A prototype for filesystem integrity checker in user-space mood

Abstract

Today, improving the security of computer systems has become a vital and challenging problem. Attackers can seriously damage the integrity of filesystems. Attack detection is complex and time-consuming for system administrators, and it is becoming more so. One of the means to detect intruder's activity is to trace all unauthorized changes in a filesystem. Current user-space mood checkers, due to being slow detectors, suffer from the opportunity gap that occurs between filesystem checks. Basing on the principle of thinking like an attacker, this prototype is developed to minimize the total time taken for checking by focusing on critical files. The proposed technique will accelerate the checking process through acquiring specific file extensions from the filesystem rather than targeting the entire filesystem. Discrepancies in the filesystem are reported after comparing current files hashing values with original hashing values. This prototype is configured to use variety of hashing algorithms to measure the performance on different scales and to provide various choices for users. Research results on Windows Server 2003 show that the average total time taken for this prototype is in the range of three to four minutes. The elapsed time of filesystem checking by Windows System File Check tool “SFC” has been decreased to eighty five percent on this prototype.