Backtracking intrusions
Source: ACM Transactions on Computer Systems (TOCS), Volume 23, Issue 1 (February 2005)
Pages: 51-76
Year of Publication: 2005
ISSN: 0734-2071
Authors: Samuel T. King (University of Michigan, Ann Arbor, MI); Peter M. Chen (University of Michigan, Ann Arbor, MI)
Publisher: ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1047915.1047918

ABSTRACT

Analyzing intrusions today is an arduous, largely manual task because system administrators lack the information and tools needed to understand easily the sequence of steps that occurred in an attack. The goal of BackTracker is to identify automatically potential sequences of steps that occurred in an intrusion. Starting with a single detection point (e.g., a suspicious file), BackTracker identifies files and processes that could have affected that detection point and displays chains of events in a dependency graph. We use BackTracker to analyze several real attacks against computers that we set up as honeypots. In each case, BackTracker is able to highlight effectively the entry point used to gain access to the system and the sequence of steps from that entry point to the point at which we noticed the intrusion. The logging required to support BackTracker added 9% overhead in running time and generated 1.2 GB per day of log data for an operating-system intensive workload.
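The backward dependency tracking the abstract describes, reduced to its core idea as an added example written for this page (not code from the paper or from the BackTracker tool): walk from a detection point back through logged file and process events, keeping only events that happened before the state of the object actually mattered. The event log, object names and the per-object time-threshold rule are constructed assumptions.

```python
"""Backward dependency tracking from a detection point (added illustration)."""
from collections import defaultdict

# Constructed sample event log (hypothetical, not from the paper).
# Each tuple is (time, kind, source, sink): source may have affected sink at time.
# kinds: fork (parent -> child), read/exec (file -> process), write (process -> file)
EVENTS = [
    (1, "fork", "proc:init", "proc:sshd"),
    (2, "fork", "proc:sshd", "proc:bash"),
    (3, "write", "proc:bash", "file:/tmp/dl.sh"),
    (4, "exec", "file:/tmp/dl.sh", "proc:sh"),
    (5, "write", "proc:sh", "file:/usr/bin/ls"),       # detection point: modified binary
    (6, "fork", "proc:init", "proc:cron"),
    (7, "write", "proc:cron", "file:/var/log/cron"),   # unrelated background activity
    (8, "read", "file:/etc/passwd", "proc:sh"),        # after the write at t=5: cannot matter
]


def backtrack(events, detection_obj, detection_time):
    """Return the set of events that could have contributed to detection_obj
    as it existed at detection_time (the backward dependency graph)."""
    by_sink = defaultdict(list)
    for ev in events:
        by_sink[ev[3]].append(ev)
    # threshold[obj]: latest time at which obj's state is relevant to the detection.
    threshold = {detection_obj: detection_time}
    worklist = [detection_obj]
    graph = set()
    while worklist:
        obj = worklist.pop()
        limit = threshold[obj]
        for ev in by_sink[obj]:
            t, _kind, src, _sink = ev
            if t >= limit:          # happened after obj's relevant state was fixed
                continue
            graph.add(ev)
            # src only matters up to time t; if that extends what we knew, revisit it.
            if t > threshold.get(src, -1):
                threshold[src] = t
                worklist.append(src)
    return graph


def entry_points(graph):
    """Objects in the graph that nothing in the graph affected: candidate entry points."""
    sources = {ev[2] for ev in graph}
    sinks = {ev[3] for ev in graph}
    return sources - sinks


if __name__ == "__main__":
    g = backtrack(EVENTS, "file:/usr/bin/ls", 9)
    for ev in sorted(g):
        print(ev)
    print("entry points:", entry_points(g))
```

The cron events and the late read of /etc/passwd are excluded because they could not have influenced the detection point, which is the pruning that keeps a real dependency graph readable.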





REVIEW

Reviewer: Stefano Zanero

BackTracker, a tool developed to help system administrators track intrusions, is described in this paper. The tool creates a graph of the interactions between system objects, helping in the forensic analysis of a compromised machine. The tool has …
