Reconstructing system state for intrusion analysis

Authors:
Ashvin Goel;Kamran Farhadi;Kenneth Po;Wu-chang Feng
Affiliations:
University of Toronto;University of Toronto;University of Toronto;Portland State University
Venue:
ACM SIGOPS Operating Systems Review
Year:
2008

Citing 13
Cited 1

The design and implementation of tripwire: a file system integrity checker

CCS '94 Proceedings of the 2nd ACM Conference on Computer and communications security
Developing time-oriented database applications in SQL

Developing time-oriented database applications in SQL
STATL: an attack language for state-based intrusion detection

Journal of Computer Security
Backtracking intrusions

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
ReVirt: enabling intrusion analysis through virtual-machine logging and replay

OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Forensix: A Robust, High-Performance Reconstruction System

ICDCSW '05 Proceedings of the Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05) - Volume 02
The taser intrusion recovery system

Proceedings of the twentieth ACM symposium on Operating systems principles
Automatic high-performance reconstruction and recovery

Computer Networks: The International Journal of Computer and Telecommunications Networking
Synthesizing fast intrusion prevention/detection systems from high-level specifications

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Intrusion detection using sequences of system calls

Journal of Computer Security
Flight data recorder: monitoring persistent-state interactions to improve systems management

OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Application-level isolation and recovery with solitude

Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008

Hi-Fi: collecting high-fidelity whole-system provenance

Proceedings of the 28th Annual Computer Security Applications Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

The analysis of a compromised system is a time-consuming and error-prone task today because commodity operating systems provide limited auditing facilities. We have been developing an operating-system level auditing system called Forensix that captures a high-resolution image of all system activities so that detailed analysis can be performed after an attack is detected. The challenge with this approach is that the large amount of audit data generated can overwhelm analysis tools. In this paper, we describe a technique that helps generate a time-line of the state of the system. This technique, based on preprocessing the audit log, simplifies the implementation of the analysis queries and enables running the analysis tools interactively on large data sets.