Tracing worm break-in and contaminations via process coloring: A provenance-preserving approach

IEEE Transactions on Parallel and Distributed Systems

Volumn 19, Issue 7, 2008, Pages 890-902

  Jiang, Xuxian ^a   Buchholz, Florian ^b   Walters, Aaron ^c   Xu, Dongyan ^c   Wang, Yi Min ^d   Spafford, Eugene H ^c  

^a Krasnow Institute for Advanced Study   (United States)

^b JAMES MADISON UNIVERSITY   (United States)

^c Purdue University   (United States)

^d MICROSOFT   (United States)

Author keywords

Computer forensics; Internet worm; Networked server; Process coloring; System monitoring

Indexed keywords

COMPUTER FORENSICS; INTERNET WORM; NETWORKED SERVER; PROCESS COLORING; SYSTEM MONITORING;

COLOR; COLORING; COMPUTER WORMS; DATA STORAGE EQUIPMENT; INTERNET;

SERVERS;

EID: 64349114055     PISSN: 10459219     EISSN: None     Source Type: Journal    
DOI: 10.1109/TPDS.2007.70765     Document Type: Article

References (49)

1. Linux Adore Worms, http://securityresponse.symantec.com/avcenter/ venc/data/linux.adore.worm.htm, 2007.
2. Linux Ramen Worm, http://service1.symantec.com/sarc/sarc.nsf/html/ pf/linux.ramen.worm.html, 2007.
3. SANS Institute: Lion Worm, http://www.sans.com/y2k/lion.htm, 2007.
4. Sebek, http://www.honeynet.org/tools/sebek/, 2007.
5. The Honeynet Project, http://www.honeynet.org, 2007.
6. The Strange Decline of Computer Worms, http:// www.theregister.co.uk/2005/03/17/f-secure_websec/print.html, 2007.
7. Virus Writers Get Stealthy, http://news.zdnet.co.uk/internet/ security/0,39020375,39191840,00.htm, 2007.
8. SARS Worms, http://www.xfocus.net/tools/200306/413.html, June 2003.
9. P. Ammann, S. Jajodia, and P. Liu, "Recovery from Malicious Transactions," IEEE Trans. Knowledge and Data Eng., vol. 14, no. 5, pp. 1167-1185, Sept. 2002.
10. D. Bell and L. LaPadula, "MITRE Technical Report 2547 (Secure Computer System): Volume II," J. Computer Security, vol. 4, nos. 2/3, pp. 239-263, 1996.
11. F. Buchholz, "Pervasive Binding of Labels to System Processes," PhD dissertation, Purdue Univ., also as CERIAS Technical Report 2005-54, 2005.
12. F. Buchholz and E.H. Spafford, "On the Role of File System Metadata in Digital Forensics," J. Digital Investigation, Dec. 2004.
13. J. Butler, Direct Kernel Object Manipulation (DKOM), http:// www.blackhat.com/presentations/win-usa-04/bh-win-04-butler.pdf, 2004.
14. J. Chow, B. Pfaff, T. Garfinkel, K. Christopher, and M. Rosenblum, "Understanding Data Lifetime via Whole System Simulation," Proc. 13th Usenix Security Symp., Aug. 2004.
15. J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum, "Shredding Your Garbage: Reducing Data Lifetime through Secure Deallocation," Proc. 14th Usenix Security Symp., Aug. 2005.
16. D.R. Clark and D.R. Wilson, "A Comparison of Commercial and Military Computer Security Policies," Proc. IEEE Symp. Security and Privacy (S&P '87), pp. 184-194, 1987.
17. D.E. Denning, "A Lattice Model of Secure Information Flow," Comm. ACM, vol. 19, pp. 236-243, May 1976.
18. J. Dike, User Mode Linux, http://user-mode-linux.sourceforge.net, 2007.
19. M. Dornseif, T. Holz, and C. Klein, "NoSEBrEaK - Attacking Honeynets," Proc. Fifth Ann. IEEE Information Assurance Workshop, June 2004.
20. B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, I. Pratt, A. Warfield, P. Barham, and R. Neugebauer, "Xen and the Art of Virtualization," Proc. 19th ACM Symp. Operating Systems Principles (SOSP '03), Oct. 2003.
21. G.W. Dunlap, S.T. King, S. Cinar, M.A. Basrai, and P.M. Chen, "ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay," Proc. Fifth Symp. Operating Systems Design and Implementation (OSDI '02), Dec. 2002.
22. R. Uhlig et al., "Intel Virtualization Technology," Computer, special issue on virtualization technology, May 2005.
23. T. Garfinkel and M. Rosenblum, "A Virtual Machine Introspection Based Architecture for Intrusion Detection," Proc. Network and Distributed System Security Symp. (NDSS '03), Feb. 2003.
24. A. Goel, W.-C. Feng, D. Maier, W.-C. Feng, and J. Walpole, "Forensix: A Robust, High-Performance Reconstruction System," Proc. Second Int'l Workshop Security in Distributed Computing Systems (SDCS '05), June 2005.
