mentioned "Trusted Computer System Evaluation Criteria” so-called “access control lists” are prescribed, which allow a finer gradation of the writing privileges. Prescribed log files facilitate the detection of manipulations, but do not prevent them. However, if an intruder succeeds in obtaining the appropriate privileges, he can manipulate files as in conventional systems.
  • the invention is based on the fact that the manipulation of databases (eg files and / or file directories) also changes their attributes.
  • the special one lies in the principle that a monitoring device that is not accessible to intruders (eg a computer that is set up in a closed room to which only a very limited number of people have access) is connected to the other computers in a valve-like manner.
  • valve-like means that the monitoring device can access the computers connected to the network, but an intruder who has penetrated one of these computers cannot access the monitoring device.
  • a program for checking file inventories is therefore not available on the computer to be checked itself, but in the protected monitoring device, which is preferably a monitoring computer. This division considerably increases the effort required for intruders to switch off the protection without an alarm being triggered.
  • the method according to the invention is preferably applied to files which a central administration, e.g. by a system administrator.
  • files which a central administration e.g. by a system administrator.
  • parts of the operating system and the files that control the system are included. This protection is particularly important as manipulation can endanger the entire system.
  • the monitoring of the data inventory attributes by the monitoring device can be carried out automatically and at regular time intervals.
  • the polling can be carried out deliberately at irregular time intervals, so that an intruder cannot use the times between regular checks for manipulation.
  • the monitoring device preferably queries the data inventory attributes of several computers in a time-nested fashion compares them with target values. This is particularly useful if the monitoring is carried out synchronously, ie the monitoring device waits after submitting a query until the computer reports back the file attribute. For reasons of operational safety, the monitoring device must contain a timer in order to recognize missing acknowledgments and to evaluate them as a failed query. Since the confirmation of queries by the computers takes a certain amount of time, it makes sense to submit the queries in a time-interleaved manner by the monitoring device.
  • the query of the file inventory attributes is implemented by a so-called "client-server architecture".
  • the monitoring device is a monitoring computer on which there is a tester program (client) and at least one file in which the file stocks to be checked and the respective target values of their attributes are stored.
  • At least one service program (server) is implemented on the computers to be checked, which can calculate the attributes of the file inventory on this computer on request and report them back via the network.
  • service programs are usually also implemented on the computers, which enable "entry” into the computer via the network.
  • At least one such utility program must not be implemented on the monitoring computer in order to ensure the valve-like connection of the monitoring computer to the network.
  • a first preferred option for further security is to encrypt the communication over the network.
  • encryption with changing keys is preferably used.
  • These changing keys could e.g. by the known method of Diffie and Hellmann (W. Diffie and M.E. Hellmann, New Directions in Cryptography, I.E.E. Trans. Inf. Series, No. 6, November 1976, p. 140). This known method enables the generation of a common key between two participants through a public dialogue without a listener being able to reconstruct the key.
  • Another preferred way to further increase security is to open communication allow a secure authentication protocol to run between the tester program and the utility program.
  • a secure authentication protocol is known for example from DE-OS 38 17 484.
  • a secret key is encrypted in the utility program by a simple method, for example by linking to XOR, with a fixed, likewise stored value.
  • a third possibility for increasing security consists in integrating the utility program for calculating and delivering the file attributes into a further, already existing utility program, whereby the effort of an intruder increases considerably since he now has to replace a utility program with one, that must function unchanged for the services originally to be executed. If this does not happen, the misconduct would be noticed.
  • the program text of this extended service program can preferably be transmitted to the monitoring computer before communication with it, where the actual program text is compared with a setpoint.
  • a fourth possibility for increasing security is that one does not implement complete service programs for calculating the file attributes on the computers, but only load programs.
  • the actual service program is only available on the monitoring computer, which sends this to a loading program before a computer is checked.
  • an intruder cannot modify the utility program because it is not available on the computer at all.
  • the utility is preferably provided with an ordinary or cryptographic checksum in the monitor that must be returned by the loader. This can be done before Submit the utility a random number entered in it so that a new checksum must be transmitted each time.
  • the checksum can be dispensed with and an alternating key for symmetrical encryption of the dialogs can be stored in the utility program instead.
  • a discrepancy is found when checking the file inventory attributes or the authenticity of the computer to be checked, there are various evaluation options. For example, an entry can be made in a corresponding file. A message can also be sent to a system administrator. Alternatively, an alarm bell can be triggered. Another utility in the computer to be checked can be addressed that deactivates this computer. If a bus network such as Ethernet is used as the network, the computer can also be isolated from the network from the monitoring computer. For this purpose, a hardware device can constantly monitor the data packets on the network. If the computer sends a packet (or is supposed to receive one), this can be recognized by the hardware arrangement, since the packets carry the address of the computer in a specific position. The hardware device can then cause the monitoring computer not to behave in accordance with the protocol but to disturb the computer. This ensures in any case that the suspected computer is isolated from the network.
  • FIG. 1 is a schematic representation of an embodiment of the arrangement of the invention
  • FIG. 2 is a detailed illustration of the arrangement according to FIG. 1;
  • 3 is a schematic representation of the flow of communication between the tester program and the utility program
  • 4 is an example of the file on the checking computer, which contains files to be checked by a computer and examples of attributes assigned to these files;
