Forensix: A Robust, High-Performance Reconstruction System

Authors:
Ashvin Goel;Wu-chang Feng;David Maier;Wu-chi Feng;Jonathan Walpole
Affiliations:
University of Toronto;Portland State University;Portland State University;Portland State University;Portland State University
Venue:
ICDCSW '05 Proceedings of the Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05) - Volume 02
Year:
2005

Citing 0
Cited 16

Backtracking intrusions

ACM Transactions on Computer Systems (TOCS)
The taser intrusion recovery system

Proceedings of the twentieth ACM symposium on Operating systems principles
Correlating multi-session attacks via replay

HOTDEP'06 Proceedings of the 2nd conference on Hot Topics in System Dependability - Volume 2
Collapsar: a VM-based architecture for network attack detention center

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Analysis of Computer Intrusions Using Sequences of Function Calls

IEEE Transactions on Dependable and Secure Computing
Flight data recorder: monitoring persistent-state interactions to improve systems management

OSDI '06 Proceedings of the 7th symposium on Operating systems design and implementation
Evaluating the survivability of Intrusion Tolerant Database systems and the impact of intrusion detection deficiencies

International Journal of Information and Computer Security
Reconstructing system state for intrusion analysis

ACM SIGOPS Operating Systems Review
Efficiently tracking application interactions using lightweight virtualization

Proceedings of the 1st ACM workshop on Virtual machine security
Integrating intrusion alert information to aid forensic explanation: An analytical intrusion detection framework for distributive IDS

Information Fusion
Network forensics based on fuzzy logic and expert system

Computer Communications
Attribution of malicious behavior

ICISS'10 Proceedings of the 6th international conference on Information systems security
Correlating multi-session attacks via replay

HotDep'06 Proceedings of the Second conference on Hot topics in system dependability
A framework for post-event timeline reconstruction using neural networks

Digital Investigation: The International Journal of Digital Forensics & Incident Response
An empirical study of automatic event reconstruction systems

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Hi-Fi: collecting high-fidelity whole-system provenance

Proceedings of the 28th Annual Computer Security Applications Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

When computer intrusions occur, one of the most costly, time-consuming, and human-intensive tasks is the analysis and recovery of the compromised system. At a time when the cost of human resources dominates the cost of CPU, network, and storage resources, we argue that computing systems should, in fact, be built with automated analysis and recovery as a primary goal. Towards this end, we describe the design, implementation, and evaluation of Forensix: a robust, high-precision reconstruction and analysis system for supporting the computer equivalent of "TiVo". Forensix uses three key mechanisms to improve the accuracy and reduce the human overhead of performing forensic analysis. First it performs comprehensive monitoring of the execution of a target system at the kernel event level, giving a high-resolution, application-independent view of all activity. Second, it streams the kernel event information, in real-time, to append-only storage on a separate, hardened, logging machine, making the system resilient to a wide variety of attacks. Third, it uses database technology to support high-level querying of the archived log, greatly reducing the human cost of performing forensic analysis.