Date of Original Version



Technical Report

Rights Management

All Rights Reserved

Abstract or Description

Storage-based intrusion detection allows storage systems to watch for data modifications characteristic of system in-trusions. This enables storage systems to spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. Further, an intrusion detection system (IDS) embedded in a storage device continues to operate even after client systems are compromised. This paper describes a number of specific warning signs visible at the storage interface. Examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. We describe and evaluate a prototype storage IDS, embedded in an NFS server, to demonstrate both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead and memory required (152 KB for 4730 rules) are minimal.


Superceded by Proceedings 12th USENIX Security Symposium, Washington, D.C., Aug 4-8, 2003.