12th USENIX Security Symposium Abstract
Pp. 137-152 of the Proceedings
Storage-based Intrusion Detection: Watching Storage Activity for Suspicious Behavior
Adam G. Pennington, John D. Strunk, John Linwood Griffin, Craig A.N. Soules, Garth R. Goodson, and Gregory R. Ganger, Carnegie Mellon University
Storage-based intrusion detection allows storage systems
to watch for data modifications characteristic of system intrusions.
This enables storage systems to spot several common
intruder actions, such as adding backdoors, inserting
Trojan horses, and tampering with audit logs. Further, an
intrusion detection system (IDS) embedded in a storage
device continues to operate even after client systems are
compromised. This paper describes a number of specific
warning signs visible at the storage interface. Examination
of 18 real intrusion tools reveals that most (15) can be detected
based on their changes to stored files. We describe
and evaluate a prototype storage IDS, embedded in an NFS
server, to demonstrate both feasibility and efficiency of
storage-based intrusion detection. In particular, both the
performance overhead and memory required (152 KB for
4730 rules) are minimal.
- View the full text of this paper in HTML and PDF.
Until August 2004, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2003 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.