Storage-based intrusion detection

ACM Transactions on Information and System Security

Volumn 13, Issue 4, 2010, Pages

  Pennington, Adam G ^a   Griffin, John Linwood ^a   Bucy, John S ^a   Strunk, John D ^a   Ganger, Gregory R ^a  

^a Carnegie Mellon University   (United States)

Author keywords

Intrusion detection; Storage

Indexed keywords

AUDIT LOGS; BACKDOORS; DATA ACCESS PATTERNS; INTRUSION DETECTION SYSTEMS; OPERATING SYSTEMS; STORAGE; STORAGE DEVICES; STORAGE SYSTEMS; STORAGE-BASED INTRUSION DETECTION; TROJAN HORSE;

COMPUTER CRIME; COMPUTER OPERATING SYSTEMS; EMBEDDED SYSTEMS;

INTRUSION DETECTION;

EID: 78651392217     PISSN: 10949224     EISSN: 15577406     Source Type: Journal    
DOI: 10.1145/1880022.1880024     Document Type: Article

References (50)

1. AXELSSON, S. 1998. Research in intrusion-detection systems: A survey. Tech. rep. 98-17, Department of Computer Engineering, Chalmers University of Technology.
2. BANIKAZEMI, M., POFF, D., AND ABALI, B. 2005. Storage-based intrusion detection for storage area networks (SANs). In Proceedings of the IEEE Symposium on Mass Storage Systems. IEEE Computer Society, 118-127.
3. BISHOP, M. AND DILGER, M. 1996. Checking for race conditions in file accesses. Comput. Syst. 9, 2, 131-152.
4. BUTLER, K. R. B., MCLAUGHLIN, S., AND MCDANIEL, P. D. 2008. Rootkit-resistant disks. In Proceedings of the Conference on Computer and Communications Security (CCS'08). ACM, 403-416.
5. CARD, R., TS'O, T., AND TWEEDIE, S. 1994. Design and implementation of the second extended file system. In Proceedings of the 1st Dutch International Symposium on Linux.
6. CASTRO, M. AND LISKOV, B. 2000. Proactive recovery in a byzantine-fault-tolerant system. In Proceedings of the Symposium on Operating Systems Design and Implementation. USENIX Association, 273-287.
7. CHEN, P. M. AND NOBLE, B. D. 2001. When virtual is better than real. In Proceedings of the Conference on Hot Topics in Operating Systems. IEEE Computer Society, 133-138.
8. CHESWICK, B. AND BELLOVIN, S. 1994. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, Reading, MA.
9. DENNING, D. 1987. An intrusion-detection model. IEEE Trans. Softw. Engin. SE-13, 2, 222-232.
10. DENNING, D. E. 1999. Information Warfare and Security. Addison-Wesley, Reading, MA.
11. FARMER, D. 2000. What are MACtimes? Dr. Dobb's J. 25, 10, 68-74.
12. FORREST, S., HOFMEYR, S. A., SOMAYAJI, A., AND LONGSTAFF, T. A. 1996. A sense of self for UNIX processes. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 120-128.
13. GANGER, G. R. AND NAGLE, D. F. 2001. Better security via smarter devices. In Proceedings of the Conference on Hot Topics in Operating Systems. IEEE, 100-105.
14. GANGER, G. R., ECONOMOU, G., AND BIELSKI, S. M. 2003. Finding and containing enemies within the walls with self-securing network interfaces. Tech. rep. CMU-CS-03-109, Carnegie Mellon University.
15. GARFINKEL, T. AND ROSENBLUM, M. 2003. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS'03). The Internet Society.
16. GIBSON, G. A., NAGLE, D. F., AMIRI, K., BUTLER, J., CHANG, F. W., GOBIOFF, H., HARDIN, C., RIEDEL, E., ROCHBERG, D., AND ZELENKA, J. 1998. A cost-effective, high-bandwidth storage architecture. SIGPLAN Not. 33, 11, 92-103.
17. GOBIOFF, H. 1999. Security for a high performance commodity storage subsystem. Ph.D. thesis, School of Computer Science, Carnegie Mellon University.
18. GRIFFIN, J. L. 2004. Timing-accurate storage emulation: Evaluating hypothetical storage components in real computers. Ph.D. thesis, Carnegie Mellon University.
19. HOWARD, J. H., KAZAR, M. L., MENEES, S. G., NICHOLS, D. A., SATYANARAYANAN, M., SIDEBOTHAM, R. N., AND WEST, M. J. 1988. Scale and performance in a distributed file system. ACM Trans. Comput. Syst. 6, 1, 51-81. (Pubitemid 18574134)
20. HUANG, Y. N., KINTALA, C. M. R., BERNSTEIN, L., AND WANG, Y. M. 1996. Components for software fault-tolerance and rejuvenation. AT&T Bell Lab. Tech. J. 75, 2, 29-37.
21. KATCHER, J. 1997. Postmark: A new file system benchmark. Tech. rep. TR3022, Network Appliance.
22. KIM, G. H. AND SPAFFORD, E. H. 1994. The design and implementation of Tripwire: A file system integrity checker. In Proceedings of the Conference on Computer and Communications Security (CCS'94). ACM, 18-29.
23. KO, C., RUSCHITZKA, M., AND LEVITT, K. 1997. Execution monitoring of security-critical programs in distributed systems: A specification-based approach. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 175-187.
