摘要
随着越来越多的法律法规要求将电子数据纳入审计监督范围,电子数据安全审计变得愈来愈重要.电子数据审计要求为数据的更改生成可验证的审计跟踪记录.现有的针对电子数据审计的系统因为不能防止内部人员的攻击以保证审计跟踪记录的安全可信,无法很好地满足用户需求.设计并实现了一个基于连续多版本的可审计文件系统CV-AFS,通过连续多版本技术连续捕获和保存文件系统数据变化,引入了一个可信的审计代理负责生成相应的审计跟踪记录,事后审计机构可根据审计跟踪记录来对数据进行审计,从而防止了内部人员的攻击.通过使用增量Hash算法,降低了生成审计跟踪记录的开销.作者在Linux上基于多版本文件系统ext3cow实现了CV-AFS的原型系统并进行了性能测试.Postmark的测试结果表明,CV-AFS的总时间开销要比使用传统完全Hash算法的开销降低43.5%.
With the trend of more and more recent federal, state and local legislation mandating the retention and access of electronic records and audit information, the security audit of digital data becomes more and more important. The key requirement of the digital audit is to generate verifiable audit trails on the change of electronic records. Current systems for compliance with digital audit legislation fail to provide the security and trustworthiness of audit trails in the presence of a powerful insider adversary. A continuous versioning-based auditable file system, CV-AFS, is presented. All changes to data are recorded and the system will construct a data history through continuous versioning. A trusted audit agent is introduced to generate corresponding audit trails. At a later time, an auditor may verify the version history of a file according to the audit trails, and thus important data can be protected against insider attacks. The overhead of generating audit trails is reduced through the use of incremental and parallelizable Hash construction. The authors have implemented a prototype of CV-AFS in the ext3cow versioning file system based on Linux and evaluated its performance. Postmark benchmark test shows that the time overhead of CV AFS is reduced by 43.5% compared with traditional serial Hash construction.
出处
《计算机研究与发展》
EI
CSCD
北大核心
2009年第11期1830-1838,共9页
Journal of Computer Research and Development
基金
国家"八六三"高技术研究发展计划基金项目(2009AA01A4303)
高等学校博士学科点专项科研基金项目(20070003092)
教育部新世纪优秀人才支持计划基金项目(NCET-05-0067)
国家自然科学基金项目(60873066)
关键词
安全审计
连续多版本
审计跟踪记录
增量Hash
防篡改硬件
security audit
continuous versioning
audit trails
incremental Hash construction
tamper-resistant hardware