Adam G. Pennington
John Linwood Griffin
Skip Abstract Section
Abstract
Storage-based intrusion detection consists of storage systems watching for and identifying data access patterns characteristic of system intrusions. Storage systems can spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. For example, examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. Further, an Intrusion Detection System (IDS) embedded in a storage device continues to operate even after client operating systems are compromised. We describe and evaluate a prototype storage IDS, built into a disk emulator, to demonstrate both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead (< 1%) and memory required (1.62MB for 13995 rules) are minimal.
- Axelsson, S. 1998. Research in intrusion-detection systems: A survey. Tech. rep. 98--17, Department of Computer Engineering, Chalmers University of Technology.Google Scholar
- Banikazemi, M., Poff, D., and Abali, B. 2005. Storage-based intrusion detection for storage area networks (SANs). In Proceedings of the IEEE Symposium on Mass Storage Systems. IEEE Computer Society, 118--127. Google ScholarDigital Library
- Bishop, M. and Dilger, M. 1996. Checking for race conditions in file accesses. Comput. Syst. 9, 2, 131--152.Google Scholar
- Butler, K. R. B., McLaughlin, S., and McDaniel, P. D. 2008. Rootkit-resistant disks. In Proceedings of the Conference on Computer and Communications Security (CCS’08). ACM, 403--416. Google ScholarDigital Library
- Card, R., Ts’o, T., and Tweedie, S. 1994. Design and implementation of the second extended file system. In Proceedings of the 1st Dutch International Symposium on Linux.Google Scholar
- Castro, M. and Liskov, B. 2000. Proactive recovery in a byzantine-fault-tolerant system. In Proceedings of the Symposium on Operating Systems Design and Implementation. USENIX Association, 273--287. Google ScholarDigital Library
- Chen, P. M. and Noble, B. D. 2001. When virtual is better than real. In Proceedings of the Conference on Hot Topics in Operating Systems. IEEE Computer Society, 133--138. Google ScholarDigital Library
- Cheswick, B. and Bellovin, S. 1994. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading, MA. Google ScholarDigital Library
- Denning, D. 1987. An intrusion-detection model. IEEE Trans. Softw. Engin. SE-13, 2, 222--232. Google ScholarDigital Library
- Denning, D. E. 1999. Information Warfare and Security. Addison-Wesley, Reading, MA. Google ScholarDigital Library
- Farmer, D. 2000. What are MACtimes? Dr. Dobb’s J. 25, 10, 68--74.Google Scholar
- Forrest, S., Hofmeyr, S. A., Somayaji, A., and Longstaff, T. A. 1996. A sense of self for UNIX processes. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 120--128. Google ScholarDigital Library
- Ganger, G. R. and Nagle, D. F. 2001. Better security via smarter devices. In Proceedings of the Conference on Hot Topics in Operating Systems. IEEE, 100--105. Google ScholarDigital Library
- Ganger, G. R., Economou, G., and Bielski, S. M. 2003. Finding and containing enemies within the walls with self-securing network interfaces. Tech. rep. CMU-CS-03-109, Carnegie Mellon University.Google Scholar
- Garfinkel, T. and Rosenblum, M. 2003. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS’03). The Internet Society.Google Scholar
- Gibson, G. A., Nagle, D. F., Amiri, K., Butler, J., Chang, F. W., Gobioff, H., Hardin, C., Riedel, E., Rochberg, D., and Zelenka, J. 1998. A cost-effective, high-bandwidth storage architecture. SIGPLAN Not. 33, 11, 92--103. Google ScholarDigital Library
- Gobioff, H. 1999. Security for a high performance commodity storage subsystem. Ph.D. thesis, School of Computer Science, Carnegie Mellon University. Google ScholarDigital Library
- Griffin, J. L. 2004. Timing-accurate storage emulation: Evaluating hypothetical storage components in real computers. Ph.D. thesis, Carnegie Mellon University. Google ScholarDigital Library
- Howard, J. H., Kazar, M. L., Menees, S. G., Nichols, D. A., Satyanarayanan, M., Sidebotham, R. N., and West, M. J. 1988. Scale and performance in a distributed file system. ACM Trans. Comput. Syst. 6, 1, 51--81. Google ScholarDigital Library
- Huang, Y. N., Kintala, C. M. R., Bernstein, L., and Wang, Y. M. 1996. Components for software fault-tolerance and rejuvenation. AT&T Bell Lab. Tech. J. 75, 2, 29--37.Google ScholarCross Ref
- Katcher, J. 1997. Postmark: A new file system benchmark. Tech. rep. TR3022, Network Appliance.Google Scholar
- Kim, G. H. and Spafford, E. H. 1994. The design and implementation of Tripwire: A file system integrity checker. In Proceedings of the Conference on Computer and Communications Security (CCS’94). ACM, 18--29. Google ScholarDigital Library
- Ko, C., Ruschitzka, M., and Levitt, K. 1997. Execution monitoring of security-critical pro- grams in distributed systems: A specification-based approach. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 175--187. Google ScholarDigital Library
- Kumar, P. and Satyanarayanan, M. 1995. Flexible and safe resolution of file conflicts. In Proceedings of the USENIX Annual Technical Conference. USENIX Association, 95--106. Google ScholarDigital Library
- Lemos, R. 2002. Putting fun back into hacking. http://zdnet.com/100-1105-948404.html.Google Scholar
- Liu, P., Jajodia, S., and McCollum, C. D. 2000. Intrusion confinement by isolation in infor- mation systems. In Proceedings of the IFIP Working Conference on Database Security. IFIP, 3--18. Google ScholarDigital Library