24. KUMAR, P. AND SATYANARAYANAN, M. 1995. Flexible and safe resolution of file conflicts. In Proceedings of the USENIX Annual Technical Conference. USENIX Association, 95-106.
25. LEMOS, R. 2002. Putting fun back into hacking. http://zdnet.com/100-1105- 948404.html.
26. LIU, P., JAJODIA, S., AND MCCOLLUM, C. D. 2000. Intrusion confinement by isolation in information systems. In Proceedings of the IFIP Working Conference on Database Security. IFIP, 3-18.
27. LUNT, T. F. AND JAGANNATHAN, R. 1988. A prototype real-time intrusion-detection expert system. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 59-66.
28. NFR 2002. Nfr security. http://www.nfr.net/.
29. PACKETSTORM 2009. Packet storm security. http://www.packetstormsecurity. org/.
30. PAUL, N., GURUMURTHI, S., AND EVANS, D. 2005. Towards disk-level malware detection. In Proceedings of the CoBaSSA - Workshop on Code Based Software Security Assessments.
31. PAUL, N. R. 2008. Disk-level behavioral malware detection. Ph.D. thesis, University of Virginia.
32. PAXSON, V. 1998. Bro: A system for detecting network intruders in real-time. In Proceedings of the USENIX Security Symposium. USENIX Association, 31-51.
33. PAYNE, B. D., DE A. CARBONE, M. D. P., AND LEE, W. 2007. Secure and flexible monitoring of virtual machines. In Proceedings of the Computer Security Applications Conference (ACSAC'07). IEEE, 385-397.
34. PENNINGTON, A. G., STRUNK, J. D., GRIFFIN, J. L., SOULES, C. A.N., GOODSON, G. R., AND GANGER, G. R. 2003. Storage-based intrusion detection:Watching storage activity for suspicious behavior. In Proceedings of the USENIX Security Symposium.
35. PORRAS, P. A. AND NEUMANN, P. G. 1997. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the National Information Systems Security Conference. 353-365.
36. PURCZYNSKI, W. 2002. Gnu fileutils - Recursive directory removal race condition. http://www.mail-archive.com/bug-fileutils@gnu.org/msg01537.html.
37. SAMAR, V. AND SCHEMERS III, R. J. 1995. Unified login with pluggable authentication modules (PAM). Tech. rep., Open Software Foundation RFC 86.0, Open Software Foundation.
38. SCAMBRAY, J., MCCLURE, S., AND KURTZ, G. 2001. Hacking Exposed: Network Security Secrets and Solutions. Osborne/McGraw-Hill.
39. SCHNEIER, B. AND KELSEY, J. 1999. Secure audit logs to support computer forensics. ACM Trans. Inf. Syst. Secur. 2, 2, 159-176.
40. SIVATHANU, M., PRABHAKARAN, V., POPOVICI, F. I., DENEHY, T. E., ARPACI-DUSSEAU, A. C., AND ARPACI-DUSSEAU, R. H. 2003. Semantically smart disk systems. In Proceedings of the Conference on File and Storage Technologies. USENIX Association, 73-88.
41. STROM, R. 2008. Emc Celerra family technical review. http://www.emc.com/ pdf/partnersalliances/einfo/McAfee netshield.pdf.
42. STRUNK, J. D., GOODSON, G. R., SCHEINHOLTZ, M. L., SOULES, C. A. N., AND GANGER, G. R. 2000. Self-securing storage: Protecting data in compromised systems. In Proceedings of the Symposium on Operating Systems Design and Implementation. USENIX Association, 165-180.
43. SUGERMAN, J., VENKITACHALAM, G., AND LIM, B.-H. 2001. Virtualizing I/O devices on vmware workstation's hosted virtual machine monitor. In Proceedings of the USENIX Annual Technical Conference. USENIX Association, 1-14.
44. SURESHKUMAR, N. 2009. Antivirus scanning best practices guide. Tech. rep., Network Appliance Inc. http://media.netapp.com/documents/tr-3107.pdf
45. TERRY, D. B., THEIMER, M.M., PETERSEN, K.,DEMERS, A. J., SPREITZER, M. J., AND HAUSER, C. H. 1995. Managing update conflicts in Bayou, a weakly connected replicated storage system. Oper. Syst. Rev. 29, 5.
46. TRIPWIRE. 2002. Tripwire open souce 2.3.1. http://ftp4.sf.net/ sourceforge/tripwire/tripwire-2.3.1-2.tar.gz.
47. VAIDYANATHAN, K., HARPER, R. E., HUNTER, S. W., AND TRIVEDI, K. S. 2002. Analysis and implementation of software rejuvenation in cluster systems. Perform. Eval. Rev. 29, 1, 62-71.
48. WEBER, R. O. 2004. Scsi object-based storage device commands (osd). ftp://ftp.t10.org/t10/drafts/osd/osd-r10.pdf.
49. ZHANG, X., VAN DOORN, L., JAEGER, T., PEREZ, R., AND SAILER, R. 2002. Secure coprocessorbased intrusion detection. In Proceedings of the ACM SIGOPS European Workshop. ACM.
50. ZHANG, Y. AND WANG, D. 2006. Research on object-storage-based intrusion detection. In Proceedings of the 12th International Conference on Parallel and Distributed Systems (ICPADS'06). IEEE Computer Society, 68-78.