Forensix
| Overview | We are developing a system for post-intrusion analysis and reconstruction. The system uses three overlapping phases of operation: data gathering, analysis, and reconstruction. During the data gathering phase, activity on a target machine, such as a web server, is logged at the system-call level. This log is streamed in real time to a secure back-end machine and written to append-only storage. By moving the log off the target promptly and by ensuring that it cannot be modified after the fact, we capture all the activity leading up to an attack as well as the effects of the attack itself, even if the target is later fully compromised. The analysis phase loads the log into a database so that it can be queried for suspicious activity, including the signatures of well-known attacks. Using this approach, Forensix can identify offending processes and all of their activities. The reconstruction phase then uses this information to undo (or uninstall the effects of) an attack. We believe this approach is a first step towards autonomic systems that are self-healing. |
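As an added illustration of the analysis and reconstruction phases (example code written for this page, not Forensix's own code), the Python below loads a small constructed system-call log into SQLite, rebuilds the process tree under the web server's pid from its fork records, flags the well-known signature of a server child executing a shell, collects every file the offending processes created, wrote or unlinked, and turns that into a list of undo actions. The log format, the pids and paths, and the signature rule are all assumptions made for the example; Forensix's actual log format and queries are not described on this page.

```python
"""Example (not Forensix code): querying a system-call log after an intrusion.
Assumed log format, one record per line:  ts pid syscall result [path [flags]]
"""
import sqlite3

# Constructed sample log: httpd (pid 200) forks workers; worker 310 is exploited
# and spawns a shell, which drops a file, edits /etc/passwd and deletes the
# access log. Worker 301 serves a legitimate request. pid 100 is unrelated.
SAMPLE_LOG = """\
999  100 open   3   /etc/passwd O_RDONLY
1000 200 execve 0   /usr/sbin/httpd
1001 200 open   4   /var/log/httpd/access_log O_WRONLY|O_APPEND
1002 200 accept 7
1003 200 fork   301
1004 301 open   5   /var/www/index.html O_RDONLY
1005 200 fork   310
1006 310 execve 0   /bin/sh
1007 310 fork   311
1008 311 execve 0   /usr/bin/wget
1009 311 open   5   /tmp/rootkit.sh O_WRONLY|O_CREAT
1010 310 open   5   /etc/passwd O_WRONLY
1011 310 unlink 0   /var/log/httpd/access_log
1012 301 open   5   /var/www/index.html O_RDONLY
"""

SCHEMA = ("CREATE TABLE syscalls(ts INTEGER, pid INTEGER, name TEXT, "
          "result INTEGER, path TEXT, flags TEXT)")

# Descendants of a pid, reconstructed from successful fork/clone records.
PROCESS_TREE = """
WITH RECURSIVE tree(pid) AS (
    SELECT ?
    UNION
    SELECT s.result FROM syscalls s JOIN tree t ON s.pid = t.pid
    WHERE s.name IN ('fork', 'clone') AND s.result > 0
)
SELECT pid FROM tree
"""

def load_log(text):
    """Parse the log into an in-memory SQLite table (the analysis-phase load)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        path = f[4] if len(f) > 4 else ""
        flags = f[5] if len(f) > 5 else ""
        rows.append((int(f[0]), int(f[1]), f[2], int(f[3]), path, flags))
    conn.executemany("INSERT INTO syscalls VALUES (?,?,?,?,?,?)", rows)
    return conn

def descendants(conn, root_pid):
    return {pid for (pid,) in conn.execute(PROCESS_TREE, (root_pid,))}

def shells_spawned_by(conn, server_pid):
    """Attack signature (assumed for the example): a descendant of the web
    server successfully execve()s a shell."""
    tree = descendants(conn, server_pid) - {server_pid}
    rows = conn.execute("SELECT pid FROM syscalls WHERE name = 'execve' "
                        "AND result = 0 AND path IN ('/bin/sh', '/bin/bash')")
    return sorted(pid for (pid,) in rows if pid in tree)

def attack_processes(conn, server_pid):
    """Offending processes plus everything they spawned."""
    pids = set()
    for shell in shells_spawned_by(conn, server_pid):
        pids |= descendants(conn, shell)
    return pids

def modified_files(conn, pids):
    """Map each path whose on-disk state `pids` changed to its first effect
    ('created', 'written', 'unlinked'); 'created' only if nobody touched the
    path earlier in the log, which is what decides the undo action."""
    seen_before, effects = set(), {}
    query = ("SELECT pid, name, result, path, flags FROM syscalls "
             "WHERE path != '' ORDER BY ts")
    for pid, name, result, path, flags in conn.execute(query):
        if result < 0:
            continue  # failed calls changed nothing
        if pid in pids and path not in effects:
            writes = name == "open" and ("O_WRONLY" in flags or "O_RDWR" in flags)
            if name == "unlink":
                effects[path] = "unlinked"
            elif writes:
                new = "O_CREAT" in flags and path not in seen_before
                effects[path] = "created" if new else "written"
        seen_before.add(path)
    return effects

def reconstruction_plan(effects):
    """Undo actions: created files are removed, written or unlinked files are
    restored from a pre-attack copy (which the log itself would have to supply)."""
    action = {"created": "remove", "written": "restore", "unlinked": "restore"}
    return sorted((path, action[e]) for path, e in effects.items())
```

Running `reconstruction_plan(modified_files(db, attack_processes(db, 200)))` on the sample log yields a remove for /tmp/rootkit.sh and restores for /etc/passwd and the access log, while the legitimate worker 301 and httpd's own appends to the access log are left alone. The interesting design decision is that "created" is decided from the log history rather than from the current filesystem, which an attacker may have altered; this is exactly why the log has to be complete and tamper-proof.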
| People | Faculty: Wu-chang Feng, Wu-chi Feng, Ashvin Goel (U. Toronto), David Maier, and Jonathan Walpole. Students: Jim Snow and Jin Choi |
| Papers | "Forensix: A Robust, High Performance Reconstruction System," Ashvin Goel, Mike Shea, Sourabh Ahuja, Wu-chang Feng, Wu-chi Feng, David Maier, and Jonathan Walpole, poster abstract in the Proceedings of the Symposium on Operating Systems Principles (SOSP), Bolton Landing, New York, October 2003. |
| Posters | "Forensix: A Robust, High Performance Reconstruction System," Ashvin Goel, Mike Shea, Sourabh Ahuja, Wu-chang Feng, Wu-chi Feng, David Maier, and Jonathan Walpole, presented at the Symposium on Operating Systems Principles (SOSP), Bolton Landing, New York, October 2003. |
| Software | Forensix - latest Forensix source and required component systems. |
| Sponsors | NSF $850,803, "Forensix: Large-scale Tamper-resistant Computer Forensic Systems," Wu-chang Feng (PI), Wu-chi Feng, David Maier and Jonathan Walpole, July 2002 - 2005. |