Reconstructing system state for intrusion analysis

The analysis of a compromised system is a time-consuming and error-prone task today because commodity operating systems provide limited auditing facilities. We have been developing an operating-system level auditing system called Forensix that captures a high-resolution image of all system activities so that detailed analysis can be performed after an attack is detected. The challenge with this approach is that the large amount of audit data generated can overwhelm analysis tools. In this paper, we describe a technique that helps generate a time-line of the state of the system. This technique, based on preprocessing the audit log, simplifies the implementation of the analysis queries and enables running the analysis tools interactively on large data sets.
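The preprocessing step described above, as an added example that is not part of the paper or of Forensix: a constructed log of file-system system calls is folded into per-path state intervals (each closed by the next event on the same path), so that point-in-time and provenance queries become interval lookups instead of a rescan of the whole event log. The record layout, syscall names, pids and hashes are assumptions.

```python
# Added example (not Forensix's own code): preprocess a constructed audit log of
# file-system system calls into per-path state intervals, so analysis queries
# become interval lookups instead of re-scanning the whole event log.
from collections import defaultdict

# Constructed sample records: (timestamp, pid, syscall, path, content_hash)
AUDIT_LOG = [
    (100, 1001, "create", "/etc/passwd.bak", None),
    (105, 1001, "write", "/etc/passwd.bak", "sha256:aaa"),
    (110, 2002, "write", "/etc/passwd", "sha256:bbb"),
    (120, 2002, "unlink", "/etc/passwd.bak", None),
    (130, 3003, "write", "/etc/passwd", "sha256:ccc"),
]

EMPTY = {"exists": False, "hash": None, "writers": ()}

def build_timeline(log):
    """Return {path: [(start, end, state), ...]}; end is None for the current state."""
    timeline = defaultdict(list)
    open_iv = {}  # path -> (start, state) of the interval not yet closed
    for ts, pid, call, path, digest in sorted(log, key=lambda r: r[0]):
        if path in open_iv:  # this event ends the interval that was open
            start, prev = open_iv.pop(path)
            timeline[path].append((start, ts, prev))
        else:
            prev = EMPTY
        if call == "create":
            new = {"exists": True, "hash": None, "writers": ()}
        elif call == "write":
            new = {"exists": True, "hash": digest, "writers": prev["writers"] + (pid,)}
        elif call == "unlink":  # keep writer provenance even after deletion
            new = {"exists": False, "hash": None, "writers": prev["writers"]}
        else:
            raise ValueError(f"unhandled syscall {call!r}")
        open_iv[path] = (ts, new)
    for path, (start, state) in open_iv.items():
        timeline[path].append((start, None, state))
    return dict(timeline)

def state_at(timeline, path, ts):
    """Point-in-time query: the state of `path` at time `ts` (EMPTY if never seen)."""
    for start, end, state in timeline.get(path, []):
        if start <= ts and (end is None or ts < end):
            return state
    return EMPTY

def writers_as_of(timeline, path, ts):
    """Provenance query: processes that had written `path` by time `ts`."""
    return state_at(timeline, path, ts)["writers"]
```

Once the intervals are materialised, a query such as "which processes had modified /etc/passwd before the alert fired" no longer touches the raw event stream, which is the property that makes interactive analysis of a large audit log feasible.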
