The design and implementation of tripwire: a file system integrity checker
CCS '94 Proceedings of the 2nd ACM Conference on Computer and communications security
Developing time-oriented database applications in SQL
Developing time-oriented database applications in SQL
STATL: an attack language for state-based intrusion detection
Journal of Computer Security
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
ReVirt: enabling intrusion analysis through virtual-machine logging and replay
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Forensix: A Robust, High-Performance Reconstruction System
ICDCSW '05 Proceedings of the Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05) - Volume 02
The taser intrusion recovery system
Proceedings of the twentieth ACM symposium on Operating systems principles
Automatic high-performance reconstruction and recovery
Computer Networks: The International Journal of Computer and Telecommunications Networking
Synthesizing fast intrusion prevention/detection systems from high-level specifications
SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Intrusion detection using sequences of system calls
Journal of Computer Security
Flight data recorder: monitoring persistent-state interactions to improve systems management
OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Application-level isolation and recovery with solitude
Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
Hi-Fi: collecting high-fidelity whole-system provenance
Proceedings of the 28th Annual Computer Security Applications Conference
Hi-index | 0.00 |
The analysis of a compromised system is a time-consuming and error-prone task today because commodity operating systems provide limited auditing facilities. We have been developing an operating-system level auditing system called Forensix that captures a high-resolution image of all system activities so that detailed analysis can be performed after an attack is detected. The challenge with this approach is that the large amount of audit data generated can overwhelm analysis tools. In this paper, we describe a technique that helps generate a time-line of the state of the system. This technique, based on preprocessing the audit log, simplifies the implementation of the analysis queries and enables running the analysis tools interactively on large data sets.