UO CIS 607 - Storage-based Intrusion Detection: Watching storage activity for suspicious behavior


Appears in Proceedings of the 12th USENIX Security Symposium, Washington, DC, August 2003.

Storage-based Intrusion Detection: Watching storage activity for suspicious behavior

Adam G. Pennington, John D. Strunk, John Linwood Griffin, Craig A.N. Soules, Garth R. Goodson, Gregory R. Ganger
Carnegie Mellon University

Abstract

Storage-based intrusion detection allows storage systems to watch for data modifications characteristic of system intrusions. This enables storage systems to spot several common intruder actions, such as adding backdoors, inserting Trojan horses, and tampering with audit logs. Further, an intrusion detection system (IDS) embedded in a storage device continues to operate even after client systems are compromised. This paper describes a number of specific warning signs visible at the storage interface. Examination of 18 real intrusion tools reveals that most (15) can be detected based on their changes to stored files. We describe and evaluate a prototype storage IDS, embedded in an NFS server, to demonstrate both feasibility and efficiency of storage-based intrusion detection. In particular, both the performance overhead and memory required (152 KB for 4730 rules) are minimal.

1 Introduction

Many intrusion detection systems (IDSs) have been developed over the years [1, 23, 29], with most falling into one of two categories: network-based or host-based. Network IDSs (NIDS) are usually embedded in sniffers or firewalls, scanning traffic to, from, and within a network environment for attack signatures and suspicious traffic [5, 25]. Host-based IDSs (HIDS) are fully or partially embedded within each host's OS. They examine local information (such as system calls [10]) for signs of intrusion or suspicious behavior. Many environments employ multiple IDSs, each watching activity from its own vantage point.

The storage system is another interesting vantage point for intrusion detection. Several common intruder actions [7, p. 218][34, pp. 363–365] are quite visible at the storage interface. Examples include manipulating system utilities (e.g., to add backdoors or Trojan horses), tampering with audit log contents (e.g., to eliminate evidence), and resetting attributes (e.g., to hide changes). By design, a storage server sees all changes to persistent data, allowing it to transparently watch for suspicious changes and issue alerts about the corresponding client systems. Also, like a NIDS, a storage IDS must be compromise-independent of the host OS, meaning that it cannot be disabled by an intruder who only successfully gets past a host's OS-level protection.

This paper motivates and describes storage-based intrusion detection. It presents several kinds of suspicious behavior that can be spotted by a storage IDS. Using sixteen "rootkits" and two worms as examples, we describe how fifteen of them would be exposed rapidly by our storage IDS. (The other three do not modify stored files.) Most of them are exposed by modifying system binaries, adding files to system directories, scrubbing the audit log, or using suspicious file names. Of the fifteen detected, three modify the kernel to hide their presence from host-based detection, including FS integrity checkers like Tripwire [18]. In general, compromises cannot hide their changes from the storage device if they wish to persist across reboots; to be re-installed upon reboot, the tools must manipulate stored files.

A storage IDS could be embedded in many kinds of storage systems. The extra processing power and memory space required should be feasible for file servers, disk array controllers, and perhaps augmented disk drives. Most detection rules will also require FS-level understanding of the stored data. Such understanding exists trivially for a file server, and may be explicitly provided to block-based storage devices. This understanding of a file system is analogous to the understanding of application protocols used by a NIDS [27], but with fewer varieties and structural changes over time.

As a concrete example with which to experiment, we have augmented an NFS server with a storage IDS that supports online, rule-based detection of suspicious modifications. This storage IDS supports the detection of four categories of suspicious activities. First, it can detect unexpected changes to important system files and binaries, using a rule-set very similar to Tripwire's. Second, it can detect patterns of changes like non-append modification (e.g., of system log files) and reversing of inode times. Third, it can detect specifically proscribed content changes to critical files (e.g., illegal shells inserted into /etc/passwd). Fourth, it can detect the appearance of specific file names (e.g., hidden "dot" files) or content (e.g., known viruses or attack tools). An administrative interface supplies the detection rules, which are checked during the processing of each NFS request. When a detection rule triggers, the server sends the administrator an alert containing the full pathname of the modified file, the violated rule, and the offending NFS operation. Experiments show that the run-time cost of such intrusion detection is minimal. Further analysis indicates that little memory capacity is needed for reasonable rulesets (e.g., only 152 KB for an example containing 4730 rules).

The remainder of this paper is organized as follows. Section 2 introduces storage-based intrusion detection. Section 3 evaluates the potential of storage-based intrusion detection by examining real intrusion tools. Section 4 discusses storage IDS design issues. Section 5 describes a prototype storage IDS embedded in an NFS server. Section 6 uses this prototype to evaluate the costs of storage-based intrusion detection. Section 7 presents related work. Section 8 summarizes this paper's contributions and discusses continuing work.

2 Storage-based Intrusion Detection

Storage-based intrusion detection enables storage devices to examine the requests they service for suspicious client behavior. Although the world view that a storage server sees is incomplete, two features combine to make it a well-positioned platform for enhancing intrusion detection efforts. First, since storage devices are independent of host OSes, they can continue to look for intrusions after the initial compromise, whereas a host-based IDS can be disabled by the intruder. Second, since most computer systems rely heavily
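The four rule categories that the introduction attributes to the NFS-server prototype (Tripwire-style digests of protected binaries; non-append writes to logs and reversed inode times; proscribed content such as an illegal shell in /etc/passwd; suspicious names such as hidden "dot" files in system directories) can be exercised with a small rule engine run over a stream of storage requests. The following is an added example written for this page, not the paper's prototype: the operation record layout, the rule names, the protected paths and shell whitelist, and the sample files and request stream are all constructed assumptions, and it is a per-request checker rather than an NFS server. It does show what the storage interface exposes: a write below end-of-file on a log, a digest change on a protected file, a setattr that moves mtime backwards, and a dot file created under /dev, each reported with the pathname, rule and operation as the paper's alerts are.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Op:
    """One storage request as the IDS sees it (constructed layout, not the NFS wire format)."""
    kind: str                        # "write", "setattr" or "create"
    path: str                        # full pathname, reported in alerts
    client: str                      # client host issuing the request
    data: bytes = b""                # payload of a write
    offset: int = 0                  # byte offset of a write
    new_mtime: Optional[int] = None  # requested mtime of a setattr


@dataclass
class FileState:
    content: bytes = b""
    mtime: int = 0


class StorageIDS:
    """Rule-based checks over the four categories; rule names are this example's own."""

    LOG_FILES = {"/var/log/messages", "/var/log/secure"}
    ALLOWED_SHELLS = {"/bin/sh", "/bin/bash", "/sbin/nologin", "/bin/false"}
    SYSTEM_DIRS = ("/dev/", "/etc/", "/usr/lib/")
    HIDDEN_NAME = re.compile(r"(^|/)\.[^/]+$")   # a "dot" file under a system directory

    def __init__(self):
        self.files = {}      # path -> FileState, the server's view of stored data
        self.baseline = {}   # path -> SHA-256 of trusted content (Tripwire-style rule)
        self.clock = 2000    # server clock; writes stamp files with it

    def seed(self, path, content, mtime, protected=False):
        self.files[path] = FileState(content, mtime)
        if protected:
            self.baseline[path] = hashlib.sha256(content).hexdigest()

    def _apply_write(self, path, data, offset):
        st = self.files.setdefault(path, FileState())
        buf = bytearray(st.content.ljust(offset, b"\0"))
        buf[offset:offset + len(data)] = data
        st.content = bytes(buf)
        st.mtime = self.clock

    def check(self, op):
        """Apply one request and return (rule, operation, path, client) alerts."""
        self.clock += 1
        alerts = []
        st = self.files.get(op.path)
        if op.kind == "write":
            # Logs may only grow: a write below end-of-file is log scrubbing.
            if op.path in self.LOG_FILES and st is not None and op.offset < len(st.content):
                alerts.append(("log-non-append", op.kind, op.path, op.client))
            self._apply_write(op.path, op.data, op.offset)
            # Protected binary no longer matches its trusted digest.
            digest = hashlib.sha256(self.files[op.path].content).hexdigest()
            if op.path in self.baseline and digest != self.baseline[op.path]:
                alerts.append(("protected-file-modified", op.kind, op.path, op.client))
            # Content rule: every passwd entry must use a whitelisted shell.
            if op.path == "/etc/passwd":
                for line in self.files[op.path].content.decode(errors="replace").splitlines():
                    fields = line.split(":")
                    if len(fields) == 7 and fields[6] not in self.ALLOWED_SHELLS:
                        alerts.append(("illegal-shell", op.kind, op.path, op.client))
        elif op.kind == "setattr":
            # Moving mtime backwards is the attribute reset used to hide a change.
            if st is not None and op.new_mtime is not None:
                if op.new_mtime < st.mtime:
                    alerts.append(("mtime-reversed", op.kind, op.path, op.client))
                st.mtime = op.new_mtime
        elif op.kind == "create":
            if op.path.startswith(self.SYSTEM_DIRS) and self.HIDDEN_NAME.search(op.path):
                alerts.append(("suspicious-name", op.kind, op.path, op.client))
            self.files.setdefault(op.path, FileState(mtime=self.clock))
        return alerts


def run_demo():
    """Constructed request stream: two benign requests, then one intruder action per rule."""
    ids = StorageIDS()
    ids.seed("/bin/login", b"ELF login binary (constructed)", mtime=1000, protected=True)
    ids.seed("/var/log/messages", b"Aug 1 boot ok\nAug 1 sshd started\n", mtime=1000)
    ids.seed("/etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n", mtime=1000)
    log_len = len(ids.files["/var/log/messages"].content)
    pw_len = len(ids.files["/etc/passwd"].content)
    stream = [
        Op("write", "/var/log/messages", "host1", b"Aug 2 cron run\n", offset=log_len),   # normal append
        Op("create", "/home/alice/.bashrc", "host1"),                                     # dot file outside system dirs
        Op("write", "/var/log/messages", "host1", b"Aug 1 boot ok\n", offset=0),          # scrubbing the log
        Op("write", "/bin/login", "host1", b"ELF login binary with backdoor", offset=0),  # trojaned utility
        Op("setattr", "/bin/login", "host1", new_mtime=999),                              # reset mtime to hide it
        Op("write", "/etc/passwd", "host1", b"toor:x:0:0::/:/tmp/.x/sh\n", offset=pw_len),  # backdoor account
        Op("create", "/dev/.hidden", "host1"),                                            # hidden entry in /dev
    ]
    alerts = []
    for op in stream:
        alerts.extend(ids.check(op))
    return alerts


if __name__ == "__main__":
    for rule, kind, path, client in run_demo():
        print(f"ALERT client={client} op={kind} path={path} rule={rule}")
```

The checks run on the request stream alone, which is the point of the storage vantage: nothing here depends on the client host's kernel or integrity checker being honest, so a rootkit that hides its files from a host-based Tripwire run still has to issue the write and setattr requests that trigger these rules if it wants to survive a reboot.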