ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Backtracking intrusions
Full text PdfPdf (185 KB)
Source ACM Symposium on Operating Systems Principles archive
Proceedings of the nineteenth ACM symposium on Operating systems principles table of contents
Bolton Landing, NY, USA
SESSION: Making operating systems more robust table of contents
Pages: 223 - 236  
Year of Publication: 2003
ISBN:1-58113-757-5
Also published in ...
Authors
Samuel T. King  University of Michigan, Ann Arbor, MI
Peter M. Chen  University of Michigan, Ann Arbor, MI
Sponsors
SIGOPS: ACM Special Interest Group on Operating Systems
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 21,   Downloads (12 Months): 142,   Citation Count: 37
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/945445.945467
What is a DOI?

ABSTRACT

Analyzing intrusions today is an arduous, largely manual task because system administrators lack the information and tools needed to understand easily the sequence of steps that occurred in an attack. The goal of BackTracker is to identify automatically potential sequences of steps that occurred in an intrusion. Starting with a single detection point (e.g., a suspicious file), BackTracker identifies files and processes that could have affected that detection point and displays chains of events in a dependency graph. We use BackTracker to analyze several real attacks against computers that we set up as honeypots. In each case, BackTracker is able to highlight effectively the entry point used to gain access to the system and the sequence of steps from that entry point to the point at which we noticed the intrusion. The logging required to support BackTracker added 9% overhead in running time and generated 1.2 GB per day of log data for an operating-system intensive workload.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Steps for Recovering from a UNIX or NT System Compromise. Technical report, CERT Coordination Center, April 2000. http://www.cert.org/tech_tips/ win-UNIX-system_compromise.html.
 
2
Detecting Signs of Intrusion. Technical Report CMU/SEI-SIM-009, CERT Coordination Center, April 2001. http://www.cert.org/security-improvement/modules/m09.html.
 
3
L-133: Sendmail Debugger Arbitrary Code Execution Vulnerability. Technical report, Computer Incident Advisory Capability, August 2001. http://www.ciac.org/ciac/bulletins/l-133.shtml.
 
4
CERT/CC Overview Incident and Vulnerability Trends. Technical report, CERT Coordination Center, April 2002. http://www.cert.org/present/cert-overview-trends/.
 
5
Multiple Vulnerabilities In OpenSSL. Technical Report CERT Advisory CA-2002-23, CERT Coordination Center, July 2002. http://www.cert.org/advisories/CA-2002-23.html.
 
6
Paul Ammann , Sushil Jajodia , Peng Liu, Recovery from Malicious Transactions, IEEE Transactions on Knowledge and Data Engineering, v.14 n.5, p.1167-1185, September 2002  [doi>10.1109/TKDE.2002.1033782]
 
7
Ken Ashcraft , Dawson Engler, Using Programmer-Written Compiler Extensions to Catch Security Holes, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.143, May 12-15, 2002
 
8
Kerstin Buchacker , Volkmar Sieh, Framework for Testing the Fault-Tolerance of Systems Including OS and Network Aspects, The 6th IEEE International Symposium on High-Assurance Systems Engineering: Special Topic: Impact of Networking, p.95-105, October 24-26, 2001
 
9
Bill Cheswick. An Evening with Berferd in Which a Cracker is Lured, Endured, and Studied. In Proceedings of the Winter 1992 USENIX Technical Conference, pages 163--174, January 1992.
 
