Carnegie Mellon University Parallel Data Lab Technical Report CMU-PDL-03-106, December, 2003.
John Linwood Griffin, Adam Pennington, John S. Bucy, Deepa Choundappan,
Nithya Muralidharan, Gregory R. Ganger
Electrical and Computer Engineering
Carnegie Mellon University
Pittsburgh, PA 15213
Storage-based intrusion detection systems (IDSes) can be valuable tools
in monitoring for and notifying
administrators of malicious software executing on a host computer, including
many common intrusion toolkits. This paper makes a case for implementing
IDS functionality in the firmware of workstations' locally attached
disks, on which the bulk of important system files typically reside.
To evaluate the feasibility of this approach, we built a prototype disk-based
IDS into a SCSI disk emulator. Experimental results from this prototype
indicate that it would indeed be feasible, in terms of CPU and memory
costs, to include IDS functionality in low-cost desktop disk drives.
KEYWORDS: Computer security, intrusion detection, IDS, local disk, disk firmware.
FULL PAPER: pdf / postscript