Trading elephants for ants: Efficient post-attack reconstitution


Abstract

While security has become a first-class consideration in systems' design and operation, most of the commercial and research efforts have been focused on detection, prevention, and forensic analysis of attacks. Relatively little work has gone into efficient recovery of applications and data after a compromise. Administrators and end-users are faced with the arduous task of cleansing the affected machines. Restoring the system using a snapshot is disruptive and can lead to data loss. In this paper, we present a reconstitution framework that records inter-application communications; by logging only inter-application events, we trade our capability for data provenance and recovery within an application, for performance and the capability to recover long after the intrusion. To achieve this, we employ novel algorithms that compute the data provenance dependencies from the application interactions while minimizing the required state we maintain for system reconstitution. Our experiments show that our prototype requires two to three orders of magnitude less storage for recovery. © 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering.

Le, M., Wang, Z., Jia, Q., Stavrou, A., Ghosh, A. K., & Jajodia, S. (2012). Trading elephants for ants: Efficient post-attack reconstitution. In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering (Vol. 96 LNICST, pp. 460–469). https://doi.org/10.1007/978-3-642-31909-9_27
