Storage-based Intrusion Detection: Watching storage activity for suspicious behavior
Proceedings of 12th USENIX Security Symposium, Washington, D.C., Aug 4-8, 2003. Supercedes Carnegie Mellon University SCS Technical Report CMU-CS-02-179, September 2002.
Adam G. Pennington, John D. Strunk, John Linwood Griffin, Craig A.N.
Garth R. Goodson, Gregory R. Ganger
Electrical and Computer Engineering
Carnegie Mellon University
Pittsburgh, PA 15213
Storage-based intrusion detection allows storage systems to watch for data modifications characteristic of system in-trusions. This enables storage systems to spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. Further, an intrusion detection system (IDS) embedded in a storage device continues to operate even after client systems are compromised. This paper describes a number of specific warning signs visible at the storage interface. Examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. We describe and evaluate a prototype storage IDS, embedded in an NFS server, to demonstrate both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead and memory required (152 KB for 4730 rules) are minimal..
KEYWORDS: Intrusion detection, IDS, virus detection, computer security.