Many sensors have been and are being deployed to detect the activities of malicious insiders and enable attribution to the proper individuals. The ADAMS program attempts to use the activity evidence captured by these sensors to anticipate malicious behavior by detecting its precursors. We will facilitate this goal by developing a specialized sensor that detects attempts to tamper with these sensors and/or the evidential logs they create. Such tampering is highly indicative that a perpetrator is engaged in malicious behavior and attempting to hide it. This sensor will also block tamper attempts so that neither the captured activity logs nor the sensors creating those logs are corrupted. The blocking will be completely hidden from the attacker(s), so that they are unaware that the tampering actions have been thwarted and the malicious behavior detected. Thus, our proposed Tamper Sensor is both 1) a highly tuned sensor that detects attempts to disable sensors or modify sensor logs (delete, modify, or insert log entries), and 2) an effector that invisibly prevents tampering attempts, preserving the integrity of the recorded activity so that uncorrupted log files may be analyzed by other ADAMS program detectors.
Keywords: Anti-Tampering, Tamper Sensing, Tamper Detection