Storage-based intrusion detection: Watching storage activity for suspicious behavior

John L. Griffin, Johns Hopkins University

In this talk I describe my previous work on storage-based intrusion detection. The technique preserves system integrity by letting storage-system components watch for, and respond to, data modifications that are characteristic of malicious intrusions. Because every persistent change an intruder makes must pass through the storage interface, a storage system can spot several common intruder actions: adding backdoors (for example, new privileged accounts in system files), inserting Trojan horses (modifying binaries that should never change), and tampering with audit logs (truncating or overwriting files that should only grow). Further, an intrusion detection system (IDS) embedded in a storage device runs on a separate component with its own administrative interface, so it continues to operate effectively even after client systems or network devices are compromised: an attacker who controls the host operating system cannot disable the detector or suppress its alerts. The converse limitation is that such an IDS sees only activity that reaches storage; intrusions that never touch persistent state, and attacks on the storage device itself, are outside its view.