
Intrusion detection and tolerance: A global scheme.

Authors :
Djemaiel, Yacine
Rekhis, Slim
Boudriga, Noureddine
Source :
International Journal of Communication Systems; Feb2008, Vol. 21 Issue 2, p211-230, 20p, 2 Diagrams
Publication Year :
2008

Abstract

Protecting implemented security mechanisms and trusting their output (e.g. log files) when the host, under which they are deployed, is compromised, is among the major challenges that have to be faced. To fulfil this need, recent advances in security have considered the design of storage-based intrusion detection systems, which detect intrusions by looking at the low-level disk request patterns. However, these systems neither tolerate intrusions, nor do they distinguish whether the disk requests are generated by legitimate or malicious processes; and consequently, they generate a lot of false negative and positive alerts. In this paper, we present a Cooperative Intrusion Detection and Tolerance System, called CIDTS, which takes advantage of the information that is available at the network, host operating system, and storage level to better detect intrusion attempts in their early stages, even when the host is compromised. To allow cooperation, the disk communication interface that transports requests between the storage level and the host level is extended to forward information about the processes that generate the request. The paper also provides intrusion tolerance capabilities and provides techniques to support investigation activities. Copyright © 2007 John Wiley & Sons, Ltd. [ABSTRACT FROM AUTHOR]

Details

Language :
English
ISSN :
10745351
Volume :
21
Issue :
2
Database :
Complementary Index
Journal :
International Journal of Communication Systems
Publication Type :
Academic Journal
Accession number :
28556922
Full Text :
https://doi.org/10.1002/dac.895