2016 International Conference on Electronic Information Technology and Intellectualization (ICEITI 2016) ISBN: 978-1-60595-364-9
The Application of Information Audit in Power Information System
Fei Yang
ABSTRACT
As an after-the-fact review methodology, security audit technology has been widely applied in the field of information security. In the power information system, security audit technology plays an irreplaceable role in discovering security vulnerabilities, detecting APT attacks and performing incident forensic analysis. This paper conducts a systematic study of audit technology in the power information system: we first examine in detail the security audit techniques for each kind of equipment, including operating systems, databases and network devices. Afterwards, we design a security audit system for the power information system, covering the system architecture, the data collection technology and the data processing method. It is shown that the security of the power information system can be effectively enhanced by the security audit system.
INTRODUCTION
Nowadays, information security has gained more and more attention from industrial enterprises and governments. As an after-the-fact review methodology, security audit technology is widely applied in the field of information security and is commonly regarded as a method for obtaining electronic evidence after an incident [1-2].
Security audit is used to supply electronic intrusion evidence that cannot be repudiated, according to a given theory, and to trace the source of a network attack. It was first proposed by James P. Anderson Co. in its technical report “Computer Security Threat Monitoring and Surveillance” [3]. Also, this company released its first security audit software, SATAN, in 1995. Afterwards, many other companies developed their own audit software, such as DAS-Logger by DBAPPSecurity, NSFOCUS SAS by NSFOCUS and so on.
As the control center of the power system, the power information system plays a key role in the power system. Therefore, its security must be strictly guaranteed. With the help of security audit techniques, we can trace the attack source, explore the underlying attack and identify whether a network attack has occurred.
THE SECURITY AUDIT RESEARCH OF THE EQUIPMENT
In power information systems there are three kinds of equipment audit: operating system audit, database audit and network equipment audit. At the operational level, the following principles should be followed during the audit process [4].
1) Turn on the audit service of the device and configure the audit scope to cover user behavior, resource usage and calls of important commands.
2) Protect the audit process against unexpected interruption. The audit process of the equipment should run at the system or root level, so that no normal user can terminate it.
3) Protect audit records against unexpected deletion, alteration or overwriting. Firstly, the root user (on UNIX-like operating systems) or the administrator user (on Windows) should be disabled. Secondly, three types of user roles should be set up on the equipment, each to perform its own job: device administrator, security officer and auditor. Thirdly, proper permissions must be assigned to these roles so that each role holds only the minimal privilege on the equipment. The device administrator only has administrative rights on the device, including setting up accounts. The security officer can only configure users' permissions. The auditor can only perform jobs related to the system audit and cannot delete the logs from the device.
We take the Linux and Windows operating systems as examples to illustrate operating system audit technology. The audit technique of the operating system should include the following content [5].
In the Linux operating system, the following commands can be used to check whether the audit function is turned on: ps -aux | grep syslogd, ps -aux | grep audit or audit query.
In the Linux operating system, first configure the permissions of the audit configuration file /etc/syslog.conf to be no wider than 644, which means that only the auditor (as the file owner) can modify the audit configuration file. Secondly, configure the permissions of the audit log files under the folder /var/log to be no wider than 400, which means that only the auditor has permission to read those audit records.
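The two Linux permission rules just described can be checked mechanically. The following script is an added example, not code from the paper; it takes the configuration file and log directory as parameters (defaulting to the paper's /etc/syslog.conf and /var/log) so it can be run against a constructed test directory, and treats a file as compliant only when it grants no permission bit beyond the stated maximum.

```python
import os
import stat
from pathlib import Path

# Added example, not the paper's code: verify the Linux audit-file
# permissions the paper prescribes (/etc/syslog.conf no wider than 644,
# audit logs under /var/log no wider than 400). Paths are parameters so
# the checks can also be run against a constructed test directory.

def excess_bits(path, max_mode):
    """Return the permission bits set on path that max_mode does not allow
    (0 means compliant). Raises FileNotFoundError if the file is missing."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & ~max_mode & 0o7777

def check_mode_max(path, max_mode):
    """True if the file exists and grants no permission beyond max_mode."""
    try:
        return excess_bits(path, max_mode) == 0
    except FileNotFoundError:
        return False

def permissive_logs(log_dir, max_mode=0o400):
    """Sorted list of regular files in log_dir that are wider than max_mode,
    i.e. audit records readable by someone other than the auditor."""
    return sorted(str(p) for p in Path(log_dir).iterdir()
                  if p.is_file() and not check_mode_max(p, max_mode))

def audit_linux_files(conf="/etc/syslog.conf", log_dir="/var/log"):
    """Run both checks; return a dict of findings (empty means compliant)."""
    findings = {}
    if not check_mode_max(conf, 0o644):
        findings["config"] = [conf]
    bad = permissive_logs(log_dir, 0o400)
    if bad:
        findings["logs"] = bad
    return findings

if __name__ == "__main__":
    print(audit_linux_files() or "all audit files compliant")
```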
In the Windows operating system, the audit records are protected by the operating system once the three types of accounts have been set up with the proper permissions for each account. In addition, the auditor should expand the storage space for log records to avoid audit failure events when the storage space is full; this can be configured at Computer -> Manage -> Event Viewer -> Windows Logs.
Database audit is another important part of the security audit. Its requirements are similar to those of the operating system audit, but the instructions are different [6].
In the Oracle database, the SQL*Plus command show parameter audit can be used to check whether the value of audit_trail is db, os or xml.
In the MySQL database, the statement show variables like 'log_%' can be used to check whether the result is ON, which means the audit function is turned on.
In the Sybase database, the command exec sp_configure "auditing" can be used to check whether the result is 1, which means the audit function is turned on.
As is well known, the database is mainly used for data service in the information system. To reduce the performance impact on the database, normal data exchange behavior is excluded from the audit content rules; only the operation and maintenance behavior of the database is audited.
In the Oracle database, the statement select * from dba_audit_trail can be used to check the content of the database audit.
In the Sybase database, the commands use sybsecurity and exec sp_displayaudit can be used to check the content of the database audit.
In the Oracle database, the audit records are saved under the folder $ORACLE_BASE/admin/$ORACLE_SID/adump. As a result, the permissions of the folder should be set no wider than 400 to prevent access by other users.
The audit technique of the network equipment is the other important security audit technique. We take the Cisco router as an example to illustrate how to check whether the audit function is turned on. The command show logging can be used to check whether the output contains lines such as logging on, logging buffered or logging trap notifications, which means the audit function is turned on [7].
THE DESIGN AND IMPLEMENTATION OF SECURITY AUDIT SYSTEM
Since the power information system is a distributed information system consisting of many subsystems from subsidiary companies, it is suitable to adopt a distributed audit platform. Each subnet has a network monitor responsible for monitoring the network data flow; each server and terminal is installed with agent software [8]; routers, switches, firewalls and other network equipment send their audit records to the audit center [9]; the audit center processes all the audit records and generates the report.
Data Collection
The audit records are mainly collected from the network by the network monitor in each subnet. In the power information system, four steps should be taken to carry out the data monitoring [8].
1) Place the network monitor host in a hub environment, or connect it to the mirror port of the switch. Since a hub broadcasts each data packet to every connected computer, the network monitor host will receive data packets that are not addressed to it. Similarly, connecting the network monitor host to the switch's mirror port enables it to receive all data packets.
2) Set the Network Interface Card (NIC) to promiscuous mode [10]. A NIC has different working modes; only promiscuous mode enables the network monitor host to receive all data packets regardless of their destination.
3) Use a raw socket, Libpcap, Jpcap, WinPcap, etc. to fetch the data packets. The first two steps only enable the NIC to receive all data packets in the subnet; a raw socket, Libpcap or WinPcap provides the method for the host to fetch these packets from the NIC buffer [11].
4) Extract useful information from the data packet. For each data packet, the information that should at least be extracted is the source IP, destination IP, source port, destination port, MAC address, protocol ID and, most importantly, the data content [12].
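The field extraction in step 4, as an added example that is not part of the paper: the parser below takes a raw Ethernet frame as a raw socket or Libpcap would deliver it and pulls out the MAC addresses, IP addresses, protocol ID, ports and payload, handling IP options and non-IPv4 or truncated frames. build_frame is an assumed helper that constructs a synthetic frame so the parser can be run without a capture.

```python
import struct

# Added example, not the paper's code: pull the fields listed in step 4
# (MACs, IPs, protocol ID, ports, payload) out of a raw Ethernet frame as
# a raw socket or Libpcap would deliver it. build_frame() is an assumed
# helper that constructs a synthetic frame; nothing here is captured.

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)
def parse_frame(frame):
    """Parse Ethernet II + IPv4 (+ TCP/UDP) into an audit record dict.
    Non-IPv4 or truncated frames return a record carrying a 'reason'."""
    if len(frame) < 14:
        return {"reason": "truncated ethernet header"}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    rec = {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac)}
    if ethertype != 0x0800:
        return dict(rec, reason="not IPv4 (ethertype 0x%04x)" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        return dict(rec, reason="truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4               # header length; IP options make it > 20
    total_len = struct.unpack("!H", ip[2:4])[0]
    rec["protocol"] = ip[9]
    rec["src_ip"] = ".".join(map(str, ip[12:16]))
    rec["dst_ip"] = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:total_len]                 # drops Ethernet padding past total_len
    if rec["protocol"] == 6 and len(l4) >= 20:    # TCP: data offset in byte 12
        hdr = (l4[12] >> 4) * 4
    elif rec["protocol"] == 17 and len(l4) >= 8:  # UDP: fixed 8-byte header
        hdr = 8
    else:                                  # ICMP etc.: no ports, keep raw bytes
        rec["payload"] = l4
        return rec
    rec["src_port"], rec["dst_port"] = struct.unpack("!HH", l4[:4])
    rec["payload"] = l4[hdr:]
    return rec

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload):
    """Construct a synthetic test frame (checksums left zero; only parsing matters)."""
    if proto == 6:   # minimal 20-byte TCP header, flags PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # UDP header carrying its length field
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                         1, 0, 64, proto, 0, ip4(src_ip), ip4(dst_ip))
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip_hdr + l4 + payload
```

The constructed TCP sample in the test uses destination port 502 (Modbus/TCP, common in power systems); the record returned is what the network monitor would hand to the audit center.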
Data Processing
CONCLUSION
The power information system is one of the most important information systems in industry. There is no doubt that its security must be guaranteed. As one of the most important information security technologies, security audit plays an important role in the power information system.
This paper conducted a comprehensive study of audit technology in the power information system: we first examined in detail the security audit techniques for each kind of equipment, including operating systems, databases and network devices. Afterwards, we designed the security audit system for the power information system. In practical application, the results showed that security audit can effectively enhance the security of the power information system.
REFERENCES
1. K.E. Price, “Host-Based Misuse Detection and Conventional Operating Systems' Audit Data Collection,” Master Thesis, Purdue University, 1997.
2. Zhang Junliang, “Research and Implementation of Network Security Audit System Based on the Information Filtering,” Master Thesis, Northwest University, 2009.
3. J.P. Anderson, “Computer Security Threat Monitoring and Surveillance,” Fort Washington: James P. Anderson Co., 1980, pp. 1-50.
4. T.E. Daniels, E.H. Spafford, “A Network Audit System for Host-based Intrusion Detection (NASHID) in Linux,” Purdue University, 2000.
5. T.E. Daniels, E.H. Spafford, et al., “Network Audit System for Host-Based Intrusion Detection (NASHID) in Linux,” Computer Security Applications, 16th Annual Conference (ACSAC'00), 2000, pp. 178-187.
6. Wang Weiping, Zhang Wei, “Design and Implementation of Informix Database Security Audit System,” Computing Technology and Automation, 2007, pp. 125-128.
7. Li Cheng, Wang Weizhao, Cheng Li, Wang Weinong, Li Jiabing, “Study and Implementation of Network Security Audit System Based on Firewall Log,” Computer Engineering, 2002, pp. 17-19.
8. Ding Qing, “The Research and Implementation of A Network Security Audit System,” Master Thesis, Southeast University, 2006.
9. Li Cheng, Wang Weizhao, et al., “Study and Implementation of Network Security Audit System Based on Firewall Log,” Computer Engineering, 2002, pp. 17-19.
10. Lu Meng, “Study and Practice to the Distributed Network Security Audit System,” Master Thesis, Guizhou University, 2006.
11. A. Mounji, B. Le Charlier, et al., “Distributed Audit Trail Analysis,” Proceedings of the Symposium on Network and Distributed System Security, 1995, pp. 102-112.
12. Ningning Wu, “Audit Data Analysis and Mining,” PhD Dissertation, George Mason University, 2001.
13. W. Halbert, “Artificial Neural Networks: Approximation and Learning Theory,” Blackwell Publishers, Cambridge, MA, USA, 1992.