ABSTRACT

    Carnegie Mellon University Technical Report CMU-CS-02-140, May 2002.

    Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage

    John D. Strunk, Garth R. Goodson, Adam G. Pennington, Craig A.N. Soules, Gregory R. Ganger

    Electrical and Computer Engineering
    Carnegie Mellon University
    Pittsburgh, PA 15213

    http://www.pdl.cmu.edu/

    Self-securing storage turns storage devices into active parts of an intrusion survival strategy. From behind a thin storage interface (e.g., SCSI or CIFS), a self-securing storage server can watch storage requests, keep a record of all storage activity, and prevent compromised clients from destroying stored data. This paper describes three ways self-securing storage enhances an administrator’s ability to detect, diagnose, and recover from client system intrusions. First, storage-based intrusion detection offers a new observation point for noticing suspect activity. Second, post-hoc intrusion diagnosis starts with a plethora of normally-unavailable information. Finally, post-intrusion recovery is reduced to restarting the system with a pre-intrusion storage image retained by the server. Combined, these features can improve an organization’s ability to survive successful digital intrusions.

    FULL PAPER: pdf / postscript


    PDL Home Publications Home

    © 2008.
    Last updated 10 November, 2004