Analysis of Computer Intrusions Using Sequences of Function Calls
IEEE Transactions on Dependable and Secure Computing
Computer forensics in forensis
ACM SIGOPS Operating Systems Review
Efficiently tracking application interactions using lightweight virtualization
Proceedings of the 1st ACM workshop on Virtual machine security
Assessing operational impact in enterprise systems by mining usage patterns
DSOM'07 Proceedings of the Distributed systems: operations and management 18th IFIP/IEEE international conference on Managing virtualization of networks and services
LogGC: garbage collecting audit log
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Hi-index | 0.00 |
Intrusion detection systems alert the system administrators of intrusions but, in most cases, do not provide details about which system events are relevant to the intrusion and how the system events are related. We consider intrusions of file systems. Existing tools, like BackTracker, help the system administrator backtrack from the detection point, which is a file with suspicious contents, to possible entry points of the intrusion by providing a graph containing dependency information between the various files and processes that could be related to the detection point. We improve such backtracking techniques by logging certain additional parameters of the file system during normal operations (real-time) and examining the logged information during the analysis phase. In addition, we use data flow analysis within the processes related to the intrusion to prune unwanted paths from the dependency graph. This results in significant reduction in search space, search time, and false positives. We also analyze the effort required in terms of storage space and search time.