1. Field of the Invention
The present invention relates generally to computer system operations, and more specifically to a log file protection system which prevents intruders from deleting or altering server computer log information.
2. Relevant Art
Intruder detection comprises two principal elements: log information collection and log information analysis. In other words, intruders cannot be detected without log information. From the point of view of an intruder seeking to evade detection, it is indispensable to delete any evidence of the intrusion recorded in the log information, and tools exist for doing so. In some countries unprecedented debate has been held concerning legislation that would make the maintenance of log information concerning intrusions mandatory. It is clear that such log information is indispensable for the detection of intruders, and therefore there is a need to protect such log information from deletion or alteration by intruders.
Log file protection systems for these purposes exist (for example, see Bruce Schneier, John Kelsey: Cryptographic Support for Secure Logs on Untrusted Machines, The Seventh USENIX Security Symposium Proceedings, USENIX Press pp. 53-62, 1998, Core SDI S. A.: secure syslog, http://www.core-sdi.com/Core-SDI/english/slogging/ssyslog.html). These systems concentrate primarily on making it difficult to alter log information. This in itself is a very important function. However, once log information has been altered or deleted, some of this log information is lost, and it is not possible to restore it. Normal files can be restored from backups or from the original media, but as log information is updated from time to time, even if a backup exists for a certain point in time, it is possible that new log information will have been added thereafter. It is clear, therefore, that simple backups alone are insufficient.
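To make the distinction drawn above concrete (these schemes detect alteration, they do not restore what was altered), here is a simplified forward-secure, hash-chained log in the spirit of the Schneier and Kelsey paper. It is an added illustration, not the paper's construction and not code from the applicant: each entry is authenticated with a per-entry key that is evolved one-way after use, so a later intruder who captures the current key cannot recompute the MACs of earlier entries, and a verifier holding the initial key can locate the first bad entry. The key value, the log lines and the closing marker are constructed for the example.

```python
"""Simplified forward-secure, hash-chained audit log (constructed example).

Not the Schneier-Kelsey construction itself; it only illustrates the
detect-but-cannot-restore property discussed in the text.
"""
import hashlib
import hmac

CLOSE_MARKER = "LOG_CLOSED"   # constructed sentinel marking a properly closed log
GENESIS = b"\x00" * 32        # link value before the first entry


def evolve_key(key: bytes) -> bytes:
    """One-way key evolution: once evolved, the previous key cannot be recovered."""
    return hashlib.sha256(b"evolve|" + key).digest()


def make_entry(prev_link: bytes, key: bytes, message: str):
    """Authenticate one message under the current key, chained to the previous entry.

    Returns ((message, mac_hex), next_link).
    """
    data = prev_link + message.encode()
    mac = hmac.new(key, data, hashlib.sha256).digest()
    next_link = hashlib.sha256(data + mac).digest()
    return (message, mac.hex()), next_link


class ForwardSecureLog:
    """Writer side: keeps only the *current* key; earlier keys are discarded."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._link = GENESIS
        self.entries = []  # list of (message, mac_hex)

    def append(self, message: str) -> None:
        entry, self._link = make_entry(self._link, self._key, message)
        self.entries.append(entry)
        self._key = evolve_key(self._key)  # old key gone: past entries are now fixed

    def close(self) -> None:
        """Append the closing marker so that tail deletion becomes detectable."""
        self.append(CLOSE_MARKER)


def verify(entries, initial_key: bytes) -> str:
    """Verifier side: replays the key schedule from the initial key.

    Returns 'ok', 'tampered at <index>' for the first entry whose MAC does not
    match, or 'truncated' if the chain is intact but the closing marker is missing.
    """
    key, link = initial_key, GENESIS
    for i, (message, mac_hex) in enumerate(entries):
        (_, expected_hex), link = make_entry(link, key, message)
        if not hmac.compare_digest(expected_hex, mac_hex):
            return f"tampered at {i}"
        key = evolve_key(key)
    if not entries or entries[-1][0] != CLOSE_MARKER:
        return "truncated"
    return "ok"


def demo():
    """Build a small log, then show what the verifier reports for three copies."""
    initial_key = b"constructed-initial-key-held-only-by-the-verifier"
    log = ForwardSecureLog(initial_key)
    for line in [                                   # constructed sample log lines
        "sshd: failed password for root from 192.0.2.10",
        "sshd: accepted login for mallory from 192.0.2.10",
        "sudo: mallory : COMMAND=/bin/sh",
    ]:
        log.append(line)
    log.close()

    intact = list(log.entries)

    # An intruder rewrites the incriminating entry but cannot recompute its MAC.
    altered = list(log.entries)
    altered[1] = ("sshd: accepted login for alice from 192.0.2.10", altered[1][1])

    # An intruder deletes everything after the first two entries.
    truncated = log.entries[:2]

    return (verify(intact, initial_key),
            verify(altered, initial_key),
            verify(truncated, initial_key))


if __name__ == "__main__":
    print(demo())  # ('ok', 'tampered at 1', 'truncated')
```

The verifier learns *that* entry 1 was changed and *that* the log was cut short, which is the detection property the text credits these systems with; it learns nothing about the original content of the rewritten or deleted entries, which is exactly the loss the text says backups cannot close either. Note also that an intruder who captures the current key can still append plausible entries, and a closing marker, from that point onward, so forward security protects only what was logged before the compromise.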
The following two methods are well known as countermeasures for log information alteration or deletion: (a) storing log information on write-once media; and (b) transferring log information to a computer considered to be secure, via a network.
There are, however, problems with these methods. The information must be written to the write-once media at some particular point in time and, if that point is not opportune, there is a risk of losing data. For example, it is clear that periodic backups using a UNIX based cron daemon to start specific programs at a specified time and day of the week leave open the possibility of losing log information recorded between one backup and the next.
Furthermore, methods that involve the transfer of log information via a network to a computer assumed to be secure entail various problems in terms of the transfer itself.