Techniques are provided herein to enhance detection of compromised network devices by maintaining a list of network device indicators of compromise (i.e., a footprint), determining the viable footprints relevant to the device’s specific deployment context, and placing checks for these footprints onto a device. Based on the reduced set of footprints, these footprints are placed in a cryptoprocessor (e.g., Trusted Platform Module (TPM)) to ensure that potentially relevant evidence cannot be silently discarded. As soon as a new footprint is characterized, devices may forward found instances of these footprints to a security controller. This allows the security controller to do remediation well prior to the installation of fixes/patches. Placement of events in a TPM also allows attacks on bare metal machines to be detected by virtual machines.
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Voit, Eric; Pendleton, Jared; and Mccoy, Chris, "DYNAMIC DEVICE COMPROMISE FOOTPRINT PRE-FILTERING", Technical Disclosure Commons, (October 08, 2018)