System-level support for intrusion recovery

A. Bacs*, R. Vermeulen, J.M. Slowinska, H.J. Bos

*Corresponding author for this work

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review


Recovering from attacks is hard and gets harder as the time between the initial infection and its detection increases. Which files did the attackers modify? Did any of user data depend on malicious inputs? Can I still trust my own documents or binaries? When malcode has been active for some time and its actions are mixed with those of benign applications, these questions are impossible to answer on current systems. In this paper, we describe DiskDuster, an attack analysis and recovery system capable of recovering from complicated attacks in a semi-automated manner. DiskDuster traces malcode at byte-level granularity both in memory and on disk in a modified version of QEMU. Using taint analysis, DiskDuster also tracks all bytes written by the malcode, to provide a detailed view on what (bytes in) files derive from malicious data. Next, it uses this information to remove malicious actions at recovery time.

Original languageEnglish
Title of host publicationDetection of Intrusions and Malware, and Vulnerability Assessment
Subtitle of host publication9th International Conference, DIMVA 2012, Heraklion, Crete, Greece, July 26-27, 2012, Revised Selected Papers
EditorsUlrich Flegel, Evangelos Markatos, William Robertson
PublisherSpringer Verlag
Number of pages20
ISBN (Electronic)9783642373008
ISBN (Print)9783642372995
Publication statusPublished - 2013
Event9th GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA 2012 - Heraklion, Crete, Greece
Duration: 26 Jul 201227 Jul 2012

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7591 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference9th GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA 2012
CityHeraklion, Crete


  • Attack recovery
  • dynamic taint analysis


Dive into the research topics of 'System-level support for intrusion recovery'. Together they form a unique fingerprint.

Cite this