10
Alan M. Christie. The Incident Detection, Analysis, and Response (IDAR) Project. Technical report, CERT Coordination Center, July 2002. http://www.cert.org/idar.
11
Dorothy E. Denning, A lattice model of secure information flow, Communications of the ACM, v.19 n.5, p.236-243, May 1976  [doi>10.1145/360051.360056]
12
George W. Dunlap , Samuel T. King , Sukru Cinar , Murtaza A. Basrai , Peter M. Chen, ReVirt: enabling intrusion analysis through virtual-machine logging and replay, Proceedings of the 5th symposium on Operating systems design and implementation

Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading

, December 09-11, 2002, Boston, Massachusetts  [doi>10.1145/1060289.1060309]
 
13
Dan Farmer. What are MACtimes? Dr. Dobb's Journal, October 2000.
 
14
Dan Farmer. Bring out your dead. Dr. Dobb's Journal, January 2001.
 
15
Dan Farmer and Wietse Venema. Forensic computer analysis: an introduction. Dr. Dobb's Journal, September 2000.
 
16
Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
 
17
Tal Garfinkel and Mendel Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proceedings of the 2003 Network and Distributed System Security Symposium (NDSS), February 2003.
 
18
Ian Goldberg, David Wagner, Randi Thomas, and Eric A. Brewer. A Secure Environment for Untrusted Helper Applications. In Proceedings of the 1996 USENIX Technical Conference, July 1996.
 
19
Xie Huagang. Build a secure system with LIDS, 2000. http://www.lids.org/document/build_lids-0.2.html.
20
Gene H. Kim , Eugene H. Spafford, The design and implementation of tripwire: a file system integrity checker, Proceedings of the 2nd ACM Conference on Computer and communications security, p.18-29, November 1994, Fairfax, Virginia, United States  [doi>10.1145/191177.191183]
 
21
Samuel T. King, George W. Dunlap, and Peter M. Chen. Operating System Support for Virtual Machines. In Proceedings of the 2003 USENIX Technical Conference, pages 71--84, June 2003.
 
22
Vladimir Kiriansky , Derek Bruening , Saman P. Amarasinghe, Secure Execution via Program Shepherding, Proceedings of the 11th USENIX Security Symposium, p.191-206, August 05-09, 2002
23
Leslie Lamport, Time, clocks, and the ordering of events in a distributed system, Communications of the ACM, v.21 n.7, p.558-565, July 1978  [doi>10.1145/359545.359563]
24
Butler W. Lampson, A note on the confinement problem, Communications of the ACM, v.16 n.10, p.613-615, Oct. 1973  [doi>10.1145/362375.362389]
 
25
The Honeynet Project, editor. Know your enemy: revealing the security tools, tactics, and motives of the blackhat community. Addison Wesley, August 2001.
 
26
Frank Tip. A survey of program slicing techniques. Journal of Programming Languages, 3(3), 1995.
 
27
W. M. Tyson. DERBI: Diagnosis, Explanation and Recovery from Computer Break-ins. Technical Report DARPA Project F30602-96-C-0295 Final Report, SRI International, Artificial Intelligence Center, January 2001. http://www.dougmoran.com/dmoran/publications.html.
 
28
Larry Wall , Mike Loukides, Programming Perl, O'Reilly & Associates, Inc., Sebastopol, CA, 2000
 
29
Ningning Zhu and Tzi-cker Chiueh. Design, Implementation, and Evaluation of Repairable File Service. In Proceedings of the 2003 International Conference on Dependable Systems and Networks (DSN), June 2003.

