Storage-based Intrusion Detection: Watching storage activity for suspicious behavior

Abstract

Storage-based intrusion detection allows storage systems to transparently watch for suspicious activity. Storage systems are well-positioned to spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. Further, an intrusion detection system (IDS) embedded in a storage device continues to operate even after client systems are compromised. This paper describes a number of specific warning signs visible at the storage interface. It describes and evaluates a storage IDS, embedded in an NFS server, demonstrating both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead and memory required (40 KB for a reasonable set of rules) are minimal. With small extensions, storage IDSs can also be embedded in block-based storage devices.

Document Details

Document Type
Technical Report
Publication Date
Oct 01, 2002
Accession Number
ADA461142

Entities

People

  • Adam G. Pennington
  • Craig A. Soules
  • Garth R. Goodson
  • Gregory R. Ganger
  • John D. Strunk
  • John L. Griffin

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Air Force Research Laboratories
  • Computer Programming
  • Computers
  • Cybersecurity
  • Detection
  • False Alarms
  • Information Warfare
  • Intrusion
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Kernels (Operating System)
  • Law
  • Operating Systems
  • Security
  • Servers (Computer Hardware)
  • Word Processors

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Parallel and Distributed Computing.
  • Sensor Fusion and Tracking Systems.