PARALLEL DATA LAB 

PDL Abstract

Storage-based Intrusion Detection: Watching storage activity for suspicious behavior

Carnegie Mellon University Technical Report CMU-CS-02-179, September 2002. Superseded by Proceedings of the 12th USENIX Security Symposium, Washington, D.C., Aug 4-8, 2003.

Adam G. Pennington, John D. Strunk, John Linwood Griffin, Craig A.N. Soules,
Garth R. Goodson, Gregory R. Ganger

Electrical and Computer Engineering
Carnegie Mellon University
Pittsburgh, PA 15213

http://www.pdl.cmu.edu/

Storage-based intrusion detection allows storage systems to transparently watch for suspicious activity. Storage systems are well-positioned to spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. Further, an intrusion detection system (IDS) embedded in a storage device continues to operate even after client systems are compromised. This paper describes a number of specific warning signs visible at the storage interface. It describes and evaluates a storage IDS, embedded in an NFS server, demonstrating both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead and memory required (40 KB for a reasonable set of rules) are minimal. With small extensions, storage IDSs can also be embedded in block-based storage devices.
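To make the "warning signs visible at the storage interface" concrete, here is an added illustration (not code from the paper or from the PDL prototype) of a storage IDS rule check: it runs a constructed trace of NFS-style requests through three assumed rules, append-only audit logs, immutable system binaries, and no setuid bit, and reports each violation. The request schema, path prefixes and client addresses are assumptions for this example only.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed request schema as an NFS server might observe it
# (an assumption for this example, not the paper's data structures).
@dataclass(frozen=True)
class StorageOp:
    client: str
    op: str            # "write", "truncate", "create", "setattr", "read"
    path: str
    offset: int = 0    # byte offset of a write
    size: int = 0      # bytes written, or new length for truncate
    mode: int = 0      # new permission bits for setattr

# Example rule set (assumed for this illustration):
#  - everything under /var/log/ is append-only (audit-log tampering)
#  - system binaries and account files must not change (Trojan horses)
#  - no file may be given the setuid bit (a common backdoor)
APPEND_ONLY = ("/var/log/",)
IMMUTABLE = ("/bin/", "/sbin/", "/etc/passwd", "/etc/shadow")
MUTATING = {"write", "truncate", "create", "setattr"}
S_ISUID = 0o4000

def check(op: StorageOp, log_len: dict) -> Optional[str]:
    """Return an alert string if op violates a rule, else None.
    log_len tracks the current length of each append-only file."""
    if op.op in MUTATING and op.path.startswith(IMMUTABLE):
        return f"modification of protected file {op.path} by {op.client}"
    if op.op == "setattr" and op.mode & S_ISUID:
        return f"setuid bit set on {op.path} by {op.client}"
    if op.path.startswith(APPEND_ONLY):
        end = log_len.get(op.path, 0)
        if op.op == "truncate" and op.size < end:
            return f"audit log {op.path} truncated from {end} to {op.size} by {op.client}"
        if op.op == "write" and op.offset < end:
            return f"non-append write to audit log {op.path} at {op.offset} by {op.client}"
        if op.op == "write":              # legitimate append: advance the tracked end
            log_len[op.path] = op.offset + op.size
    return None

def scan(ops) -> list:
    """Run every request through the rule set in order; return the alerts raised."""
    log_len: dict = {}
    return [a for a in (check(o, log_len) for o in ops) if a]

SAMPLE_OPS = [  # constructed sample trace: two benign appends, then four violations
    StorageOp("10.0.0.5", "write", "/var/log/auth.log", offset=0, size=4096),
    StorageOp("10.0.0.5", "write", "/var/log/auth.log", offset=4096, size=512),
    StorageOp("10.0.0.9", "write", "/var/log/auth.log", offset=1024, size=200),
    StorageOp("10.0.0.9", "truncate", "/var/log/auth.log", size=0),
    StorageOp("10.0.0.9", "write", "/bin/login", offset=0, size=65536),
    StorageOp("10.0.0.9", "setattr", "/tmp/.x", mode=0o4755),
]
```

Because the server keeps its own view of each log's length, a client that has been compromised cannot talk the rule out of firing; that is the property the abstract refers to when it says the IDS keeps operating after clients are compromised.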

KEYWORDS: Intrusion detection, IDS, virus detection, computer security.

FULL PAPER, TR VERSION pdf / postscript
FULL PAPER, CONFERENCE VERSION pdf / postscript