Storage-Based Intrusion Detection

Published: 01 December 2010

Abstract

Storage-based intrusion detection consists of storage systems watching for and identifying data access patterns characteristic of system intrusions. Storage systems can spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. For example, examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. Further, an Intrusion Detection System (IDS) embedded in a storage device continues to operate even after client operating systems are compromised. We describe and evaluate a prototype storage IDS, built into a disk emulator, to demonstrate both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead (< 1%) and memory required (1.62MB for 13995 rules) are minimal.
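A toy model of the rule checking the abstract describes, added here as an example (it is not the paper's prototype): a simulated disk checks each incoming write against per-file rules, flagging any non-append write to an audit log and any write at all to a protected binary. The file paths, rule names and the replayed write stream are constructed for illustration.

```python
from dataclasses import dataclass, field
# Constructed storage-level IDS (not the paper's prototype); paths and rules are made up.
IMMUTABLE = "immutable"      # e.g. system binaries: any write looks like a Trojan horse
APPEND_ONLY = "append-only"  # e.g. audit logs: a write may only extend the file

@dataclass
class Write:          # what the storage device sees: target object, offset, bytes
    path: str
    offset: int
    data: bytes

@dataclass
class StorageIDS:
    rules: dict                                 # path -> rule name
    files: dict = field(default_factory=dict)   # simulated disk: path -> contents
    alerts: list = field(default_factory=list)

    def handle_write(self, w: Write) -> bool:
        """Apply one write; return True if it broke a rule (alert recorded)."""
        # The check lives in the storage device, so a compromised client OS cannot
        # bypass it by disabling host-side logging or integrity checks.
        current = self.files.get(w.path, b"")
        rule = self.rules.get(w.path)
        violation = None
        if rule == IMMUTABLE:
            violation = f"write to immutable file {w.path}"
        elif rule == APPEND_ONLY and w.offset != len(current):
            violation = f"non-append write to audit log {w.path} at offset {w.offset}"
        # Apply the write regardless (detect and alert, do not block); short files are zero-padded.
        end = w.offset + len(w.data)
        self.files[w.path] = current[:w.offset].ljust(w.offset, b"\0") + w.data + current[end:]
        if violation:
            self.alerts.append(violation)
        return violation is not None

def run_demo() -> list:
    """Replay a constructed write stream and return the alerts it raises."""
    ids = StorageIDS(
        rules={"/bin/login": IMMUTABLE, "/var/log/auth.log": APPEND_ONLY},
        files={"/bin/login": b"ELF...", "/var/log/auth.log": b"login ok\n"},
    )
    stream = [
        Write("/var/log/auth.log", 9, b"login failed\n"),  # legitimate append
        Write("/home/u/notes.txt", 0, b"hi"),              # file with no rule
        Write("/var/log/auth.log", 0, b"xxxxxxxx\n"),      # overwrite: log tampering
        Write("/bin/login", 0, b"ELF+backdoor"),           # binary replaced
    ]
    for w in stream:
        ids.handle_write(w)
    return ids.alerts
```

Running `run_demo()` yields two alerts, one for the log overwrite and one for the binary replacement, while the legitimate append and the unmonitored file pass silently.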

Published In

ACM Transactions on Information and System Security, Volume 13, Issue 4
December 2010
412 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1880022
Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 December 2010
Accepted: 01 August 2009
Revised: 01 July 2009
Received: 01 April 2008
Published in TISSEC Volume 13, Issue 4

Author Tags

  1. Storage
  2. intrusion detection

Qualifiers

  • Research-article
  • Research
  • Refereed
