TY - GEN
T1 - SHELF
T2 - 25th Annual Computer Security Applications Conference, ACSAC 2009
AU - Xiong, Xi
AU - Jia, Xiaoqi
AU - Liu, Peng
PY - 2009
Y1 - 2009
N2 - Recovering from intrusions in a compromised computer system is a challenging job, especially for systems that run continuous services. Current intrusion recovery techniques often do not preserve the accumulated useful state of running applications and offer very limited system availability while recovery routines are running. In this paper, we propose SHELF, an on-the-fly intrusion recovery prototype system that provides a comprehensive solution to preserve business continuity, availability and recovery accuracy. SHELF preserves accumulated clean states for infected applications and files so that they can continue from the most recent pre-infection states after recovery. Moreover, SHELF leverages OS-aware taint tracking techniques to swiftly determine the sources of an intrusion and assess the system-wide damage it caused. SHELF uses quarantine methods to prevent infection propagation so that uninfected and recovered objects can provide availability during the recovery phase. We integrate the SHELF prototype into a virtualization environment to achieve user transparency and protection. Our evaluation shows that SHELF can effectively perform accurate on-the-fly recovery with an acceptable performance overhead.
AB - Recovering from intrusions in a compromised computer system is a challenging job, especially for systems that run continuous services. Current intrusion recovery techniques often do not preserve the accumulated useful state of running applications and offer very limited system availability while recovery routines are running. In this paper, we propose SHELF, an on-the-fly intrusion recovery prototype system that provides a comprehensive solution to preserve business continuity, availability and recovery accuracy. SHELF preserves accumulated clean states for infected applications and files so that they can continue from the most recent pre-infection states after recovery. Moreover, SHELF leverages OS-aware taint tracking techniques to swiftly determine the sources of an intrusion and assess the system-wide damage it caused. SHELF uses quarantine methods to prevent infection propagation so that uninfected and recovered objects can provide availability during the recovery phase. We integrate the SHELF prototype into a virtualization environment to achieve user transparency and protection. Our evaluation shows that SHELF can effectively perform accurate on-the-fly recovery with an acceptable performance overhead.
UR - http://www.scopus.com/inward/record.url?scp=77950847824&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77950847824&partnerID=8YFLogxK
U2 - 10.1109/ACSAC.2009.52
DO - 10.1109/ACSAC.2009.52
M3 - Conference contribution
AN - SCOPUS:77950847824
SN - 9780769539195
T3 - Proceedings - Annual Computer Security Applications Conference, ACSAC
SP - 484
EP - 493
BT - 25th Annual Computer Security Applications Conference, ACSAC 2009
Y2 - 7 December 2009 through 11 December 2009
ER -