Abstract: Most authentication sub-systems can not guarantee the authenticity of the account, and an intruder using a stolen account may be regarded as a legitimate user. In order to filter out such illegal users, the storage system should be able to watch for the user access activities. In order to enhance the storage security, the paper proposed an immune anomaly detection scheme to identify the anomalous access behavior. When an access rectuest violates the access control rule,it is viewed as Non-self,so as to provide some storage early warning tips to the storage security subsystem. The proposed storage anomaly detection system (SADS) targets the anomaly detection at storage level and focuses on the read/write data requests, constructing two-layer detection together with the network intrusion detection system (KIDS). The simulation results show the proposed scheme can reach rather high detection rate and low false alarm rate,validating its feasibility. The overhead test exhibits that the computation time caused by SADS is acceptable, e. g below 11. 6% as to 3MB data.

Key words: Storage security, Anomaly detection, AIS, User access behavior