Author: Andrew Harrison Gross
DOI:
Keywords:
Abstract: Concern is growing about the misuse of computers and their resources. Although most efforts in computer security focus on detecting violations, understanding what the misuser's interest is and what methods are used aids detection, assessment, and recovery. In the case of misuse, determining whether the actions involved destruction or falsification of data would affect the response, e.g., legal prosecution or fortifying precautionary and recovery procedures. In the case of an intrusion, knowing the specific flaw exploited could allow prevention or detection of future exploits. An accurate assessment of the intruder's skill and potential threat, based on his or her actions, gives the site information it can use to bolster protective measures and system auditing. We present a method for reconstructing an offender's actions. This requires modelling the system in order to understand how it evolves, and how residual information enables derivation of (parts of) prior states and state transitions. The major questions addressed are which relevant state transitions can be reconstructed, and how much of a session is needed to complete the reconstruction. As part of reconstruction, we may need to recover deleted files. In an intrusion, critical files are routinely deleted, such as the tools used in the attack and log files. We model a general file system and present techniques for characterizing and identifying file data. We provide an ordering of the identified data in addition to the structure of the file being recovered. Recovering these files is a useful exercise in applying the principles of reconstruction. We apply our results to the UNIX operating system, as it is popular and was originally designed for a friendly environment. We explore the memory traces left in the wake of tools after they are used. A real world example highlights the application. We discuss various ways of recovering files, and modifications that would enable more reliable recovery. Techniques for augmenting logging and auditing are presented.