  • FIG. 1 schematically shows the arrangement according to the invention with a monitoring computer 1, which is connected to one or more computers 3 to be checked via a (local) network 2.
  • the "Ethernet" bus system 4 with the TCP / IP protocol is used as the local network; however, it is also possible to use other types of networks and the TCP / IP protocol can also be handled via serial lines and switching computers.
  • the monitoring computer 1 is physically secured by a shield 5, so that no unauthorized access to it is possible. For this purpose, for example, a special, lockable room can be used, to which only a known small number of employees have access.
  • FIG. 2 shows a more detailed illustration of this arrangement, on which a client-server architecture is implemented by software.
  • a client-server architecture is implemented by software.
  • a utility program (server) 44 is also installed on this computer 3.
  • the checking program (client) 45 runs in the monitoring computer 1 and receives the names and the target attributes of the files to be checked in the computer from a file 46. For each entry in the file 46, an order for calculating the attributes of a file is sent to the service program 44, which in turn determines the named file 33, determines its attributes and transmits them back to the checker program 45 in response. This answer is compared by the tester program 45 with the target values in the file 46.
  • the diode symbols 47 and 48 indicate the valve-like property of the client-server architecture used. At least the diode symbol 48 is redundant. It is essential that the monitoring computer 1 cannot be accessed.
  • the monitoring computer 1 is configured such that no utilities are active or can be activated on it. To this extent, the monitoring computer is isolated from the network.
  • FIG. 3 shows schematically the course of communication between see the tester program 45 and the utility program 44.
  • the step “create order” 23 takes place in the tester program 45.
  • the step “transmit order” 24 takes place via the network 2.
  • the step “process order” 25 takes place in the utility program 44, the step “confirm order” 26 again takes place via the network 2 and the step “finally process the order” 27 takes place again in the examiner program 46. As shown in Fig. 3, this process is repeated several times.
  • an order consists in determining the attributes of a file on the computer 3 to be checked.
  • the orders are usually carried out synchronously, i.e.
  • the service program 44 executes the job immediately and reports the result back to the checker program 45.
  • the tester program 45 after it has sent the order via the network 2, waits for the response from the service program 44 to arrive.
  • the orders can also be sent to the various computers nested in time and be received.
  • the service program 44 can also form an order file for a later execution (batch job); however, the significantly larger time limit, which can usually last up to an hour, increases the chance for an intruder to manipulate the order files. This is generally easier than manipulating the utility program.
  • the client-server architecture is implemented by software.
  • a network is generally required which provides fast transport functions.
  • Ethernet has the advantage that with the Access to the physical medium, the cable, to all previously connected computers is possible without having to activate a central configuration management.
  • the type of network is irrelevant to the proposed arrangement. It is only assumed that the tester program 45 on the monitoring computer 1 can initiate the service program 44 on the computer 3 to be monitored and receives a result.
  • the valve action between network 2 and monitoring computer 1 can also be generated by hardware; however, this solution is not so elegant because it has to be done at a higher level.
  • the monitoring computer 1 must receive responses from the computer 3 to be monitored, so that bidirectional communication is necessary.
  • a valve effect of the hardware should therefore have an effect on the contents of the data blocks transmitted over the network. It is much easier to configure the software on the monitoring computer 1 so that it only interprets the contents of the incoming data packets in the context of the monitoring protocol and does not allow general access.
  • An authentication process is not encryption of data exchange in the conventional sense. In the authentication process, it is not the confidentiality of the data exchange that must be ensured, but the authenticity of the messages. It must therefore be ensured that the expected response also comes from the accepted utility 44 in an unadulterated manner.
  • the method of the loading program allows the service program 44 to be provided with a constantly changing identifier. This provides a better secure key storage for the above-mentioned authentication protocols, because the time for extracting the key and installing it in a deception utility program is shorter than if the utility program is permanently available on the monitoring computer.
  • a deceiver loading program is of no use to an intruder, since the intruder must execute the transmitted service program 44 in order to generate an authentic response to the monitoring computer 1.
  • A is usually used as symmetric encryption A process that uses the same key for encryption and decryption.
  • the well-known American “Data Encryption Standard” (DES) is mentioned as an example.
  • a checksum of a conventional type for example as a cross sum or cyclic code (cyclic redundancy check, CRC), allows simple means to construct a second file for a file, the checksum of which is equal to the first file.
  • CRC cyclic redundancy check
  • a cryptographic checksum (more precisely: cryptographically secure checksum) is a method that calculates a checksum for a file so that this calculation can be carried out efficiently, but it is practically impossible to find a second file that has the same checksum. An example of this is the method by Juenemann, described in the ISO standard X500, part III.
  • the types of attributes of the file inventory used for checking have no influence on the invention; rather, they are one of the essential properties of the computer to be monitored. Only the continuous checking of the attributes without the need for checksums offers significant protection against manipulation, since many manipulation methods are known in which a change in the file attributes is brought about.
  • Fig. 4 shows an example of the contents of a file 46, the file names to be checked (file na e) and each associated attributes such as a checksum, priority attributes, the membership, the size and the date of the file.
  • FIG. 5 shows an example of the pseudocode for a service program 44
  • FIG. 6 shows an example for the pseudocode of an examiner program 45.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer And Data Communications (AREA)
  • Burglar Alarm Systems (AREA)
  • Alarm Systems (AREA)
PCT/EP1992/000061 1991-01-16 1992-01-14 Verfahren und anordnung zur überwachung von rechnermanipulationen Ceased WO1992013307A1 (de)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP92902319A EP0567492B1 (de) 1991-01-16 1992-01-14 Verfahren und anordnung zur überwachung von rechnermanipulationen

