Description: Intrusion recovery is the entire process associated with handling an intrusion. In addition to analyzing vulnerabilities that were exploited, it involves rebuilding machines. Currently, rebuilding exploited machines requires the installation of a new system image that includes the operating system and all applications, installation of software patches that fix known vulnerabilities and retrieval of uncorrupted user data. Each of the steps in this process is very time-intensive.
The goal of this project is to simplify and reduce the time needed to recover from intrusions. A simple recovery method is to use a snapshot taken before an attack to revert the effects of all system activities since the intrusion. This method gets rid of all corrupted data, but unfortunately, it also gets rid of all useful data generated since the attack that is not related to the intrusion. All such new data must then be retrieved and recovered separately.
In this project, we have designed and implemented a recovery system called Taser that helps automatically revert intrusion activity without affecting data that is unrelated to intrusions. Taser uses the Forensix system, described below, to collect a complete log of all system-level activities. Then it uses a taint analysis method on the log to determine suspicious sessions and activities that are related to the intrusion. Finally, it only reverts these suspicious activities.
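The taint-analysis step described above, as an added illustration rather than Taser's own code: a constructed system-activity log is processed in time order, taint is propagated forward from the session identified as suspicious, and the result separates the file writes that must be reverted from the unrelated writes that a whole-system snapshot rollback would needlessly discard. The log entries, process and file names, and the three dependency rules (fork, write, read) are simplifications assumed for this example.

```python
# Simplified model of log-based taint analysis for selective intrusion recovery.
# Added illustration only; the rules below are a simplification, not Taser's.

# Constructed log: (seq, op, subject, object), subjects are "name:pid".
LOG = [
    (1, "fork",  "sshd:10",   "shell:20"),               # suspicious login session
    (2, "write", "shell:20",  "/etc/passwd"),
    (3, "fork",  "shell:20",  "wget:21"),
    (4, "write", "wget:21",   "/tmp/rootkit"),
    (5, "read",  "cron:30",   "/tmp/rootkit"),           # daemon reads tainted file
    (6, "write", "cron:30",   "/var/log/cron"),
    (7, "write", "editor:40", "/home/alice/report.txt"), # legitimate work, untainted
    (8, "read",  "editor:40", "/etc/passwd"),            # editor now becomes tainted
    (9, "write", "editor:40", "/home/alice/notes.txt"),  # ... so this write is tainted
]

def taint_analysis(log, suspicious):
    """Propagate taint forward in log order, starting from the suspicious objects.

    Rules (assumed): a tainted process taints what it forks and what it writes;
    a process that reads a tainted file becomes tainted from that point on.
    Returns (tainted objects, list of (seq, file) writes to revert)."""
    tainted = set(suspicious)
    to_revert = []
    for seq, op, subj, obj in sorted(log):
        if op == "fork" and subj in tainted:
            tainted.add(obj)
        elif op == "write" and subj in tainted:
            tainted.add(obj)
            to_revert.append((seq, obj))
        elif op == "read" and obj in tainted:
            tainted.add(subj)
    return tainted, to_revert

def recovery_plan(log, suspicious):
    """Split written files into those to restore from the pre-intrusion
    snapshot and those whose writes are unrelated and should be kept."""
    _, to_revert = taint_analysis(log, suspicious)
    revert_files = {f for _, f in to_revert}
    keep = {obj for _, op, _, obj in log if op == "write" and obj not in revert_files}
    return revert_files, keep

if __name__ == "__main__":
    revert, keep = recovery_plan(LOG, {"shell:20"})
    print("revert:", sorted(revert))
    print("keep:  ", sorted(keep))
```

Note that the write at seq 7 is kept while the write at seq 9 by the same process is reverted: taint is a property of time order in the log, which is what lets the analysis preserve work done before a process touched intrusion-related data.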
We have released Taser under a GPL licence. The latest Taser release is available for download via svn at the Taser sourceforge web site.
Funding: NSERC
Project Team: Ashvin Goel, Kenneth Po, Kamran Farhadi, Zheng Li, Eyal de Lara
Publications:
URL: http://forensix.sourceforge.net/
Status: Active.