CITED BY  37
Arvind Seshadri , Mark Luk , Elaine Shi , Adrian Perrig , Leendert van Doorn , Pradeep Khosla, Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
Jun Xu , Peng Ning , Chongkyung Kil , Yan Zhai , Chris Bookholt, Automatic diagnosis and response to memory corruption vulnerabilities, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
Ashvin Goel , Kenneth Po , Kamran Farhadi , Zheng Li , Eyal de Lara, The taser intrusion recovery system, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
Kiran Lakkaraju , William Yurcik , Adam J. Lee, NVisionIP: netflow visualizations of system state for security situational awareness, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA
Edmund B. Nightingale , Peter M. Chen , Jason Flinn, Speculative execution in a distributed file system, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
Arnar Birgisson , Mohan Dhawan , Úlfar Erlingsson , Vinod Ganapathy , Liviu Iftode, Enforcing authorization policies using transactional memory introspection, Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA
Xiaoqi Jia , Shengzhi Zhang , Jiwu Jing , Peng Liu, Using virtual machines to do cross-layer damage assessment, Proceedings of the 1st ACM workshop on Virtual machine security, October 27-27, 2008, Alexandria, Virginia, USA
Akshat Verma , Kaladhar Voruganti , Ramani Routray , Rohit Jain, SWEEPER: an efficient disaster recovery point identification mechanism, Proceedings of the 6th USENIX Conference on File and Storage Technologies, p.1-16, February 26-29, 2008, San Jose, California
Manuel Egele , Christopher Kruegel , Engin Kirda , Heng Yin , Dawn Song, Dynamic spyware analysis, 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference, p.1-14, June 17-22, 2007, Santa Clara, CA
Jedidiah R. Crandall , Gary Wassermann , Daniela A. S. de Oliveira , Zhendong Su , S. Felix Wu , Frederic T. Chong, Temporal search: detecting hidden malware timebombs with virtual machines, ACM SIGPLAN Notices, v.41 n.11, November 2006
Edmund B. Nightingale , Peter M. Chen , Jason Flinn, Speculative execution in a distributed file system, ACM Transactions on Computer Systems (TOCS), v.24 n.4, p.361-392, November 2006
Andrew Whitaker , Richard S. Cox , Steven D. Gribble, Using time travel to diagnose computer problems, Proceedings of the 11th workshop on ACM SIGOPS European workshop: beyond the PC, September 19-22, 2004, Leuven, Belgium
Xuxian Jiang , Dongyan Xu , Yi-Min Wang, Collapsar: a VM-based honeyfarm and reverse honeyfarm architecture for network attack capture and detention, Journal of Parallel and Distributed Computing, v.66 n.9, p.1165-1180, September 2006
Atul Singh , Petros Maniatis , Timothy Roscoe , Peter Druschel, Using queries for distributed monitoring and forensics, ACM SIGOPS Operating Systems Review, v.40 n.4, October 2006
Michael Bailey , Evan Cooke , Farnam Jahanian , Niels Provos , Karl Rosaen , David Watson, Data reduction for the scalable automated analysis of distributed darknet traffic, Proceedings of the Internet Measurement Conference 2005 on Internet Measurement Conference, p.21-21, October 19-21, 2005, Berkeley, CA
Xuxian Jiang , Dongyan Xu, Collapsar: a VM-based architecture for network attack detention center, Proceedings of the 13th conference on USENIX Security Symposium, p.2-2, August 09-13, 2004, San Diego, CA
Andrew Warfield , Russ Ross , Keir Fraser , Christian Limpach , Steven Hand, Parallax: managing storage for a million machines, Proceedings of the 10th conference on Hot Topics in Operating Systems, p.4-4, June 12-15, 2005, Santa Fe, NM
Brent ByungHoon Kang , Vikram Sharma , Pratik Thanki, RegColl: centralized registry framework for infrastructure system management, Proceedings of the 19th conference on Large Installation System Administration Conference, p.8-8, December 04-09, 2005, San Diego, CA
Stelios Sidiroglou , Michael E. Locasto , Stephen W. Boyd , Angelos D. Keromytis, Building a reactive immune system for software services, Proceedings of the USENIX Annual Technical Conference 2005 on USENIX Annual Technical Conference, p.11-11, April 10-15, 2005, Anaheim, CA
Maxwell Krohn, Building secure high-performance web services with OKWS, Proceedings of the USENIX Annual Technical Conference 2004 on USENIX Annual Technical Conference, p.15-15, June 27-July 02, 2004, Boston, MA
