Abstract: Intrusion detection has been studied extensively from different perspectives over the last three decades. In this paper, we present a tool called Malfor (short for MALware FORensics), which avoids some drawbacks of existing systems by using experimental methods. Malfor captures events (processes, in our case) while the system is running. As soon as a break-in is detected, Malfor uses these events to replay the system partially. By cleverly choosing which events to repeat, we isolate those relevant to the break-in. The system thus uses experimental methods to analyse intrusions automatically. It can be used on production systems and is especially suitable for the analysis of targeted attacks.
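The abstract's central idea, isolating the events relevant to a break-in by repeatedly replaying subsets of the captured trace and observing whether the break-in still occurs, is an instance of delta debugging. The following Python block is an added illustration written for this page; it is not Malfor's code, and the abstract does not describe Malfor's actual replay mechanism or detector. The process trace, the toy replay semantics (a process runs only if its parent process ran in the same replay) and the detector oracle are all constructed for the example; the minimiser is the standard ddmin algorithm applied to a list of events.

```python
"""Isolating break-in-relevant events by automated experiments (ddmin).

Added example, not Malfor's code. The trace, the replay semantics and the
detector below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, List, Sequence, Set


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int   # parent process id; 0 marks a root process
    cmd: str


# Constructed process trace in capture order (PIDs and commands are made up).
TRACE: List[Event] = [
    Event(1, 0, "init"),
    Event(2, 1, "cron"),
    Event(3, 1, "sshd"),
    Event(4, 1, "httpd"),
    Event(5, 2, "logrotate"),
    Event(6, 4, "httpd-worker"),
    Event(7, 3, "bash"),          # administrator's legitimate login shell
    Event(8, 6, "sh"),            # shell spawned by a web worker
    Event(9, 7, "vim"),
    Event(10, 8, "chmod-setuid"), # the action that makes the detector fire
    Event(11, 5, "gzip"),
]

ALERT_PID = 10  # constructed: the detector keys on this process running


def replay(subset: Sequence[Event]) -> Set[int]:
    """Toy partial replay: a process runs only if it is a root process or its
    parent ran in this replay. `subset` keeps capture order, so parents come
    before their children."""
    ran: Set[int] = set()
    for ev in subset:
        if ev.ppid == 0 or ev.ppid in ran:
            ran.add(ev.pid)
    return ran


def break_in_detected(subset: Sequence[Event]) -> bool:
    """Constructed detector oracle: the alert fires iff the flagged process
    actually executed during the replay."""
    return ALERT_PID in replay(subset)


def ddmin(events: Sequence[Event],
          fails: Callable[[Sequence[Event]], bool]) -> List[Event]:
    """Standard delta-debugging minimiser: returns a 1-minimal sub-sequence of
    `events` for which `fails` still returns True (here: the break-in still
    reproduces). Order of the surviving events is preserved."""
    events = list(events)
    if not fails(events):
        raise ValueError("full trace must reproduce the break-in")
    n = 2  # granularity: number of chunks the trace is split into
    while len(events) >= 2:
        chunk = len(events) // n
        reduced = False
        start = 0
        while start < len(events):
            # Experiment: replay everything except one chunk.
            complement = events[:start] + events[start + chunk:]
            if fails(complement):
                events = complement          # chunk was irrelevant; drop it
                n = max(n - 1, 2)
                reduced = True
                break
            start += chunk
        if not reduced:
            if n >= len(events):
                break                        # single events cannot be removed
            n = min(n * 2, len(events))      # refine granularity and retry
    return events


def isolate_break_in(trace: Sequence[Event] = TRACE,
                     oracle: Callable[[Sequence[Event]], bool] = break_in_detected
                     ) -> List[Event]:
    """Return the minimal set of captured events whose replay reproduces the
    break-in: here the chain init -> httpd -> httpd-worker -> sh -> chmod-setuid."""
    return ddmin(trace, oracle)


if __name__ == "__main__":
    for ev in isolate_break_in():
        print(f"pid={ev.pid:<3} ppid={ev.ppid:<3} {ev.cmd}")
```

Running the block prints only the five events on the path from `init` to the flagged process; the administrator's `bash`/`vim` session, `cron` and `sshd` are discarded because replaying the trace without them still reproduces the alert. The oracle is the expensive part in a real system, since every experiment is a replay, which is why the choice of which chunks to drop first matters.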