FABS: file and block surveillance system for determining anomalous disk accesses

Despite increasingly sophisticated security measures, attackers continue to find ways to reach stored data, with impacts that include disclosure, modification and deletion. No existing tool monitors storage activity independently of the operating system. The authors introduce FABS, a tool that monitors storage for anomalous file and block accesses, together with VisFlowConnect-SS, a scalable GUI prototype that presents storage accesses visually to human operators. The goal is an integrated storage-based monitoring system that provides intrusion detection, limits attack damage and supports post-attack forensic analysis.
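
As an added example that is not part of the paper or the FABS implementation, the following Python sketch shows the kind of storage-access anomaly detection the abstract describes: it learns a baseline of which processes touch which files and with what operations from a known-good trace, then flags later accesses that deviate. The trace format, the three rules (a known file touched by a new process, an unexpected write or delete on a known file, a burst of accesses from one process), and every process name and path are constructed assumptions for illustration only.

```python
"""Toy storage-access anomaly detector.

Added example, not the FABS implementation. The trace format, the three
detection rules and all process names and paths are assumptions for
illustration only.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    ts: float   # seconds since trace start
    proc: str   # process that issued the access
    op: str     # "read", "write" or "delete"
    path: str   # file touched


def parse_trace(text):
    """Parse constructed 'ts proc op path' lines; '#' starts a comment."""
    accesses = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proc, op, path = line.split(maxsplit=3)
        accesses.append(Access(float(ts), proc, op, path))
    return accesses


class Baseline:
    """What was observed during a known-good training window."""

    def __init__(self, accesses, window=60.0):
        self.window = window
        self.procs_by_path = defaultdict(set)   # path -> processes that touched it
        self.ops_by_path = defaultdict(set)     # path -> operations seen on it
        per_window = Counter()                  # (proc, window index) -> count
        for a in accesses:
            self.procs_by_path[a.path].add(a.proc)
            self.ops_by_path[a.path].add(a.op)
            per_window[(a.proc, int(a.ts // window))] += 1
        # Busiest window any single process produced while training.
        self.max_rate = max(per_window.values(), default=0)


def detect(baseline, accesses, burst_factor=3):
    """Return (reason, access) pairs for accesses that deviate from the baseline."""
    alerts = []
    per_window = Counter()
    for a in accesses:
        if a.path in baseline.procs_by_path:
            # Rule 1: a known file is touched by a process that never touched it in training.
            if a.proc not in baseline.procs_by_path[a.path]:
                alerts.append(("new-process", a))
            # Rule 2: a non-read operation the file never saw in training.
            if a.op != "read" and a.op not in baseline.ops_by_path[a.path]:
                alerts.append(("unexpected-" + a.op, a))
        # Rule 3: one process exceeds burst_factor x the busiest training window.
        key = (a.proc, int(a.ts // baseline.window))
        per_window[key] += 1
        if per_window[key] == burst_factor * baseline.max_rate + 1:  # fires once per window
            alerts.append(("burst", a))
    return alerts


# Constructed traces: a quiet training period, then a period with two attacks
# (a web server writing /etc/passwd, and a process mass-deleting user files).
TRAINING_TRACE = """
0.0 sshd   read  /etc/passwd
1.0 httpd  read  /var/www/index.html
2.0 httpd  read  /var/www/index.html
3.0 mysqld read  /var/lib/mysql/ibdata1
4.0 mysqld write /var/lib/mysql/ibdata1
5.0 sshd   read  /etc/ssh/sshd_config
"""

TEST_TRACE = """
100.0 httpd read   /var/www/index.html
101.0 httpd write  /etc/passwd
102.0 wiper delete /home/alice/doc1
103.0 wiper delete /home/alice/doc2
104.0 wiper delete /home/alice/doc3
105.0 wiper delete /home/alice/doc4
106.0 wiper delete /home/alice/doc5
107.0 wiper delete /home/alice/doc6
108.0 wiper delete /home/alice/doc7
"""


def example():
    """Train on TRAINING_TRACE, scan TEST_TRACE, return compact alert tuples."""
    baseline = Baseline(parse_trace(TRAINING_TRACE))
    return [(reason, a.proc, a.op, a.path)
            for reason, a in detect(baseline, parse_trace(TEST_TRACE))]


if __name__ == "__main__":
    for alert in example():
        print(alert)
```

Running `example()` yields three alerts: the `httpd` write to `/etc/passwd` trips both the new-process and unexpected-write rules, and the seventh delete by `wiper` in one window trips the burst rule. The rules are deliberately simple; a real storage-based monitor of the kind the abstract describes would sit below the operating system so that a compromised host cannot disable it, and would tune the burst threshold per process rather than using one global maximum.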