Swapnil Patil , Anand Kashyap , Gopalan Sivathanu , Erez Zadok, FS: An In-Kernel Integrity Checker and Intrusion Detection File System, Proceedings of the 18th USENIX conference on System administration, November 14-19, 2004, Atlanta, GA
Ashvin Goel , Wu-chang Feng , Wu-chi Feng , David Maier, Automatic high-performance reconstruction and recovery, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.5, p.1361-1377, April, 2007
Jake Wires , Michael J. Feeley, Secure file system versioning at the block level, ACM SIGOPS Operating Systems Review, v.41 n.3, June 2007
Shvetank Jain , Fareha Shafique , Vladan Djeric , Ashvin Goel, Application-level isolation and recovery with solitude, ACM SIGOPS Operating Systems Review, v.42 n.4, May 2008
Ramakrishna Kotla , Lorenzo Alvisi , Mike Dahlin , Allen Clement , Edmund Wong, Zyzzyva: speculative byzantine fault tolerance, ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007
Olivier Crameri , Nikola Knezevic , Dejan Kostic , Ricardo Bianchini , Willy Zwaenepoel, Staged deployment in mirage, an integrated software upgrade testing and distribution system, ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007
Jon Oberheide , Evan Cooke , Farnam Jahanian, CloudAV: N-version antivirus in the network cloud, Proceedings of the 17th conference on Security symposium, p.91-106, July 28-August 01, 2008, San Jose, CA
Ashvin Goel , Kamran Farhadi , Kenneth Po , Wu-chang Feng, Reconstructing system state for intrusion analysis, ACM SIGOPS Operating Systems Review, v.42 n.3, April 2008
Ya-Yunn Su , Mona Attariyan , Jason Flinn, AutoBash: improving configuration management with operating system causality analysis, ACM SIGOPS Operating Systems Review, v.41 n.6, December 2007
Jisoo Yang , Kang G. Shin, Using hypervisor to provide data secrecy for user applications on a per-page basis, Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, March 05-07, 2008, Seattle, WA, USA
Heng Yin , Dawn Song , Manuel Egele , Christopher Kruegel , Engin Kirda, Panorama: capturing system-wide information flow for malware detection and analysis, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Chad Verbowski , Emre Kiciman , Arunvijay Kumar , Brad Daniels , Shan Lu , Juhan Lee , Yi-Min Wang , Roussi Roussev, Flight data recorder: monitoring persistent-state interactions to improve systems management, Proceedings of the 7th symposium on Operating systems design and implementation, November 06-08, 2006, Seattle, Washington
Gunjan Khanna , Mike Yu Cheng , Padma Varadharajan , Saurabh Bagchi , Miguel P. Correia , Paulo J. Veríssimo, Automated Rule-Based Diagnosis through a Distributed Monitor System, IEEE Transactions on Dependable and Secure Computing, v.4 n.4, p.266-279, October 2007
Alexander V. Mirgorodskiy , Barton P. Miller, Diagnosing distributed systems with self-propelled instrumentation, Proceedings of the 9th ACM/IFIP/USENIX International Conference on Middleware, December 01-05, 2008, Leuven, Belgium
Pablo Montesinos , Matthew Hicks , Samuel T. King , Josep Torrellas, Capo: a software-hardware interface for practical deterministic multiprocessor replay, ACM SIGPLAN Notices, v.44 n.3, March 2009
Kiran-Kumar Muniswamy-Reddy , David A. Holland, Causality-based versioning, Proccedings of the 7th conference on File and stroage technologies, p.15-28, February 24-27, 2009, San Francisco, California
Mark W. Storer , Kevin M. Greenan , Ethan L. Miller , Kaladhar Voruganti, POTSHARDS—a secure, recoverable, long-term archival storage system, ACM Transactions on Storage (TOS), v.5 n.2, p.1-35, June 2009

INDEX TERMS

Primary Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Information flow controls

Additional Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Invasive software (e.g., viruses, worms, Trojan horses)

  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.4 System Management
          Subjects: Management audit
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Invasive software (e.g., viruses, worms, Trojan horses); Unauthorized access (e.g., hacking, phreaking)


General Terms:
Management, Security


Keywords:
computer forensics, information flow, intrusion analysis

Collaborative Colleagues:
Samuel T. King: colleagues
Peter M. Chen: colleagues
This Article has also been published in:

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player