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DEP4101141.4 1991-01-16
DE4101141A DE4101141C1 (enExample) 1991-01-16 1991-01-16

Publications (1)

Publication Number Publication Date
WO1992013307A1 true WO1992013307A1 (de) 1992-08-06

Family

ID=6423123

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP1992/000061 Ceased WO1992013307A1 (de) 1991-01-16 1992-01-14 Verfahren und anordnung zur überwachung von rechnermanipulationen

Country Status (6)

Country Link
EP (1) EP0567492B1 (enExample)
AT (1) ATE112078T1 (enExample)
DE (1) DE4101141C1 (enExample)
DK (1) DK0567492T3 (enExample)
ES (1) ES2059211T3 (enExample)
WO (1) WO1992013307A1 (enExample)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6973305B2 (en) 2003-09-10 2005-12-06 Qualcomm Inc Methods and apparatus for determining device integrity
EP2591437B1 (en) * 2010-07-09 2018-11-14 BlackBerry Limited Microcode-based challenge/response process

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0304033A2 (de) * 1987-08-19 1989-02-22 Siemens Aktiengesellschaft Verfahren zum Diagnostizieren einer von Computerviren befallenen Datenverarbeitungsanlage
WO1990005418A1 (en) * 1988-11-03 1990-05-17 Lentz Stephen A System and method of protecting integrity of computer data and software

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4262329A (en) * 1978-03-27 1981-04-14 Computation Planning, Inc. Security system for data processing
ATE31827T1 (de) * 1983-10-13 1988-01-15 Josef Seifert Verfahren zum schutz von auf maschinenlesbaren datentraegern aufgezeichneten programmen vor unerlaubter einsichtnahme und unerlaubtem kopieren.
GB8704883D0 (en) * 1987-03-03 1987-04-08 Hewlett Packard Co Secure information storage
DE3736760A1 (de) * 1987-10-30 1989-05-11 Trans Tech Team Immobilien Gmb Verfahren zur verhinderung der verbreitung von computerviren
DE3817484A1 (de) * 1988-05-21 1989-11-30 Thomas Prof Beth Verfahren und schaltungsanordnung zur identifikation und echtheitspruefung aller arten von spezifischen merkmalen

