2013 | Original Paper | Book chapter
System-Level Support for Intrusion Recovery
Written by: Andrei Bacs, Remco Vermeulen, Asia Slowinska, Herbert Bos
Published in: Detection of Intrusions and Malware, and Vulnerability Assessment
Publisher: Springer Berlin Heidelberg
Recovering from attacks is hard and gets harder as the time between the initial infection and its detection increases. Which files did the attackers modify? Did any user data depend on malicious inputs? Can I still trust my own documents or binaries? When malcode has been active for some time and its actions are mixed with those of benign applications, these questions are impossible to answer on current systems. In this paper, we describe DiskDuster, an attack analysis and recovery system capable of recovering from complicated attacks in a semi-automated manner. DiskDuster traces malcode at byte-level granularity both in memory and on disk in a modified version of QEMU. Using taint analysis, DiskDuster also tracks all bytes written by the malcode, to provide a detailed view of which (bytes in) files derive from malicious data. Next, it uses this information to remove malicious actions at recovery time.
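As an added illustration that is not the authors' DiskDuster code, the following Python toy models the byte-granular disk taint tracking described above: bytes written by malcode are flagged, the flag follows bytes that a benign program later copies, and recovery rolls back only the tainted bytes while benign writes survive. The snapshot-based rollback and all class and function names are this example's own assumptions.

```python
class TaintedDisk:
    """Toy block device: every byte carries a data value and a taint flag."""

    def __init__(self):
        self.data = bytearray()
        self.taint = []          # one bool per byte: does it derive from malcode?
        self.clean = bytes()     # pre-infection image used at recovery (assumption)

    def _grow(self, size):
        if size > len(self.data):
            self.data.extend(b"\x00" * (size - len(self.data)))
            self.taint.extend([False] * (size - len(self.taint)))

    def mark_infection(self):
        """Record the clean image at the moment the malcode starts running."""
        self.clean = bytes(self.data)

    def write(self, offset, payload, taint):
        """taint: one flag for the whole write, or a per-byte list from read()."""
        flags = list(taint) if isinstance(taint, list) else [bool(taint)] * len(payload)
        end = offset + len(payload)
        self._grow(end)
        self.data[offset:end] = payload
        self.taint[offset:end] = flags

    def read(self, offset, length):
        """Return the bytes with their taint so copies inherit it (propagation)."""
        return bytes(self.data[offset:offset + length]), list(self.taint[offset:offset + length])

    def tainted_ranges(self):
        """Half-open (start, end) ranges of bytes that derive from malcode."""
        ranges, start = [], None
        for i, t in enumerate(self.taint + [False]):
            if t and start is None:
                start = i
            elif not t and start is not None:
                ranges.append((start, i))
                start = None
        return ranges

    def recover(self):
        """Roll back only tainted bytes to the clean image; benign writes survive."""
        for start, end in self.tainted_ranges():
            for i in range(start, end):
                self.data[i] = self.clean[i] if i < len(self.clean) else 0
                self.taint[i] = False

def scenario():
    """Constructed sample run: malcode drops bytes, a benign tool copies them."""
    disk = TaintedDisk()
    disk.write(0, b"config=ok;", taint=False)   # benign data written before infection
    disk.mark_infection()
    disk.write(10, b"EVIL", taint=True)          # malcode writes 4 bytes at offset 10
    chunk, flags = disk.read(8, 6)               # benign tool reads "k;EVIL": 2 clean + 4 tainted
    disk.write(20, chunk, taint=flags)           # ...and copies it; taint follows the bytes
    disk.write(0, b"CONFIG", taint=False)        # benign edit after infection, must survive
    before = disk.tainted_ranges()               # [(10, 14), (22, 26)]
    disk.recover()
    return before, bytes(disk.data), disk.tainted_ranges()
```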