When computer intrusions occur, one of the most costly, time-consuming, and human-intensive tasks is the analysis and recovery of the compromised system. At a time when the cost of human resources dominates the cost of CPU, network, and storage resources, we argue that computing systems should, in fact, be built with automated analysis and recovery as a primary goal. Towards this end, we describe the design, implementation, and evaluation of Forensix: a robust, high-precision reconstruction and analysis system for supporting the computer equivalent of "TiVo". Forensix uses three key mechanisms to improve the accuracy and reduce the human overhead of performing forensic analysis. First, it performs comprehensive monitoring of the execution of a target system at the kernel event level, giving a high-resolution, application-independent view of all activity. Second, it streams the kernel event information, in real time, to append-only storage on a separate, hardened logging machine, making the system resilient to a wide variety of attacks. Third, it uses database technology to support high-level querying of the archived log, greatly reducing the human cost of performing forensic analysis.