| Recovery from intrusions is typically a very time-consuming and error-prone task because the precise details of an attack may not be known. The wide availability of attack toolkits that install modified utility programs and erase log files to hide an attack further complicates this problem. This thesis explores a fast and accurate method for determining intrusion activity for file-system recovery. Given an audit log of all system activities, our approach uses dependency analysis to determine the set of intrusion-related activities. This approach effectively detects all attack-related activities, but it can falsely mark legitimate activities as related to an intrusion. Hence, we propose various enhancements to improve the accuracy of the analysis. This approach is implemented as part of the Taser intrusion recovery system. Our evaluation shows that Taser is effective in recovering from the damage caused by a wide range of intrusions and system management errors. |
