Accession Number:

ADA461216

Title:

Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage

Descriptive Note:

Corporate Author:

CARNEGIE-MELLON UNIV PITTSBURGH PA SCHOOL OF COMPUTER SCIENCE

Report Date:

2002-05-01

Pagination or Media Count:

31.0

Abstract:

Self-securing storage turns storage devices into active parts of an intrusion survival strategy. From behind a thin storage interface (e.g., SCSI or CIFS), a self-securing storage server can watch storage requests, keep a record of all storage activity, and prevent compromised clients from destroying stored data. This paper describes three ways self-securing storage enhances an administrator's ability to detect, diagnose, and recover from client system intrusions. First, storage-based intrusion detection offers a new observation point for noticing suspect activity. Second, post-hoc intrusion diagnosis starts with a plethora of normally-unavailable information. Finally, post-intrusion recovery is reduced to restarting the system with a pre-intrusion storage image retained by the server. Combined, these features can improve an organization's ability to survive successful digital intrusions.

Subject Categories:

  • Computer Systems Management and Standards

Distribution Statement:

APPROVED FOR PUBLIC RELEASE