- Lunt, T. F. and Jagannathan, R. 1988. A prototype real-time intrusion-detection expert system. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 59--66.Google Scholar
- NFR 2002. Nfr security. http://www.nfr.net/.Google Scholar
- Packetstorm 2009. Packet storm security. http://www.packetstormsecurity.org/.Google Scholar
- Paul, N., Gurumurthi, S., and Evans, D. 2005. Towards disk-level malware detection. In Proceedings of the CoBaSSA -- Workshop on Code Based Software Security Assessments.Google Scholar
- Paul, N. R. 2008. Disk-level behavioral malware detection. Ph.D. thesis, University of Virginia. Google ScholarDigital Library
- Paxson, V. 1998. Bro: A system for detecting network intruders in real-time. In Proceedings of the USENIX Security Symposium. USENIX Association, 31--51. Google ScholarDigital Library
- Payne, B. D., de A. Carbone, M. D. P., and Lee, W. 2007. Secure and flexible monitoring of virtual machines. In Proceedings of the Computer Security Applications Conference (ACSAC’07). IEEE, 385--397.Google Scholar
- Pennington, A. G., Strunk, J. D., Griffin, J. L., Soules, C. A.N., Goodson, G. R., and Ganger, G. R. 2003. Storage-based intrusion detection: Watching storage activity for suspicious behavior. In Proceedings of the USENIX Security Symposium. Google ScholarDigital Library
- Porras, P. A. and Neumann, P. G. 1997. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the National Information Systems Security Conference. 353--365.Google Scholar
- Purczynski, W. 2002. Gnu fileutils -- Recursive directory removal race condition. http://www.mail-archive.com/[email protected]/msg01537.html.Google Scholar
- Samar, V. and Schemers III, R. J. 1995. Unified login with pluggable authentication modules (PAM). Tech. rep., Open Software Foundation RFC 86.0, Open Software Foundation.Google Scholar
- Scambray, J., McClure, S., and Kurtz, G. 2001. Hacking Exposed: Network Security Secrets and Solutions. Osborne/McGraw-Hill. Google ScholarDigital Library
- Schneier, B. and Kelsey, J. 1999. Secure audit logs to support computer forensics. ACM Trans. Inf. Syst. Secur. 2, 2, 159--176. Google ScholarDigital Library
- Sivathanu, M., Prabhakaran, V., Popovici, F. I., Denehy, T. E., Arpaci-Dusseau, A. C., and Arpaci-Dusseau, R. H. 2003. Semantically smart disk systems. In Proceedings of the Conference on File and Storage Technologies. USENIX Association, 73--88. Google ScholarDigital Library
- Strom, R. 2008. Emc Celerra family technical review. http://www.emc.com/pdf/partnersalliances/einfo/McAfee_netshield.pdf.Google Scholar
- Strunk, J. D., Goodson, G. R., Scheinholtz, M. L., Soules, C. A. N., and Ganger, G. R. 2000. Self-securing storage: Protecting data in compromised systems. In Proceedings of the Symposium on Operating Systems Design and Implementation. USENIX Association, 165--180. Google ScholarDigital Library
- Sugerman, J., Venkitachalam, G., and Lim, B.-H. 2001. Virtualizing I/O devices on vmware workstation’s hosted virtual machine monitor. In Proceedings of the USENIX Annual Technical Conference. USENIX Association, 1--14. Google ScholarDigital Library
- Sureshkumar, N. 2009. Antivirus scanning best practices guide. Tech. rep., Network Appliance Inc. http://media.netapp.com/documents/tr-3107.pdfGoogle Scholar
- Terry, D. B., Theimer, M. M., Petersen, K., Demers, A. J., Spreitzer, M. J., and Hauser, C. H. 1995. Managing update conflicts in Bayou, a weakly connected replicated storage system. Oper. Syst. Rev. 29, 5. Google ScholarDigital Library
- Tripwire. 2002. Tripwire open souce 2.3.1. http://ftp4.sf.net/sourceforge/tripwire/tripwire-2.3.1-2.tar.gz.Google Scholar
- Vaidyanathan, K., Harper, R. E., Hunter, S. W., and Trivedi, K. S. 2002. Analysis and implementation of software rejuvenation in cluster systems. Perform. Eval. Rev. 29, 1, 62--71. Google ScholarDigital Library
- Weber, R. O. 2004. Scsi object-based storage device commands (osd). ftp://ftp.t10.org/t10/drafts/osd/osd-r10.pdf.Google Scholar
- Zhang, X., van Doorn, L., Jaeger, T., Perez, R., and Sailer, R. 2002. Secure coprocessor- based intrusion detection. In Proceedings of the ACM SIGOPS European Workshop. ACM. Google ScholarDigital Library
- Zhang, Y. and Wang, D. 2006. Research on object-storage-based intrusion detection. In Proceedings of the 12th International Conference on Parallel and Distributed Systems (ICPADS’06). IEEE Computer Society, 68--78. Google ScholarDigital Library
Index Terms
- Storage-Based Intrusion Detection
Recommendations
Intrusion Detection for Object-Based Storage System
ICYCS '08: Proceedings of the 2008 The 9th International Conference for Young Computer ScientistsSince storage systems can see changes to persistent data on them, some types of intrusions can be detected by storage systems. Storage-based intrusion detection system (SIDS) has become a valuable tool in monitoring for the intrusion. However, the ...
Rule generalisation in intrusion detection systems using SNORT
Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS's responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this ...
Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion
In this article, the authors describe common intrusion detection techniques, NIDS evasion methods, and how NIDSs detect intrusions. Additionally, we introduce new evasion methods, present test results for confirming attack outcomes based on server ...
Comments