Storage-Based Intrusion Detection

Abstract

Storage-based intrusion detection consists of storage systems watching for and identifying data access patterns characteristic of system intrusions. Storage systems can spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. For example, examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. Further, an Intrusion Detection System (IDS) embedded in a storage device continues to operate even after client operating systems are compromised. We describe and evaluate a prototype storage IDS, built into a disk emulator, to demonstrate both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead (< 1%) and memory required (1.62MB for 13995 rules) are minimal.

Document Details

Document Type
Pub Defense Publication
Publication Date
Dec 01, 2010
Source ID
10.1145/1880022.1880024

Entities

People

  • Adam G. Pennington
  • Gregory R. Ganger
  • John D. Strunk
  • John Linwood Griffin
  • John S. Bucy

Organizations

  • Air Force Research Laboratory
  • Army Research Office
  • Carnegie Mellon University

Tags

Fields of Study

  • Computer science

Readers

  • Computer Science/Computer Engineering/Data Science/Digital Signal Processing
  • Cybersecurity
  • Sensor Fusion and Tracking Systems