Storage-Based Intrusion Detection

Q Engineering

ACM Transactions on Information and System Security Pub Date : 2010-12-01 DOI:10.1145/1880022.1880024

Adam G. Pennington, J. Griffin, John S. Bucy, J. Strunk, G. Ganger

引用次数: 23

Abstract

Storage-based intrusion detection consists of storage systems watching for and identifying data access patterns characteristic of system intrusions. Storage systems can spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. For example, examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. Further, an Intrusion Detection System (IDS) embedded in a storage device continues to operate even after client operating systems are compromised. We describe and evaluate a prototype storage IDS, built into a disk emulator, to demonstrate both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead (< 1%) and memory required (1.62MB for 13995 rules) are minimal.

查看原文本刊更多论文

基于存储的入侵检测

基于存储的入侵检测是指存储系统监视和识别系统入侵的数据访问模式特征。存储系统可以发现几种常见的入侵者行为，例如添加后门、插入特洛伊木马和篡改审计日志。例如，对18个真实入侵工具的检查显示，大多数(15)可以根据它们对存储文件的更改来检测。此外，嵌入在存储设备中的入侵检测系统(IDS)即使在客户端操作系统受到威胁后也能继续运行。我们描述并评估了一个内置在磁盘模拟器中的存储IDS原型，以证明基于存储的入侵检测的可行性和效率。特别是，性能开销(< 1%)和所需内存(13995条规则1.62MB)都是最小的。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Information and System Security 工程技术-计算机：信息系统

CiteScore

4.50

自引率

0.00%

发文量

审稿时长

3.3 months

期刊介绍： ISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.