Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage

Abstract

Self-securing storage turns storage devices into active parts of an intrusion survival strategy. From behind a thin storage interface (e.g., SCSI or CIFS), a self-securing storage server can watch storage requests, keep a record of all storage activity, and prevent compromised clients from destroying stored data. This paper describes three ways self-securing storage enhances an administrator's ability to detect, diagnose, and recover from client system intrusions. First, storage-based intrusion detection offers a new observation point for noticing suspect activity. Second, post-hoc intrusion diagnosis starts with a plethora of normally-unavailable information. Finally, post-intrusion recovery is reduced to restarting the system with a pre-intrusion storage image retained by the server. Combined, these features can improve an organization's ability to survive successful digital intrusions.

Document Details

Document Type: Technical Report
Publication Date: May 01, 2002
Accession Number: ADA461216

Entities

People

  • Adam G. Pennington
  • Craig A. Soules
  • Garth R. Goodson
  • Gregory R. Ganger
  • John D. Strunk

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber
  • Energy and Power Technologies

DTIC Thesaurus Topics

  • Abstracts
  • Boundaries
  • Computers
  • Detection
  • Device Drivers
  • Information Operations
  • Intrusion
  • Intrusion Detection
  • Operating Systems
  • Recovery
  • Security
  • Servers (Computer Hardware)
  • Standards

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Educational Psychology
  • Parallel and Distributed Computing