Block storage listener for detecting file-level intrusions

An intrusion detection system (IDS) is usually located and operated at the host, where it captures local suspicious events, or at an appliance that listens to the network activity. Providing an online IDS at the storage controller is essential for dealing with compromised hosts or coordinated attacks by multiple hosts. SAN block storage controllers are connected to the world via block-level protocols such as iSCSI and Fibre Channel. Block-level storage systems usually do not maintain information specific to the file system using them, so the range of threats that can be handled at the block level is limited. A file-system view at the controller, together with knowledge of which arriving block belongs to which file or inode, enables the detection of file-level threats. In this paper, we present IDStor, an IDS for block-based storage. IDStor acts as a listener to storage traffic, outside the controller's I/O path, and is therefore attractive for integration into existing SAN-based storage solutions. IDStor maintains a block-to-file mapping that is updated online. Using this mapping, IDStor infers the semantics of file-level commands from the intercepted block-level operations, thereby detecting file-level intrusions by merely observing the block read and write commands passing between the hosts and the controller.
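The idea of an out-of-path listener that keeps a block-to-file mapping current and turns raw block commands into file-level events, as an added example that is not IDStor's code. It assumes a constructed toy on-disk layout (a directory block and an inode-table block with fixed-size entries) and a hypothetical list of watched file names whose modification should be reported.

```python
import struct

# Constructed toy layout (an assumption, not a real file system format):
# block 0: directory, 16-byte entries  = inode number (uint32) + 12-byte name
# block 1: inode table, 20-byte entries = inode number (uint32) + 4 data block pointers (0 = unused)
DIR_BLOCK, INODE_BLOCK = 0, 1
DIR_ENTRY = struct.Struct("<I12s")
INODE_ENTRY = struct.Struct("<I4I")


class BlockListener:
    """Sits beside the controller: rebuilds inode->name and block->inode maps whenever
    a metadata block is written, then maps later data-block commands back to files."""

    def __init__(self, watched):
        self.watched = set(watched)      # hypothetical policy: file names to alert on
        self.inode_to_name, self.block_to_inode, self.alerts = {}, {}, []

    def _parse_dir(self, data):
        usable = data[: len(data) - len(data) % DIR_ENTRY.size]
        self.inode_to_name = {ino: raw.rstrip(b"\0").decode()
                              for ino, raw in DIR_ENTRY.iter_unpack(usable) if ino}

    def _parse_inodes(self, data):
        usable = data[: len(data) - len(data) % INODE_ENTRY.size]
        self.block_to_inode = {blk: ino for ino, *ptrs in INODE_ENTRY.iter_unpack(usable)
                               for blk in ptrs if blk}

    def observe(self, op, block, data=b""):
        """Feed one intercepted block command; op is 'R' (read) or 'W' (write)."""
        if op == "W" and block == DIR_BLOCK:
            self._parse_dir(data)
            return "dir-update"
        if op == "W" and block == INODE_BLOCK:
            self._parse_inodes(data)
            return "inode-update"
        ino = self.block_to_inode.get(block)
        if ino is None:                  # block not owned by any known inode
            return f"{op} unmapped block {block}"
        name = self.inode_to_name.get(ino, f"inode#{ino}")
        if op == "W" and name in self.watched:
            self.alerts.append(f"write to watched file {name} via block {block}")
        return f"{op} {name}"


def demo():
    """Constructed command stream: metadata writes first, then data traffic."""
    lst = BlockListener(watched={"passwd"})
    dir_blk = DIR_ENTRY.pack(2, b"passwd") + DIR_ENTRY.pack(3, b"notes.txt")
    ino_blk = INODE_ENTRY.pack(2, 10, 11, 0, 0) + INODE_ENTRY.pack(3, 12, 0, 0, 0)
    events = [lst.observe("W", DIR_BLOCK, dir_blk), lst.observe("W", INODE_BLOCK, ino_blk),
              lst.observe("R", 12), lst.observe("W", 11, b"root:x:0:0:..."), lst.observe("W", 99)]
    return events, lst.alerts
```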
