TY - JOUR
T1 - PEDA
T2 - Comprehensive damage assessment for production environment server systems
AU - Zhang, Shengzhi
AU - Jia, Xiaoqi
AU - Liu, Peng
AU - Jing, Jiwu
N1 - Funding Information:
Manuscript received October 15, 2010; revised June 25, 2011; accepted July 06, 2011. Date of publication July 14, 2011; date of current version November 18, 2011. This work was supported by AFOSR FA9550-07-1-0527 (MURI), by ARO W911NF-09-1-0525 (MURI), by NSF CNS-0905131, and by AFRL FA8750-08-C-0137. The work of X. Jia was supported in part by NSFC 61073179. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. R. Sekar.
PY - 2011/12
Y1 - 2011/12
AB - Analyzing intrusions into production servers is onerous and error-prone work for system security technicians. Existing tools and techniques are quite limited. For instance, system event tracking does not capture the full propagation of an intrusion, while dynamic taint tracking is not feasible to deploy in production because of its significant runtime overhead. Thus, we propose production environment damage assessment (PEDA), a systematic approach to postmortem intrusion analysis for production workload servers. PEDA replays the already-infected execution with high fidelity on a separate instrumentation platform, where the heavyweight analysis is conducted. Although the replayed execution runs atop the instrumentation platform (i.e., a binary-translation-based virtual machine), PEDA allows the original execution to run atop a hardware-assisted virtual machine to keep runtime overhead to a minimum. Our evaluation demonstrates the efficiency of the PEDA system, with a runtime overhead as low as 5%. Studies of real-life intrusions show the advantage of PEDA's intrusion analysis over existing techniques.
UR - http://www.scopus.com/inward/record.url?scp=82055197202&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=82055197202&partnerID=8YFLogxK
U2 - 10.1109/TIFS.2011.2162062
DO - 10.1109/TIFS.2011.2162062
M3 - Article
AN - SCOPUS:82055197202
SN - 1556-6013
VL - 6
SP - 1323
EP - 1334
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
IS - 4
M1 - 5954181
ER -