Analyzing intrusions using operating system level information flow

Authors: Peter M. Chen, Samuel T. King

DOI:

Keywords: Process (computing), State (computer science), Object (computer science), Computer security, Local area network, Sequence, Set (psychology), Executable, Information flow (information theory), Engineering

Abstract: Computers continue to get broken into, so intrusion analysis is a part of most system administrators' job description. System administrators must answer two main questions when analyzing intrusions: "how did the attacker gain access to my system?" and "what did they do after they broke in?". Current tools for analyzing intrusions fall short because they have insufficient information to fully track an attack and cannot separate the actions of attackers from those of legitimate users. We designed and implemented tools that use OS-level information flow to highlight the activities of an attacker. The approach records a collection of causal events which connect operating system objects. These events can be linked to form an information-flow graph that highlights the objects that are part of the attack. Information-flow graphs can be used to help determine how the intruder got into the system and what they compromised. We developed the BackTracker system, which starts with a suspicious object (e.g., a malicious process or a trojaned executable file) and follows the attack back in time through causal events, reconstructing the sequence of events that led to that state. Showing these causally-connected events provides a system-wide view and significantly reduces the amount of data an administrator must examine in order to determine which application was originally exploited. We also developed ForwardTracker, which starts from the application the attacker exploited and tracks forward in time to display the results of the intrusion. Furthermore, we built Bi-directional Distributed BackTracker (BDB), which continues the backward and forward tracking across the network to identify the set of computers on the local area network that have likely been compromised.

References (58)
Dominic G. Lucchetti, Peter M. Chen, Zhuoqing Morley Mao, Samuel T. King. Enriching Intrusion Alerts Through Multi-Host Causality. Network and Distributed System Security Symposium (2005).
Vern Paxson, Yin Zhang. Detecting stepping stones. USENIX Security Symposium, pp. 13-13 (2000).
Frank Tip. A survey of program slicing techniques. Journal of Programming Languages, vol. 3 (1995).
Aleksey Kurchuk, Angelos D. Keromytis. Recursive sandboxes: Extending systrace to empower applications. Information Security Conference, pp. 473-487 (2004). DOI: 10.1007/1-4020-8143-X_31
Tal Garfinkel, Mendel Rosenblum, Kevin Christopher, Ben Pfaff, Jim Chow. Understanding data lifetime via whole system simulation. USENIX Security Symposium, pp. 22-22 (2004).
Robert Firth, Gary Ford, Barbara Fraser, John Kochmar, Suresh Konda. Detecting Signs of Intrusion. Defense Technical Information Center (1997). DOI: 10.21236/ADA329629
Nicholas Nethercote, Julian Seward. Valgrind: A Program Supervision Framework. Electronic Notes in Theoretical Computer Science, vol. 89, pp. 44-66 (2003). DOI: 10.1016/S1571-0661(04)81042-9
Niels Provos. Improving host security with system call policies. USENIX Security Symposium, pp. 18-18 (2003).
Sandeep Bhatkar, R. Sekar, Wei Xu. Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. USENIX Security Symposium, pp. 9- (2006).
K. Ashcraft, D. Engler. Using programmer-written compiler extensions to catch security holes. IEEE Symposium on Security and Privacy, pp. 143-159 (2002). DOI: 10.1109/SECPRI.2002.1004368