PDL Abstract

Storage-Based Intrusion Detection

ACM Transactions on Information and System Security, Vol. 13, No. 4, Article 30, Pub. December 2010.

Adam G. Pennington, John Linwood Griffin, John S. Bucy, John D. Strunk, Gregory R. Ganger

Dept. Electrical and Computer Engineering
Carnegie Mellon University
Pittsburgh, PA 15213

Storage-based intrusion detection consists of storage systems watching for and identifying data access patterns characteristic of system intrusions. Storage systems can spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. For example, examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. Further, an Intrusion Detection System (IDS) embedded in a storage device continues to operate even after client operating systems are compromised. We describe and evaluate a prototype storage IDS, built into a disk emulator, to demonstrate both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead (< 1%) and memory required (1.62MB for 13995 rules) are minimal.