Essay on Postmortem Intrusion Analysis

1 Introduction
Today, postmortem intrusion analysis is an all too familiar problem. Our devices are repeatedly compromised while performing seemingly benign activities like browsing the Web [33] or interacting on social-networking websites, or by malicious actors that use botnets as platforms for various nefarious activities [12]. Sometimes the threats also arise from the inside (e.g., corporate espionage), often leading to substantial financial losses¹. Underscoring each of these security breaches is the need to reconstruct past events to know what happened and to better understand how a particular compromise may have occurred. Sadly, although there have been significant improvements in computer systems over the last few

¹ See Bloomberg's report on "Goldman May Lose Millions From Ex-Worker's Code Theft", July 2009, for a case in point.
In this paper we propose an approach for monitoring accesses to data in a virtualized environment while bridging the semantic gap issue. Specifically, we provide an approach for monitoring accesses to data that originated from disk, and capture subsequent accesses to that data in memory—even across different processes. Our approach achieves this goal without any monitoring code resident in the virtual machine, and operates purely on the abstractions provided by the hypervisor. Operating at this layer mandates that we access the disk at the block layer, memory at the physical frame layer and system calls at the instruction layer—all of which offer substantial engineering challenges of their own. In that regard, our main contributions are in the design and implementation of a highly accurate monitoring and reconstruction mechanism that collates and stores events collected at different levels of abstraction. We also provide a rich query interface for mining the captured information, and in doing so, provide forensic analysts with far more detailed information to aid in understanding what transpired after a compromise (be it a suspicious transfer of data or modification of

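The monitoring idea described above, as an added illustration that is not the paper's implementation (the page does not show the authors' mechanism): a toy provenance tracker that labels guest-physical frames loaded from disk blocks of interest, propagates the label across frame-to-frame copies, and attributes later accesses by any process back to the originating blocks, with a small query interface over the collated events. The three event types, the block and frame numbers, the process ids and the file label are all constructed for the example.

```python
"""Toy cross-layer provenance tracker (illustrative simplification, not the paper's design).

Events arrive from three abstraction layers a hypervisor can observe without
an in-guest agent:
  block layer       : which disk block was read into which guest-physical frame
  frame layer       : bytes moved from one guest-physical frame to another
  instruction layer : which guest process touched which frame, and how
Data originating from a labelled disk block tags the frame it lands in; the tag
follows memory copies, so accesses by other processes can be traced back to it.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DiskRead:
    """Block layer: `pid` read disk `block` into physical `frame`."""
    seq: int
    block: int
    frame: int
    pid: int


@dataclass(frozen=True)
class MemCopy:
    """Frame layer: `pid` copied the contents of `src_frame` into `dst_frame`."""
    seq: int
    src_frame: int
    dst_frame: int
    pid: int


@dataclass(frozen=True)
class FrameAccess:
    """Instruction layer: `pid` touched `frame` via the operation `op`."""
    seq: int
    frame: int
    pid: int
    op: str


class ProvenanceTracker:
    def __init__(self, labelled_blocks: Dict[int, str]):
        # disk block number -> label (here: the file those blocks belong to)
        self.labelled_blocks = labelled_blocks
        # guest-physical frame -> labels currently resident in that frame
        self.frame_labels: Dict[int, Set[str]] = {}
        # collated record of every event that touched labelled data:
        # (sequence number, label, pid, human-readable description)
        self.log: List[Tuple[int, str, int, str]] = []

    def ingest(self, ev) -> None:
        if isinstance(ev, DiskRead):
            label = self.labelled_blocks.get(ev.block)
            if label is None:
                return  # block is not of interest; nothing to track
            # a frame may hold several labels after partial overwrites, so use a set
            self.frame_labels.setdefault(ev.frame, set()).add(label)
            self.log.append((ev.seq, label, ev.pid, f"read block {ev.block} into frame {ev.frame}"))
        elif isinstance(ev, MemCopy):
            labels = self.frame_labels.get(ev.src_frame, set())
            if not labels:
                return  # source frame carries no tracked data
            self.frame_labels.setdefault(ev.dst_frame, set()).update(labels)
            for label in sorted(labels):
                self.log.append((ev.seq, label, ev.pid, f"copied frame {ev.src_frame} to {ev.dst_frame}"))
        elif isinstance(ev, FrameAccess):
            for label in sorted(self.frame_labels.get(ev.frame, set())):
                self.log.append((ev.seq, label, ev.pid, f"{ev.op} frame {ev.frame}"))

    def processes_touching(self, label: str) -> List[int]:
        """Query: every process that touched data derived from `label`, in order of first contact."""
        seen: List[int] = []
        for _seq, lab, pid, _what in sorted(self.log):
            if lab == label and pid not in seen:
                seen.append(pid)
        return seen

    def timeline(self, label: str) -> List[str]:
        """Query: the ordered event history of data derived from `label`."""
        return [f"{seq}: pid {pid} {what}" for seq, lab, pid, what in sorted(self.log) if lab == label]


# Constructed event stream (not from any real capture): pid 100 reads a sensitive
# file, copies it into a shared frame, and pid 200 reads that frame and sends it out.
SAMPLE_EVENTS = [
    DiskRead(seq=1, block=4096, frame=0x1A, pid=100),
    DiskRead(seq=2, block=9000, frame=0x1B, pid=100),        # unlabelled block: ignored
    FrameAccess(seq=3, frame=0x1A, pid=100, op="read"),
    MemCopy(seq=4, src_frame=0x1A, dst_frame=0x2C, pid=100),  # into a frame pid 200 can see
    FrameAccess(seq=5, frame=0x2C, pid=200, op="read"),
    FrameAccess(seq=6, frame=0x2C, pid=200, op="sendto"),
]


def run_sample() -> ProvenanceTracker:
    tracker = ProvenanceTracker({4096: "secrets.db"})
    for ev in SAMPLE_EVENTS:
        tracker.ingest(ev)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    print(t.processes_touching("secrets.db"))
    print("\n".join(t.timeline("secrets.db")))
```

The point of the toy is the collation step: no single layer answers the analyst's question. The block layer alone knows a file was read, the frame layer alone sees an anonymous copy, and the instruction layer alone sees pid 200 sending some frame; only joined through the shared frame label do they yield "pid 200 sent data that came from secrets.db".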