FloTracker

Log-free and instantaneous host-based intrusion root-cause analysis

Saman Zonouz, Ahmad Seyfi, Alejandro Mesa, Gabriel Salles-Loustau

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Preserving the availability and integrity of security-critical computer systems in an environment of fast-spreading, sophisticated intrusions requires advanced algorithms for accurate and efficient intrusion diagnosis, together with root-cause analysis techniques. In this paper we introduce FloTracker, an online, log-free, host-based root-cause analysis engine with instantaneous forensics capabilities. FloTracker presents security administrators, as well as automated response systems, with immediate forensic information. For instance, it identifies the intrusion's entry point into the system as soon as a critical security incident occurs, e.g., as soon as a modification of a sensitive system file is detected on the target system. To this end, FloTracker automatically defines an access control policy set (possibly imposing no access restriction) for the target system that enables real-time backtracking of an intrusion from a given detection point. Our experimental results on a real-world SELinux test-bed show that FloTracker can efficiently update the system's configuration so that the modifications do not affect the system's functionality, while providing a log-free and instantaneous root-cause analysis capability.
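The policy-driven backtracking the abstract describes can be illustrated with a small graph query over type-enforcement rules. The Python below is an added example written for this page; it is not code from the FloTracker paper or its authors, and it does not reproduce the paper's policy-construction algorithm. It assumes a simplified mapping of SELinux permissions to information-flow direction (WRITE_LIKE and READ_LIKE), a constructed toy policy (POLICY), and netif_t as the only network-facing entry type; all three are assumptions made for the example, not facts from the paper.

```python
"""Added illustration: backtracking an intrusion from a detection point using
only an SELinux-style type-enforcement policy, with no audit log.

Assumptions (not from the paper): the permission-to-flow mapping below, the
toy policy, and the choice of netif_t as the sole network entry type.
"""
import re
from collections import deque

# Permissions that move information subject -> object (write-like) and
# object -> subject (read-like). Simplified mapping chosen for the example.
WRITE_LIKE = {"write", "append", "create", "unlink", "rename", "setattr",
              "egress", "sendto", "transition"}
READ_LIKE = {"read", "getattr", "ingress", "recvfrom", "execute"}

# Constructed toy policy; not a real distribution policy.
POLICY = """
allow httpd_t netif_t:netif { ingress egress };
allow sshd_t  netif_t:netif { ingress egress };
allow httpd_t httpd_tmp_t:file { create write read };
allow httpd_t httpd_sys_script_t:process transition;
allow httpd_sys_script_t httpd_tmp_t:file read;
allow httpd_sys_script_t shadow_t:file { write };   # over-broad rule, the flaw
allow sshd_t user_home_t:file { read write };
allow logrotate_t var_log_t:file { read write unlink };
allow logrotate_t shadow_t:file getattr;
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_allow_rules(text):
    """Return (subject, object, class, perms) tuples, ignoring '#' comments."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    rules = []
    for subj, obj, cls, perms in RULE.findall(stripped):
        rules.append((subj, obj, cls, frozenset(perms.strip("{} ").split())))
    return rules


def flow_graph(rules):
    """edges[x] = set of types that information may flow to from x."""
    edges = {}
    for subj, obj, _cls, perms in rules:
        if perms & WRITE_LIKE:
            edges.setdefault(subj, set()).add(obj)
        if perms & READ_LIKE:
            edges.setdefault(obj, set()).add(subj)
    return edges


def direct_writers(edges, detection_type):
    """Types the policy lets modify detection_type directly: the first
    question a responder asks when an integrity alert fires."""
    return {src for src, dsts in edges.items() if detection_type in dsts}


def backtrack(edges, detection_type, entry_types):
    """Reverse BFS from the detection point over the policy flow graph.

    Returns (influencers, paths): every type whose information may have
    reached detection_type, and for each entry type reached, the shortest
    policy-permitted chain entry -> ... -> detection_type. Expansion stops
    at entry types, which are treated as the sources of an intrusion."""
    reverse = {}
    for src, dsts in edges.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    parent = {detection_type: None}
    queue = deque([detection_type])
    while queue:
        node = queue.popleft()
        if node in entry_types:
            continue
        for pred in sorted(reverse.get(node, ())):
            if pred not in parent:
                parent[pred] = node
                queue.append(pred)
    paths = {}
    for entry in entry_types & set(parent):
        chain, node = [], entry
        while node is not None:
            chain.append(node)
            node = parent[node]
        paths[entry] = chain
    return set(parent), paths


if __name__ == "__main__":
    graph = flow_graph(parse_allow_rules(POLICY))
    print("may write shadow_t:", direct_writers(graph, "shadow_t"))
    _, chains = backtrack(graph, "shadow_t", {"netif_t"})
    for entry, chain in chains.items():
        print(entry, "->", " -> ".join(chain[1:]))
```

Given an integrity alert on shadow_t, direct_writers answers which domains the policy permitted to modify it, and backtrack walks the reverse flow graph to the entry type, yielding netif_t -> httpd_t -> httpd_sys_script_t -> shadow_t without consulting any audit log; sshd_t is excluded because no policy-permitted chain leads from it to shadow_t. The caveat a practitioner should keep in mind is that the answer is the set of policy-permitted chains, so its precision depends on how tightly the policy confines each domain: a policy that lets many domains write to the detection point yields many candidates, which is why the abstract describes FloTracker as defining a policy set that makes the backtracking informative rather than relying on the stock policy alone.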

Original language: English
Title of host publication: Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC
Publisher: IEEE Computer Society
Pages: 246-255
Number of pages: 10
ISBN (Print): 9780769551302
DOI: 10.1109/PRDC.2013.46
State: Published - Jan 1 2013
Event: 19th IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2013 - Vancouver, BC, Canada
Duration: Dec 2 2013 - Dec 4 2013

Other

Other: 19th IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2013
Country: Canada
City: Vancouver, BC
Period: 12/2/13 - 12/4/13

Fingerprint

Access control
Computer systems
Availability
Engines
Linux

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Computer Science Applications
  • Hardware and Architecture
  • Software

Cite this

Zonouz, S., Seyfi, A., Mesa, A., & Salles-Loustau, G. (2013). FloTracker: Log-free and instantaneous host-based intrusion root-cause analysis. In Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC (pp. 246-255). [6820872] IEEE Computer Society. https://doi.org/10.1109/PRDC.2013.46

FloTracker: Log-free and instantaneous host-based intrusion root-cause analysis. / Zonouz, Saman; Seyfi, Ahmad; Mesa, Alejandro; Salles-Loustau, Gabriel.

Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC. IEEE Computer Society, 2013. p. 246-255 6820872.

Zonouz, S, Seyfi, A, Mesa, A & Salles-Loustau, G 2013, FloTracker: Log-free and instantaneous host-based intrusion root-cause analysis. in Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC., 6820872, IEEE Computer Society, pp. 246-255, 19th IEEE Pacific Rim International Symposium on Dependable Computing, PRDC 2013, Vancouver, BC, Canada, 12/2/13. https://doi.org/10.1109/PRDC.2013.46
Zonouz S, Seyfi A, Mesa A, Salles-Loustau G. FloTracker: Log-free and instantaneous host-based intrusion root-cause analysis. In Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC. IEEE Computer Society. 2013. p. 246-255. 6820872 https://doi.org/10.1109/PRDC.2013.46
Zonouz, Saman; Seyfi, Ahmad; Mesa, Alejandro; Salles-Loustau, Gabriel. / FloTracker: Log-free and instantaneous host-based intrusion root-cause analysis. Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC. IEEE Computer Society, 2013. pp. 246-255
@inproceedings{4f4d59e695ce4463b3ff7aa5c1a1b25d,
title = "FloTracker: Log-free and instantaneous host-based intrusion root-cause analysis",
abstract = "Preserving the availability and integrity of security-critical computer systems in an environment of fast-spreading, sophisticated intrusions requires advanced algorithms for accurate and efficient intrusion diagnosis, together with root-cause analysis techniques. In this paper we introduce FloTracker, an online, log-free, host-based root-cause analysis engine with instantaneous forensics capabilities. FloTracker presents security administrators, as well as automated response systems, with immediate forensic information. For instance, it identifies the intrusion's entry point into the system as soon as a critical security incident occurs, e.g., as soon as a modification of a sensitive system file is detected on the target system. To this end, FloTracker automatically defines an access control policy set (possibly imposing no access restriction) for the target system that enables real-time backtracking of an intrusion from a given detection point. Our experimental results on a real-world SELinux test-bed show that FloTracker can efficiently update the system's configuration so that the modifications do not affect the system's functionality, while providing a log-free and instantaneous root-cause analysis capability.",
author = "Saman Zonouz and Ahmad Seyfi and Alejandro Mesa and Gabriel Salles-Loustau",
year = "2013",
month = "1",
day = "1",
doi = "10.1109/PRDC.2013.46",
language = "English",
isbn = "9780769551302",
pages = "246--255",
booktitle = "Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC",
publisher = "IEEE Computer Society",

}

TY - GEN
T1 - FloTracker
T2 - Log-free and instantaneous host-based intrusion root-cause analysis
AU - Zonouz, Saman
AU - Seyfi, Ahmad
AU - Mesa, Alejandro
AU - Salles-Loustau, Gabriel
PY - 2013/1/1
Y1 - 2013/1/1
N2 - Preserving the availability and integrity of security-critical computer systems in an environment of fast-spreading, sophisticated intrusions requires advanced algorithms for accurate and efficient intrusion diagnosis, together with root-cause analysis techniques. In this paper we introduce FloTracker, an online, log-free, host-based root-cause analysis engine with instantaneous forensics capabilities. FloTracker presents security administrators, as well as automated response systems, with immediate forensic information. For instance, it identifies the intrusion's entry point into the system as soon as a critical security incident occurs, e.g., as soon as a modification of a sensitive system file is detected on the target system. To this end, FloTracker automatically defines an access control policy set (possibly imposing no access restriction) for the target system that enables real-time backtracking of an intrusion from a given detection point. Our experimental results on a real-world SELinux test-bed show that FloTracker can efficiently update the system's configuration so that the modifications do not affect the system's functionality, while providing a log-free and instantaneous root-cause analysis capability.
AB - Preserving the availability and integrity of security-critical computer systems in an environment of fast-spreading, sophisticated intrusions requires advanced algorithms for accurate and efficient intrusion diagnosis, together with root-cause analysis techniques. In this paper we introduce FloTracker, an online, log-free, host-based root-cause analysis engine with instantaneous forensics capabilities. FloTracker presents security administrators, as well as automated response systems, with immediate forensic information. For instance, it identifies the intrusion's entry point into the system as soon as a critical security incident occurs, e.g., as soon as a modification of a sensitive system file is detected on the target system. To this end, FloTracker automatically defines an access control policy set (possibly imposing no access restriction) for the target system that enables real-time backtracking of an intrusion from a given detection point. Our experimental results on a real-world SELinux test-bed show that FloTracker can efficiently update the system's configuration so that the modifications do not affect the system's functionality, while providing a log-free and instantaneous root-cause analysis capability.
UR - http://www.scopus.com/inward/record.url?scp=84906748839&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84906748839&partnerID=8YFLogxK
U2 - 10.1109/PRDC.2013.46
DO - 10.1109/PRDC.2013.46
M3 - Conference contribution
SN - 9780769551302
SP - 246
EP - 255
BT - Proceedings of IEEE Pacific Rim International Symposium on Dependable Computing, PRDC
PB - IEEE Computer Society
ER -