1. Field of the Invention
The present invention relates generally to detecting computer system security breaches and, more specifically, to detecting such breaches in computer systems having data storage arrays.
2. Description of the Related Art
Computer systems, particularly those having access to external networks such as the Internet, are vulnerable to intrusion or attack by unauthorized individuals. Such persons may be involved in industrial espionage, seeking trade secrets and other information stored on the system, or may simply be seeking to vandalize the system. Businesses, governments and other organizations spend considerable sums to protect the data stored on their computer systems and prevent disruption of system operations. Sophisticated firewalls and other mechanisms for thwarting intruders or attackers outside an organization have been developed. Security mechanisms have also been developed for protecting data against unauthorized access by individuals inside an organization. Although such mechanisms provide the first line of defense against intrusions and attacks, there is also a need for mechanisms that detect such security breaches in the event an intruder is at least partially successful so that corrective actions can be taken as soon as possible.
Although computer systems typically have many elements, including mass data storage devices, host computers, back-end servers, administrative workstations, and various peripheral devices, intrusion detection solutions have focused upon host computers or servers. Conventional intrusion detection software operates on host computers and monitors file changes, evaluates whether changes in file structures indicate an attack based upon attack signatures and rule sets, and notifies system administrators or other personnel if data stored on network servers have been compromised. Various attack signatures and rule sets are known for differentiating between expected types of changes and those that are likely to indicate an intrusion. For example, a password file can normally be expected to change from time to time, but a large number of changes occurring within a short time span may indicate that an intruder has accessed the system. Similar intrusion detection software for network routers and switches has also been developed.
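The password-file rule described above, as an added illustration that is not part of the patent text: a sliding-window check over constructed file-change events that raises one alert per burst. The event format, the watched path, and the threshold of three changes within sixty seconds are assumptions chosen for the example.

```python
from datetime import datetime

# Constructed sample of file-change events, in the form a host-based monitor
# might record them: ISO timestamp, path, change type. Not from any real system.
SAMPLE_EVENTS = """\
2024-05-01T08:00:00 /etc/passwd modify
2024-05-01T09:30:00 /var/log/syslog modify
2024-05-02T10:15:00 /etc/passwd modify
2024-05-03T02:00:01 /etc/passwd modify
2024-05-03T02:00:07 /etc/passwd modify
2024-05-03T02:00:12 /etc/passwd modify
2024-05-03T02:00:20 /etc/passwd modify
"""

def parse_events(text):
    """Parse one event per line into (datetime, path, change_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, path, kind = line.split()
        events.append((datetime.fromisoformat(ts), path, kind))
    return events

def burst_alerts(events, path, threshold, window_seconds):
    """Flag bursts: at least `threshold` changes to `path` within `window_seconds`.

    Slides a window over the sorted change times for the watched path and emits
    one (burst_start, burst_end, change_count) tuple per burst, so the routine
    daily edits in the sample pass while the rapid cluster is reported once.
    """
    times = sorted(t for t, p, _ in events if p == path)
    alerts, start, in_burst = [], 0, False
    for end, t in enumerate(times):
        # Advance the window start until the window spans at most window_seconds.
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        count = end - start + 1
        if count >= threshold:
            if in_burst:
                alerts[-1][1], alerts[-1][2] = t, count   # extend the open burst
            else:
                alerts.append([times[start], t, count])
                in_burst = True
        else:
            in_burst = False
    return [(a.isoformat(), b.isoformat(), n) for a, b, n in alerts]

if __name__ == "__main__":
    for alert in burst_alerts(parse_events(SAMPLE_EVENTS), "/etc/passwd", 3, 60):
        print("ALERT: %d changes to /etc/passwd between %s and %s" % (alert[2], alert[0], alert[1]))
```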
Host-based intrusion detection solutions are themselves potentially vulnerable to attack. Once an intruder gains access to a host, the intruder may be able to render them ineffective and thus escape detection. It would be desirable to provide an intrusion detection solution that is resistant to access by an intruder. The present invention addresses this problem and others in the manner described below.