Article

Forensic Analysis of File System Intrusions Using Improved Backtracking

Authors:

Sriranjani Sitaraman,

S. VenkatesanAuthors Info & Claims

IWIA '05: Proceedings of the Third IEEE International Workshop on Information Assurance

Pages 154 - 163

https://doi.org/10.1109/IWIA.2005.9

Published: 23 March 2005 Publication History

Publisher Site

Abstract

Intrusion detection systems alert the system administrators of intrusions but, in most cases, do not provide details about which system events are relevant to the intrusion and how the system events are related. We consider intrusions of file systems. Existing tools, like BackTracker, help the system administrator backtrack from the detection point, which is a file with suspicious contents, to possible entry points of the intrusion by providing a graph containing dependency information between the various files and processes that could be related to the detection point. We improve such backtracking techniques by logging certain additional parameters of the file system during normal operations (real-time) and examining the logged information during the analysis phase. In addition, we use data flow analysis within the processes related to the intrusion to prune unwanted paths from the dependency graph. This results in significant reduction in search space, search time, and false positives. We also analyze the effort required in terms of storage space and search time.

Cited By

View all

Wang FKwon YMa SZhang XXu D(2018)LprovProceedings of the 34th Annual Computer Security Applications Conference10.1145/3274694.3274751(605-617)Online publication date: 3-Dec-2018
https://dl.acm.org/doi/10.1145/3274694.3274751
Tang YLi DLi ZZhang MJee KXiao XWu ZRhee JXu FLi QLie DMannan MBackes MWang X(2018)NodeMergeProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security10.1145/3243734.3243763(1324-1337)Online publication date: 15-Oct-2018
https://dl.acm.org/doi/10.1145/3243734.3243763
(2017)A survey on forensic event reconstruction systemsInternational Journal of Information and Computer Security10.1504/IJICS.2017.0875659:4(337-360)Online publication date: 1-Jan-2017
https://dl.acm.org/doi/10.1504/IJICS.2017.087565
Show More Cited By

Index Terms

Forensic Analysis of File System Intrusions Using Improved Backtracking

Recommendations

Backtracking intrusions

Analyzing intrusions today is an arduous, largely manual task because system administrators lack the information and tools needed to understand easily the sequence of steps that occurred in an attack. The goal of BackTracker is to identify automatically ...
Backtracking intrusions
SOSP '03: Proceedings of the nineteenth ACM symposium on Operating systems principles

Analyzing intrusions today is an arduous, largely manual task because system administrators lack the information and tools needed to understand easily the sequence of steps that occurred in an attack. The goal of BackTracker is to identify automatically ...
Backtracking intrusions
SOSP '03

Analyzing intrusions today is an arduous, largely manual task because system administrators lack the information and tools needed to understand easily the sequence of steps that occurred in an attack. The goal of BackTracker is to identify automatically ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

IWIA '05: Proceedings of the Third IEEE International Workshop on Information Assurance

March 2005

167 pages

ISBN:076952317X

Publisher

IEEE Computer Society

United States

Publication History

Published: 23 March 2005

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

12
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 11 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Wang FKwon YMa SZhang XXu D(2018)LprovProceedings of the 34th Annual Computer Security Applications Conference10.1145/3274694.3274751(605-617)Online publication date: 3-Dec-2018
https://dl.acm.org/doi/10.1145/3274694.3274751
Tang YLi DLi ZZhang MJee KXiao XWu ZRhee JXu FLi QLie DMannan MBackes MWang X(2018)NodeMergeProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security10.1145/3243734.3243763(1324-1337)Online publication date: 15-Oct-2018
https://dl.acm.org/doi/10.1145/3243734.3243763
(2017)A survey on forensic event reconstruction systemsInternational Journal of Information and Computer Security10.1504/IJICS.2017.0875659:4(337-360)Online publication date: 1-Jan-2017
https://dl.acm.org/doi/10.1504/IJICS.2017.087565
Xu ZWu ZLi ZJee KRhee JXiao XXu FWang HJiang GWeippl EKatzenbeisser SKruegel CMyers AHalevi S(2016)High Fidelity Data Reduction for Big Data Security Dependency AnalysesProceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security10.1145/2976749.2978378(504-516)Online publication date: 24-Oct-2016
https://dl.acm.org/doi/10.1145/2976749.2978378
Xiao GWang JLiu PMing JWu DBertino ESandhu RPretschner A(2016)Program-object Level Data Flow Analysis with Applications to Data Leakage and Contamination ForensicsProceedings of the Sixth ACM Conference on Data and Application Security and Privacy10.1145/2857705.2857747(277-284)Online publication date: 9-Mar-2016
https://dl.acm.org/doi/10.1145/2857705.2857747
Ma SLee KKim CRhee JZhang XXu D(2015)Accurate, Low Cost and Instrumentation-Free Security Audit Logging for WindowsProceedings of the 31st Annual Computer Security Applications Conference10.1145/2818000.2818039(401-410)Online publication date: 7-Dec-2015
https://dl.acm.org/doi/10.1145/2818000.2818039
Ritzdorf HKarapanos NČapkun SPayne CHahn AButler KSherr M(2014)Assisted deletion of related contentProceedings of the 30th Annual Computer Security Applications Conference10.1145/2664243.2664287(206-215)Online publication date: 8-Dec-2014
https://dl.acm.org/doi/10.1145/2664243.2664287
Lee KZhang XXu DSadeghi AGligor VYung M(2013)LogGCProceedings of the 2013 ACM SIGSAC conference on Computer & communications security10.1145/2508859.2516731(1005-1016)Online publication date: 4-Nov-2013
https://dl.acm.org/doi/10.1145/2508859.2516731
Huang YStavrou AGhosh AJajodia SNieh JStavrou A(2008)Efficiently tracking application interactions using lightweight virtualizationProceedings of the 1st ACM workshop on Virtual machine security10.1145/1456482.1456486(19-28)Online publication date: 27-Oct-2008
https://dl.acm.org/doi/10.1145/1456482.1456486
Peisert SBishop MMarzullo K(2008)Computer forensics in forensisACM SIGOPS Operating Systems Review10.1145/1368506.136852142:3(112-122)Online publication date: 1-Apr-2008
https://dl.acm.org/doi/10.1145/1368506.1368521
Show More Cited By

Abstract

Cited By

Index Terms

Recommendations

Backtracking intrusions

Backtracking intrusions

Backtracking intrusions

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations