Abstract | ||
---|---|---|
Storage-based intrusion detection allows storage systems to watch for data modifications characteristic of system intrusions. This enables storage systems to spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. Further, an intrusion detection system (IDS) embedded in a storage device continues to operate even after client systems are compromised. This paper describes a number of specific warning signs visible at the storage interface. Examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. We describe and evaluate a prototype storage IDS, embedded in an NFS server, to demonstrate both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead and memory required (152KB for 4730 rules) are minimal. |
Year | Venue | Keywords |
---|---|---|
2003 | USENIX Security | real intrusion tool,prototype storage ids,nfs server,suspicious behavior,client system,storage-based intrusion detection,storage system,storage activity,system intrusion,intrusion detection system,storage interface,storage device,computer viruses,intrusion detection,application programming interface,rule based systems |
Field | DocType | Citations |
Rule-based system,Host-based intrusion detection system,Information assurance,Computer science,Computer security,Computer virus,Anomaly-based intrusion detection system,Application programming interface,Trojan,Intrusion detection system,Operating system,Embedded system | Conference | 64 |
PageRank | References | Authors |
4.82 | 24 | 6 |
Name | Order | Citations | PageRank |
---|---|---|---|
Adam G. Pennington | 1 | 67 | 5.25 |
John D. Strunk | 2 | 538 | 47.56 |
John Linwood Griffin | 3 | 476 | 35.66 |
Craig A. N. Soules | 4 | 591 | 45.41 |
Garth R. Goodson | 5 | 679 | 43.14 |
Gregory R. Ganger | 6 | 4560 | 383.16 |