The authors build a case for storage-based intrusion detection systems (IDSes), as opposed to host-based or network-based IDSes. Their system sits at the file system interface and watches for operations based on a set of rules. For example, the storage-based IDS (S-IDS) can watch for changes to system files that rarely change. Such a change would indicate that somebody with root access is changing system files, maybe through a rootkit. By recognizing such malicious activity at the file system interface, the S-IDS can prevent malicious changes even when a host machine has been compromised.

This paper generated quite a bit of discussion. Some of the issues are listed below:

- Can an S-IDS be used to detect leakage of sensitive data? The authors focus on "writes," but do not address the issue of illegal reads. There could be honeypots on the filesystem, which the S-IDS could recognize on a read, and signal an alarm.
- The analysis could be much stronger.
- There were concerns about response. How should an administrator respond to an alarm raised by an S-IDS? Slowing down the user, or denying access, could be detrimental. Maybe the rules could specify response actions based on each suspected attack. Some may be less serious than others, which would imply a classification of attacks based on severity.
- The authors suggest that the administrator be notified of planned upgrades. However, this could become complicated, as several details would be needed regarding the upgrade (version, checksum, etc.). Moreover, intruders could hide in the noise by using rootkits during a planned system upgrade.
- An S-IDS could be used to screen files saved to disk (similar to anti-virus programs). What if an S-IDS flags a user's file as a rootkit? An administrator would have to look at it, and this might violate the user's privacy. This would be intrusive.
- There is the assumption that the file server cannot be penetrated. There are several filesystems that are hosted on "regular" machines, with the same OS as any other host that could be attacked by the hacker. So, a serious hacker might just attack the file system first. It would be important to make sure that the file system server is highly specialized and secure.
- The authors draw an analogy between network-based IDSes recognizing application-layer traffic and S-IDSes understanding application file types and structure. However, at first thought, file types seem more complicated than application-layer traffic. Having an S-IDS that peeks into files could be quite heavyweight.

Votes: SA 1, A 15, R 5, SR 0
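To make the rule-based design and the discussion points concrete, here is an added toy S-IDS rule engine (illustration written for this summary, not code from the paper or its authors). It models the stream of operations seen at the file system interface, applies rules that carry a severity and a response action (alert or deny), treats a read of a decoy file as an alarm, and handles the planned-upgrade case by accepting a write to an announced path only when the new content matches the checksum the administrator announced, so a rootkit trying to hide in the upgrade noise still trips an alarm. All paths, rule names, user ids and file contents are constructed sample values.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class StorageOp:
    """One operation observed at the file system interface."""
    kind: str             # "read", "write", "truncate" or "unlink"
    path: str
    uid: int
    content: bytes = b""  # new contents for writes (constructed sample data)


@dataclass
class Rule:
    name: str
    severity: Severity
    response: str         # "alert" (record and let it through) or "deny" (block the op)
    matches: Callable[[StorageOp], bool]


@dataclass
class Alarm:
    rule: str
    severity: Severity
    response: str
    op: StorageOp


def under(patterns: List[str]) -> Callable[[StorageOp], bool]:
    """Rule helper: true when the op's path matches any of the glob patterns."""
    return lambda op: any(fnmatch.fnmatch(op.path, p) for p in patterns)


# Constructed rule sets: files that rarely change, append-only logs, a decoy file.
SYSTEM_FILES = ["/bin/*", "/sbin/*", "/lib/*", "/etc/passwd"]
LOG_FILES = ["/var/log/*"]
DECOY_FILES = ["/home/alice/passwords.txt"]  # honeypot: nothing legitimate reads it

RULES = [
    Rule("system-file-modified", Severity.HIGH, "deny",
         lambda op: op.kind in ("write", "truncate", "unlink") and under(SYSTEM_FILES)(op)),
    Rule("log-file-truncated", Severity.MEDIUM, "alert",
         lambda op: op.kind in ("truncate", "unlink") and under(LOG_FILES)(op)),
    Rule("honeypot-read", Severity.HIGH, "alert",
         lambda op: op.kind == "read" and under(DECOY_FILES)(op)),
]


class StorageIDS:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.alarms: List[Alarm] = []
        # path -> SHA-256 of the file contents the administrator announced for an upgrade
        self.planned_upgrade: Dict[str, str] = {}

    def announce_upgrade(self, expected: Dict[str, str]) -> None:
        self.planned_upgrade = dict(expected)

    def check(self, op: StorageOp) -> str:
        """Return "allow" or "deny" for the op, recording an Alarm when something fires."""
        if op.kind == "write" and op.path in self.planned_upgrade:
            # Announced upgrade: only the exact announced content is expected.
            if hashlib.sha256(op.content).hexdigest() == self.planned_upgrade[op.path]:
                return "allow"
            self.alarms.append(Alarm("unexpected-content-during-upgrade", Severity.HIGH, "deny", op))
            return "deny"
        for rule in self.rules:
            if rule.matches(op):
                self.alarms.append(Alarm(rule.name, rule.severity, rule.response, op))
                return "deny" if rule.response == "deny" else "allow"
        return "allow"


def demo() -> Tuple[List[str], List[str]]:
    """Run a constructed operation stream; returns (decisions, names of rules that fired)."""
    ids = StorageIDS(RULES)
    new_ls = b"ELF new ls binary v2"  # constructed contents of the upgraded file
    ids.announce_upgrade({"/bin/ls": hashlib.sha256(new_ls).hexdigest()})
    ops = [
        StorageOp("read", "/home/alice/notes.txt", 1000),         # ordinary user read
        StorageOp("write", "/bin/ls", 0, new_ls),                 # the announced upgrade write
        StorageOp("write", "/bin/ls", 0, b"ELF trojaned ls"),     # rootkit hiding in the upgrade
        StorageOp("write", "/sbin/init", 0, b"ELF evil init"),    # system file not part of the upgrade
        StorageOp("truncate", "/var/log/auth.log", 0),            # log wiped: alert, but not blocked
        StorageOp("read", "/home/alice/passwords.txt", 1001),     # decoy file read
    ]
    decisions = [ids.check(op) for op in ops]
    return decisions, [a.rule for a in ids.alarms]


if __name__ == "__main__":
    for decision, fired in zip(*demo()):
        print(decision, fired)
```

The severity and response fields are what the discussion asked for: the same engine can log a medium-severity event and let it through while blocking a high-severity write, and an administrator can tune those responses per rule rather than slowing down every user. The checksum comparison is one way to answer the "hiding in the noise" concern, at the cost of the upgrade announcement having to carry a checksum per file.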