TY - GEN
T1 - System-level support for intrusion recovery
AU - Bacs, A.
AU - Vermeulen, R.
AU - Slowinska, J.M.
AU - Bos, H.J.
PY - 2013
Y1 - 2013
AB - Recovering from attacks is hard and gets harder as the time between the initial infection and its detection increases. Which files did the attackers modify? Did any user data depend on malicious inputs? Can I still trust my own documents or binaries? When malcode has been active for some time and its actions are mixed with those of benign applications, these questions are impossible to answer on current systems. In this paper, we describe DiskDuster, an attack analysis and recovery system capable of recovering from complicated attacks in a semi-automated manner. DiskDuster traces malcode at byte-level granularity both in memory and on disk in a modified version of QEMU. Using taint analysis, DiskDuster also tracks all bytes written by the malcode, to provide a detailed view on which (bytes in) files derive from malicious data. Next, it uses this information to remove malicious actions at recovery time.
KW - Attack recovery
KW - dynamic taint analysis
UR - http://www.scopus.com/inward/record.url?scp=84875647663&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84875647663&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-37300-8_9
DO - 10.1007/978-3-642-37300-8_9
M3 - Conference contribution
SN - 9783642372995
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 144
EP - 163
BT - Detection of Intrusions and Malware, and Vulnerability Assessment
A2 - Flegel, Ulrich
A2 - Markatos, Evangelos
A2 - Robertson, William
PB - Springer Verlag
T2 - 9th GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA 2012
Y2 - 26 July 2012 through 27 July 2012
ER -