Trading Elephants for Ants: Efficient Post-attack Reconstitution

Meixing Le, Zhaohui Wang, Quan Jia, Angelos Stavrou, Anup K. Ghosh and Sushil Jajodia
While security has become a first-class consideration in the design and operation of systems, most commercial and research efforts have focused on detection, prevention, and forensic analysis of attacks. Relatively little work has gone into efficient recovery of applications and data after a compromise. Administrators and end-users are faced with the arduous task of cleansing the affected machines. Restoring the system from a snapshot is disruptive and can lead to data loss.



Reconstructing system state for intrusion analysis

This paper describes a technique that helps generate a time-line of the state of the system, based on preprocessing the audit log, that simplifies the implementation of the analysis queries and enables running the analysis tools interactively on large data sets.

Application-level isolation and recovery with solitude

This paper presents Solitude, an application-level isolation and recovery system that is designed to both limit the effects of attacks and simplify the post-intrusion recovery process.

Forensix: a robust, high-performance reconstruction system

This work argues that computing systems should, in fact, be built with automated analysis and recovery as a primary goal, and describes the design, implementation, and evaluation of Forensix: a robust, high-precision reconstruction and analysis system for supporting the computer equivalent of "TiVo".

Backtracking intrusions

The goal of BackTracker is to automatically identify potential sequences of steps that occurred in an intrusion: starting from a detection point, it identifies the files and processes that could have affected that point and displays the chains of events in a dependency graph.

The taser intrusion recovery system

This paper describes the design of Taser, a system that helps in selectively recovering legitimate file-system data after an attack or local damage occurs; Taser is effective in recovering from a wide range of intrusions as well as from damage caused by system management errors.

ReVirt: enabling intrusion analysis through virtual-machine logging and replay

ReVirt removes the dependency on the target operating system by moving it into a virtual machine and logging below the virtual machine, which enables it to provide arbitrarily detailed observations about what transpired on the system, even in the presence of non-deterministic attacks and executions.

Secure program execution via dynamic information flow tracking

This work presents a simple architectural mechanism called dynamic information flow tracking that can significantly improve the security of computing systems with negligible performance overhead and is transparent to users and application programmers.

Apiary: Easy-to-Use Desktop Application Fault Containment on Commodity Operating Systems

The results with real applications, known exploits, and a 24-person user study show that Apiary has modest performance overhead, is effective in limiting the damage from real vulnerabilities, and is as easy for users to use as a traditional desktop.

Intrusion Recovery Using Selective Re-execution

An evaluation of a prototype of RETRO for Linux with 2 real-world attacks, 2 synthesized challenge attacks, and 6 attacks from previous work, shows that RETRO can often repair the system without user involvement, and avoids false positives and negatives from previous solutions.

Secure in-VM monitoring using hardware virtualization

This paper presents Secure In-VM Monitoring (SIM), a general-purpose framework that enables security monitoring applications to be placed back in the untrusted guest VM for efficiency without sacrificing the security guarantees provided by running them outside of the VM.