Trading Elephants for Ants: Efficient Post-attack Reconstitution

@inproceedings{Le2011TradingEF,
  title={Trading Elephants for Ants: Efficient Post-attack Reconstitution},
  author={Meixing Le and Zhaohui Wang and Quan Jia and Angelos Stavrou and Anup K. Ghosh and Sushil Jajodia},
  booktitle={SecureComm},
  year={2011}
}
While security has become a first-class consideration in the design and operation of systems, most commercial and research effort has been focused on the detection, prevention, and forensic analysis of attacks. Relatively little work has gone into efficient recovery of applications and data after a compromise. Administrators and end users are faced with the arduous task of cleansing the affected machines. Restoring the system from a snapshot is disruptive and can lead to data loss.
