Storage-Based Intrusion Detection

Storage-based intrusion detection consists of storage systems watching for and identifying data access patterns characteristic of system intrusions. Storage systems can spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. For example, examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. Further, an Intrusion Detection System (IDS) embedded in a storage device continues to operate even after client operating systems are compromised. We describe and evaluate a prototype storage IDS, built into a disk emulator, to demonstrate both the feasibility and the efficiency of storage-based intrusion detection. In particular, both the performance overhead (< 1%) and the memory required (1.62MB for 13995 rules) are minimal.
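
The abstract describes a storage IDS that matches rules against the requests a storage device sees. The following is an added illustration, not the paper's prototype or its rule language: a small rule engine in the style of file-integrity checkers that flags writes to protected system binaries (Trojan horse or backdoor installation) and non-append writes to audit logs (log tampering). The rule set, the request schema and the request stream are constructed for the example; since a storage device sees only requests and not the process or user behind them, the rules are expressed over paths, operations and byte offsets.

```python
# Added example (not the paper's prototype): a minimal rule engine of the kind a
# storage-embedded IDS could run. It inspects storage requests only, so it keeps
# working after the client OS is compromised; all paths, patterns and the
# request stream below are constructed for illustration.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Iterable, List


@dataclass(frozen=True)
class StorageRequest:
    """One request as seen by the storage device (constructed schema)."""
    op: str            # "write", "truncate", "create" or "unlink"
    path: str          # file the request targets
    offset: int = 0    # byte offset of a write
    length: int = 0    # bytes written
    cur_size: int = 0  # file size the device holds before applying the request


@dataclass(frozen=True)
class Rule:
    pattern: str   # fnmatch-style glob matched against the request path
    kind: str      # "immutable" (no change at all) or "append_only"
    reason: str    # what an alert on this rule indicates


# Assumed rule set in the style of file-integrity checkers: system binaries
# must never change or gain new entries (backdoors, Trojan horses), audit logs
# may only grow at their end (log tampering).
RULES = [
    Rule("/bin/*", "immutable", "system binary modified or added"),
    Rule("/sbin/*", "immutable", "system binary modified or added"),
    Rule("/var/log/auth.log", "append_only", "audit log tampering"),
    Rule("/var/log/wtmp", "append_only", "login record tampering"),
]

MUTATING_OPS = {"write", "truncate", "create", "unlink"}


def check_request(req: StorageRequest, rules: Iterable[Rule] = RULES) -> List[str]:
    """Return one alert string per violated rule for a single request."""
    alerts = []
    for rule in rules:
        if not fnmatch(req.path, rule.pattern):
            continue
        if rule.kind == "immutable" and req.op in MUTATING_OPS:
            alerts.append(f"{rule.reason}: {req.op} {req.path}")
        elif rule.kind == "append_only":
            # Anything other than a write starting exactly at the current end
            # of file rewrites or removes history: truncation, unlink, or an
            # in-place overwrite of earlier bytes.
            if req.op in ("truncate", "unlink"):
                alerts.append(f"{rule.reason}: {req.op} {req.path}")
            elif req.op == "write" and req.offset < req.cur_size:
                alerts.append(
                    f"{rule.reason}: overwrite at offset {req.offset} "
                    f"of {req.cur_size}-byte {req.path}"
                )
    return alerts


def scan(requests: Iterable[StorageRequest], rules: Iterable[Rule] = RULES) -> List[str]:
    """Run every request through the rules and collect all alerts in order."""
    alerts = []
    for req in requests:
        alerts.extend(check_request(req, rules))
    return alerts


# Constructed request stream: a normal log append and a user file write, mixed
# with four requests typical of log tampering and binary replacement.
SAMPLE_REQUESTS = [
    StorageRequest("write", "/var/log/auth.log", offset=4096, length=120, cur_size=4096),
    StorageRequest("write", "/var/log/auth.log", offset=0, length=4096, cur_size=4096),
    StorageRequest("truncate", "/var/log/wtmp", cur_size=8192),
    StorageRequest("write", "/sbin/sshd", offset=0, length=65536, cur_size=65536),
    StorageRequest("create", "/bin/.rootsh"),
    StorageRequest("write", "/home/alice/notes.txt", offset=0, length=80, cur_size=80),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print("ALERT", alert)
```

Running the block flags four of the six requests; the genuine log append (a write starting at the current end of file) and the write to a user file pass without an alert. A real device-resident IDS would also have to map block-level writes back to files and offsets, which this request-level schema takes as given.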
