Subject: Computer Science
; Engineering
Title: peda: comprehensive damage assessment for production environment server systems
Author: Zhang Shengzhi
; Jia Xiaoqi
; Liu Peng
; Jing Jiwu
Keyword: Computer simulation
Source: IEEE Transactions on Information Forensics and Security
Issued Date: 2011
Volume: 6, Issue: 4, Pages: 1323-1334 Indexed Type: EI
; SCI
Department: (1) Department of Computer Science and Engineering Pennsylvania State University University Park PA 16802 United States; (2) State Key Laboratory of Information Security Institute of Software Chinese Academy of Sciences Beijing 100190 China; (3) College of Information Sciences and Technology Pennsylvania State University University Park PA 16802 United States; (4) State Key Laboratory of Information Security Graduate University of Chinese Academy of Sciences Beijing 100049 China
Sponsorship: AFOSRFA9550-07-1-0527; AROW911NF-09-1-0525; NSFCNS-0905131; AFRLFA8750-08-C-0137; NSFC61073179
Abstract: Analyzing the intrusion to production servers is an onerous and error-prone work for system security technicians. Existing tools or techniques are quite limited. For instance, system events tracking lacks completeness of intrusion propagation, while dynamic taint tracking is not feasible to be deployed due to significant runtime overhead. Thus, we propose production environment damage assessment (PEDA), a systematic approach to do postmortem intrusion analysis for production workload servers. PEDA replays the has-been-infected execution with high fidelity on a separate analyzing instrumentation platform to conduct the heavy workload analysis. Though the replayed execution runs atop the instrumentation platform (i.e., binary-translation-based virtual machine), PEDA allows the first-run execution to run atop the hardware-assisted virtual machine to ensure minimum runtime overhead. Our evaluation demonstrates the efficiency of the PEDA system with a runtime overhead as low as 5%. The real-life intrusion studies show the advantage of PEDA intrusion analysis over existing techniques. © 2006 IEEE. English Abstract: Analyzing the intrusion to production servers is an onerous and error-prone work for system security technicians. Existing tools or techniques are quite limited. For instance, system events tracking lacks completeness of intrusion propagation, while dynamic taint tracking is not feasible to be deployed due to significant runtime overhead. Thus, we propose production environment damage assessment (PEDA), a systematic approach to do postmortem intrusion analysis for production workload servers. PEDA replays the has-been-infected execution with high fidelity on a separate analyzing instrumentation platform to conduct the heavy workload analysis. Though the replayed execution runs atop the instrumentation platform (i.e., binary-translation-based virtual machine), PEDA allows the first-run execution to run atop the hardware-assisted virtual machine to ensure minimum runtime overhead. Our evaluation demonstrates the efficiency of the PEDA system with a runtime overhead as low as 5%. The real-life intrusion studies show the advantage of PEDA intrusion analysis over existing techniques. © 2006 IEEE. Language: 英语
WOS ID: WOS:000297344200012
Citation statistics:
Content Type: 期刊论文
URI: http://ir.iscas.ac.cn/handle/311060/16067
Appears in Collections: 软件所图书馆_期刊论文
There are no files associated with this item.
Recommended Citation:
Zhang Shengzhi,Jia Xiaoqi,Liu Peng,et al. peda: comprehensive damage assessment for production environment server systems[J]. IEEE Transactions on Information Forensics and Security,2011-01-01,6(4):1323-1334.
