10.4230/OASICS.TRUSTWORTHYSW.2006.696
Neuhaus, Stephan
Stephan
Neuhaus
Isolating Intrusions by Automatic Experiments
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
2006
Article
Intrusion Analysis
Malware
Experimentation
Autexier, Serge
Serge
Autexier
Merz, Stephan
Stephan
Merz
van der Torre, Leon
Leon
van der Torre
Wilhelm, Reinhard
Reinhard
Wilhelm
Wolper, Pierre
Pierre
Wolper
2006
2006-09-26
en
urn:nbn:de:0030-drops-6960
10.4230/OASIcs.TrustworthySW.2006
978-3-939897-02-6
2190-6807
OASIcs, Volume 3, TrustworthySW 2006
Workshop on Trustworthy Software
2012
3
7
1
3
Open Access Series in Informatics (OASIcs)
2006
3
3 pages
24325 bytes
application/pdf
Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported license
info:eu-repo/semantics/openAccess
When dealing with malware infections, one of the first tasks is to find the processes that were involved in the attack. We introduce Malfor, a system that isolates those processes automatically. In contrast to other methods that help analyze attacks, Malfor works by experiments: first, we record the interaction of the system under attack; after the intrusion has been detected, we replay the recorded events in slightly different configurations to see which processes were relevant for the intrusion. This approach has three advantages over deductive approaches: first, the processes that are thus found have been experimentally shown to be relevant for the attack; second, the amount of evidence that must then be analyzed to find the attack vector is greatly reduced; and third, Malfor itself cannot make wrong deductions. In a first experiment, Malfor was able to extract the three processes responsible for an attack from 32 candidates in about six minutes.
OASIcs, Vol. 3, Workshop on Trustworthy Software, pages 1-3