ABSTRACT
Analyzing intrusions today is an arduous, largely manual task because system administrators lack the information and tools needed to understand easily the sequence of steps that occurred in an attack. The goal of BackTracker is to identify automatically potential sequences of steps that occurred in an intrusion. Starting with a single detection point (e.g., a suspicious file), BackTracker identifies files and processes that could have affected that detection point and displays chains of events in a dependency graph. We use BackTracker to analyze several real attacks against computers that we set up as honeypots. In each case, BackTracker is able to highlight effectively the entry point used to gain access to the system and the sequence of steps from that entry point to the point at which we noticed the intrusion. The logging required to support BackTracker added 9% overhead in running time and generated 1.2 GB per day of log data for an operating-system intensive workload.
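The abstract describes the core mechanism: from one detection point, walk the logged OS events backwards to find the processes, files and sockets that could have affected it, and display the result as a dependency graph. The following is an added example, not code from the BackTracker paper or its kernel logger, showing that backward traversal on a small constructed event log. Object names, the event tuple format and the sample events are assumptions made for illustration; the key detail it demonstrates is the time bound: an event can only contribute if it happened before the state of its target object mattered, which is what keeps unrelated and later activity out of the graph.

```python
"""Backward dependency tracking from a single detection point.

Added example, not code from the BackTracker paper: a toy version of the
idea the abstract describes. It starts at one detection point (an object
and the time the administrator noticed it), walks the event log backwards
to find every process, file or socket that could have affected that object,
and returns the edges of the resulting dependency graph.

The event format, object names and the sample log below are constructed
for illustration; real BackTracker logs come from kernel hooks.
"""
from collections import defaultdict

# One event per line: (time, source, sink, description), meaning "source
# affects sink at time t": a process writing a file (proc -> file), a
# process reading a file or socket (file/sock -> proc), a fork/exec
# (proc -> proc). Constructed sample log of a hypothetical intrusion.
EVENTS = [
    (1, "sock:203.0.113.9:4321", "proc:httpd[812]", "socket read"),
    (2, "proc:httpd[812]", "proc:sh[901]", "fork/exec"),
    (3, "proc:sh[901]", "file:/tmp/.x", "write"),
    (4, "file:/etc/hostname", "proc:sh[901]", "read"),
    (5, "proc:sh[901]", "proc:x[915]", "fork/exec"),
    (6, "file:/tmp/.x", "proc:x[915]", "exec image read"),
    (7, "proc:x[915]", "file:/etc/passwd", "write"),
    (8, "proc:cron[77]", "file:/var/log/cron", "write"),  # unrelated
    (9, "file:/etc/passwd", "proc:cat[990]", "read"),  # reader, not a cause
    (10, "proc:vi[1001]", "file:/etc/passwd", "write"),  # after detection
]


def backtrack(events, detection_object, detection_time):
    """Return the sorted dependency-graph edges that could have led to
    `detection_object` being in the state observed at `detection_time`."""
    by_sink = defaultdict(list)
    for ev in events:
        by_sink[ev[2]].append(ev)

    # bound[obj] = latest time at which obj's state can still matter.
    bound = {detection_object: detection_time}
    worklist = [detection_object]
    edges = set()
    while worklist:
        obj = worklist.pop()
        for t, src, sink, desc in by_sink[obj]:
            if t > bound[obj]:
                continue  # too late to have influenced the observed state
            edges.add((t, src, sink, desc))
            # src's state at time t matters, so widen its bound if needed;
            # a raised bound means src must be (re)visited.
            if t > bound.get(src, -1):
                bound[src] = t
                worklist.append(src)
    return sorted(edges)


def roots(edges):
    """Objects in the graph that nothing else in the graph affected: the
    candidates for the entry point (pre-existing files show up here too)."""
    sources = {src for _, src, _, _ in edges}
    sinks = {sink for _, _, sink, _ in edges}
    return sources - sinks


def render(edges):
    """One text line per edge, in time order, for a quick look at a graph."""
    return [f"t={t}: {src} -> {sink} ({desc})" for t, src, sink, desc in edges]


if __name__ == "__main__":
    # Detection point: /etc/passwd looked wrong when it was checked at time 8.
    graph = backtrack(EVENTS, "file:/etc/passwd", detection_time=8)
    print("\n".join(render(graph)))
    print("roots:", sorted(roots(graph)))
```

Run with the constructed log, the traversal keeps events 1 through 7 (socket to httpd, fork of sh, the dropped file, the exec of it, the write to /etc/passwd) and discards the cron write, the later read by cat and the write at time 10 that happened after the detection time. The roots of the graph are the remote socket and /etc/hostname: the graph lists every potential contributor, and the analyst picks out the network connection as the entry point, which is the kind of judgement the abstract leaves to the administrator.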
REFERENCES
- Steps for Recovering from a UNIX or NT System Compromise. Technical report, CERT Coordination Center, April 2000. http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
- Detecting Signs of Intrusion. Technical Report CMU/SEI-SIM-009, CERT Coordination Center, April 2001. http://www.cert.org/security-improvement/modules/m09.html
- L-133: Sendmail Debugger Arbitrary Code Execution Vulnerability. Technical report, Computer Incident Advisory Capability, August 2001. http://www.ciac.org/ciac/bulletins/l-133.shtml
- CERT/CC Overview Incident and Vulnerability Trends. Technical report, CERT Coordination Center, April 2002. http://www.cert.org/present/cert-overview-trends/
- Multiple Vulnerabilities In OpenSSL. CERT Advisory CA-2002-23, CERT Coordination Center, July 2002. http://www.cert.org/advisories/CA-2002-23.html
- Paul Ammann, Sushil Jajodia, and Peng Liu. Recovery from Malicious Transactions. IEEE Transactions on Knowledge and Data Engineering, 14(5):1167--1185, September 2002.
- Ken Ashcraft and Dawson Engler. Using Programmer-Written Compiler Extensions to Catch Security Holes. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002.
- Kerstin Buchacker and Volkmar Sieh. Framework for testing the fault-tolerance of systems including OS and network aspects. In Proceedings of the 2001 IEEE Symposium on High Assurance System Engineering (HASE), pages 95--105, October 2001.
- Bill Cheswick. An Evening with Berferd in Which a Cracker is Lured, Endured, and Studied. In Proceedings of the Winter 1992 USENIX Technical Conference, pages 163--174, January 1992.
- Alan M. Christie. The Incident Detection, Analysis, and Response (IDAR) Project. Technical report, CERT Coordination Center, July 2002. http://www.cert.org/idar
- Dorothy E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236--243, May 1976.
- George W. Dunlap, Samuel T. King, Sukru Cinar, Murtaza Basrai, and Peter M. Chen. ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay. In Proceedings of the 2002 Symposium on Operating Systems Design and Implementation (OSDI), pages 211--224, December 2002.
- Dan Farmer. What are MACtimes? Dr. Dobb's Journal, October 2000.
- Dan Farmer. Bring out your dead. Dr. Dobb's Journal, January 2001.
- Dan Farmer and Wietse Venema. Forensic computer analysis: an introduction. Dr. Dobb's Journal, September 2000.
- Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji, and Thomas A. Longstaff. A sense of self for Unix processes. In Proceedings of the 1996 IEEE Symposium on Security and Privacy, 1996.
- Tal Garfinkel and Mendel Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proceedings of the 2003 Network and Distributed System Security Symposium (NDSS), February 2003.
- Ian Goldberg, David Wagner, Randi Thomas, and Eric A. Brewer. A Secure Environment for Untrusted Helper Applications. In Proceedings of the 1996 USENIX Technical Conference, July 1996.
- Xie Huagang. Build a secure system with LIDS, 2000. http://www.lids.org/document/build_lids-0.2.html
- Gene H. Kim and Eugene H. Spafford. The design and implementation of Tripwire: a file system integrity checker. In Proceedings of the 1994 ACM Conference on Computer and Communications Security (CCS), November 1994.
- Samuel T. King, George W. Dunlap, and Peter M. Chen. Operating System Support for Virtual Machines. In Proceedings of the 2003 USENIX Technical Conference, pages 71--84, June 2003.
- Vladimir Kiriansky, Derek Bruening, and Saman Amarasinghe. Secure Execution Via Program Shepherding. In Proceedings of the 2002 USENIX Security Symposium, August 2002.
- Leslie Lamport. Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM, 21(7):558--565, July 1978.
- Butler W. Lampson. A Note on the Confinement Problem. Communications of the ACM, 16(10):613--615, October 1973.
- The Honeynet Project, editor. Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. Addison Wesley, August 2001.
- Frank Tip. A survey of program slicing techniques. Journal of Programming Languages, 3(3), 1995.
- W. M. Tyson. DERBI: Diagnosis, Explanation and Recovery from Computer Break-ins. Technical Report DARPA Project F30602-96-C-0295 Final Report, SRI International, Artificial Intelligence Center, January 2001. http://www.dougmoran.com/dmoran/publications.html
- Larry Wall, Tom Christiansen, and Jon Orwant. Programming Perl, 3rd edition. O'Reilly & Associates, July 2000.
- Ningning Zhu and Tzi-cker Chiueh. Design, Implementation, and Evaluation of Repairable File Service. In Proceedings of the 2003 International Conference on Dependable Systems and Networks (DSN), June 2003.
Index Terms
- Backtracking intrusions
Backtracking intrusions (SOSP '03)