25. A. Goel, K. Po, K. Farhadi, Z. Li, and E. de Lara, "The Taser Intrusion Recovery System," Proc. 20th ACM Symp. Operating Systems Principles (SOSP '05), Oct. 2005.
26. J.A. Goguen and J. Meseguer, "Security Policies and Security Models," Proc. IEEE Symp. Security and Privacy (S&P '82), pp. 11-20, 1982.
27. J. Grizzard, J. Levine, and H. Owen, "Re-Establishing Trust in Compromised Systems: Recovering from Rootkits that Trojan the System Call Table," Proc. Ninth European Symp. Research in Computer Security (ESORICS '04), Sept. 2004.
28. V. Halder, D. Chandra, and M. Franz, "Practical, Dynamic Information Flow for Virtual Machines," Proc. Second Int'l Workshop Programming Language Interference and Dependence (PLID '05), 2005.
29. X. Jiang, D. Xu, H.J. Wang, and E.H. Spafford, "Virtual Playgrounds for Worm Behavior Investigation," Proc. Eighth Int'l Symp. Recent Advances in Intrusion Detection (RAID '05), Sept. 2005.
30. X. Jiang and D. Xu, "Collapsar: A VM-Based Architecture for Network Attack Detention Center," Proc. 13th Usenix Security Symp., Aug. 2004.
31. S.T. King and P.M. Chen, "Backtracking Intrusions," Proc. 19th ACM Symp. Operating Systems Principles (SOSP '03), Oct. 2003.
32. S.T. King, G.W. Dunlap, and P.M. Chen, "Debugging Operating Systems with Time-Traveling Virtual Machines," Proc. Usenix Ann. Technical Conf., Apr. 2005.
33. S.T. King, Z.M. Mao, D.G. Lucchetti, and P.M. Chen, "Enriching Intrusion Alerts through Multi-Host Causality," Proc. Network and Distributed System Security Symp. (NDSS '05), Feb. 2005.
34. B. Lampson, "Protection," Proc. Fifth Princeton Conf. Information Sciences and Systems, pp. 437-443, 1971.
35. Z. Liang, V.N. Venkatakrishnan, and R. Sekar, "Isolated Program Execution: An Application Transparent Approach for Executing Untrusted Programs," Proc. 19th Ann. Computer Security Applications Conf. (ACSAC '03), Dec. 2003.
36. L. McVoy and C. Staelin, "LMbench: Portable Tools for Performance Analysis," Proc. Usenix Ann. Technical Conf., 1996.
37. A.C. Myers, "JFlow: Practical Mostly-Static Information Flow Control," Proc. 26th ACM SIGPLAN-SIGACT Symp. Principles of Programming Languages (POPL '99), 1999.
38. J. Newsome and D. Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software," Proc. Network and Distributed System Security Symp. (NDSS '05), Feb. 2005.
39. F. Perriot and P. Szor, An Analysis of the Slapper Worm Exploit, white paper, Symantec, http://securityresponse.symantec.com/avcenter/ reference/analysis.slapper.worm.pdf, 2007.
40. N.L. Petroni, T. Fraser, J. Molina, and W.A. Arbaugh, "Copilot - A Coprocessor-Based Kernel Runtime Integrity Monitor," Proc. 13th Usenix Security Symp., Aug. 2004.
41. N. Provos, "Improving Host Security with System Call Policies," Proc. 12th Usenix Security Symp., Aug. 2003.
42. A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, and P. Khosla, "Pioneer: Verifying Integrity and Guaranteeing Execution of Code on Legacy Platforms," Proc. 20th ACM Symp. Operating Systems Principles (SOSP '05), Oct. 2005.
43. A. Stavrou, A.D. Keromytis, J. Nieh, V. Misra, and D. Rubenstein, "MOVE: An End-to-End Solution to Network Denial of Service," Proc. Symp. Network and Distributed System Security (NDSS '05), Feb. 2005.
44. A.M. Turing, "On Computable Numbers, with an Application to the Entscheidungs Problem," Proc. London Math. Soc. Series 2, vol. 42, pp. 230-265, 1937.
45. A. Whitaker, R.S. Cox, and S.D. Gribble, "Configuration Debugging as Search: Finding the Needle in the Haystack," Proc. Sixth Symp. Operating Systems Design and Implementation (OSDI '04), Dec. 2004.
46. A. Whitaker, R.S. Cox, and S.D. Gribble, "Using Time Travel to Diagnose Computer Problems," Proc. 11th ACM SIGOPS European Workshop, Sept. 2004.
47. W. Xu, S. Bhatkar, and R. Sekar, "Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks," Proc. 15th Usenix Security Symp., 2006.
48. N. Zhu and T. Chiueh, "Design, Implementation and Evaluation of Repairable File Service," Proc. Int'l Conf. Dependable Systems and Networks (DSN '03)., June 2003.
49. X. Jiang, A. Walters, F. Buchholz, D. Xu, Y.M. Wang, and E.H. Spafford, "Provenance-Aware Tracing of Worm Break-in and Contaminations: A Process Coloring Approach," Proc. 26th IEEE Int'l Conf. Distributed Computing Systems (ICDCS '06), July 2006.