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0304033A2 (de) * 1987-08-19 1989-02-22 Siemens Aktiengesellschaft Verfahren zum Diagnostizieren einer von Computerviren befallenen Datenverarbeitungsanlage
WO1990005418A1 (en) * 1988-11-03 1990-05-17 Lentz Stephen A System and method of protecting integrity of computer data and software

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
COMPUTERS & SECURITY. Bd. 7, Nr. 2, April 1988, AMSTERDAM NL Seiten 157 - 163; H.J. HIGHLAND: 'How to combat a computer virus' *
COMPUTERS & SECURITY. Bd. 9, Nr. 2, April 1990, AMSTERDAM NL Seiten 131 - 137; GHANNAM M. AL-DOSSARY: 'Computer virus prevention and containment on mainframes' *

Also Published As

Publication number Publication date
EP0567492A1 (de) 1993-11-03
DE4101141C1 (enExample) 1992-07-02
ATE112078T1 (de) 1994-10-15
ES2059211T3 (es) 1994-11-01
EP0567492B1 (de) 1994-09-21
DK0567492T3 (da) 1995-01-09

Similar Documents

Publication Publication Date Title
DE69921454T2 (de) Prüfung von sofwarenagenten und aktivitäten von agenten
DE69213062T2 (de) Authentisierungsprotokolle für Kommunikationsnetzwerke
DE69229755T2 (de) Anordnung und Verfahren zur Freigabe von geschützten Prozessen in einem verteilten Mehrprozessdatensystem
DE69634880T2 (de) Verfahren und gerät zum kontrollierten zugriff zu verschlüsselten datenakten in einem computersystem
DE4107019A1 (de) Verfahren und vorrichtung zur ueberpruefung von kennwoertern
DE19952527A1 (de) Verfahren und Transaktionsinterface zum gesicherten Datenaustausch zwischen unterscheidbaren Netzen
WO2001090855A1 (de) Verschlüsseln von abzuspeichernden daten in einem iv-system
EP3763089B1 (de) Verfahren und steuersystem zum steuern und/oder überwachen von geräten
EP2272199B1 (de) Verteilte datenspeicherungseinrichtung
DE60317024T2 (de) Methode zum Setzen der Konfigurationsinformationen eines Speichergerätes
EP3412018B1 (de) Verfahren zum austausch von nachrichten zwischen sicherheitsrelevanten vorrichtungen
DE10146361B4 (de) Verteiltes System
EP0280035B1 (de) Verfahren zum Sichern von Programmen und zur Integritätskontrolle gesicherter Programme
DE102018112742A1 (de) Computerimplementiertes Verfahren zum Übergeben eines Datenstrings von einer Anwendung an eine Datenschutzeinrichtung
EP3718263B1 (de) Verfahren und steuersystem zum steuern und/oder überwachen von geräten
DE10028500A1 (de) Verfahren zur Installation von Software in einer Hardware
EP0567492B1 (de) Verfahren und anordnung zur überwachung von rechnermanipulationen
WO2014068051A1 (de) Verfahren zum geschützten hinterlegen von ereignisprotokoll-daten eines computersystems, computerprogrammprodukt sowie computersystem
WO2005048103A1 (de) Sichere erfassung von eingabewerten
DE10064658B4 (de) Rechneranordnung, die an ein Datenübertragungsnetz anschließbar ist
WO2015062812A1 (de) Sicherheitsrelevantes system mit supervisor
DE202023100943U1 (de) Auf maschinellem Lernen basierendes System für einen dynamischen Verschlüsselungsdienst, der die Sicherheit von Gesundheitsdaten im Krankenhausdatenmanagement aufrechterhalten kann
WO1998026537A1 (de) Verfahren zur elektronisch gesicherten speicherung von daten in einer datenbank
DE69512667T2 (de) Verfahren und vorrichtung zur verifikation von datenfolgen
EP2318974B1 (de) Verfahren zum betrieb einer transaktionsbasierten ablaufsteuerung

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): FI NO US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FR GB GR IT LU MC NL SE

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 1992902319

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 1992902319

Country of ref document: EP

WWG Wipo information: grant in national office

Ref document number: 1992902319

Country of ref document: EP