Trading Elephants for Ants: Efficient Post-attack Reconstitution

While security has become a first-class consideration in the design and operation of systems, most commercial and research effort has gone into the detection, prevention, and forensic analysis of attacks. Comparatively little work addresses efficient recovery of applications and data after a compromise. Administrators and end users are left with the arduous task of cleansing the affected machines by hand. Restoring a system from a snapshot is disruptive, and it discards legitimate work performed between the snapshot and the restore, so it can lead to data loss.
