Backtracking intrusions, 2003
Cited by 159 (6 self)
Abstract: Analyzing intrusions today is an arduous, largely manual task because system administrators lack the information and tools needed to understand easily the sequence of steps that occurred in an attack. The goal of BackTracker is to identify automatically potential sequences of steps that occurred in an intrusion. Starting with a single detection point (e.g., a suspicious file), BackTracker identifies files and processes that could have affected that detection point and displays chains of events in a dependency graph. We use BackTracker to analyze several real attacks against computers that we set up as honeypots. In each case, BackTracker is able to highlight effectively the entry point used to gain access to the system and the sequence of steps from that entry point to the point at which we noticed the intrusion. The logging required to support BackTracker added 9% overhead in running time and generated 1.2 GB per day of log data for an operating-system-intensive workload.
Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage, 2002
Cited by 11 (5 self)
Abstract: Self-securing storage turns storage devices into active parts of an intrusion survival strategy. From behind a thin storage interface (e.g., SCSI or CIFS), a self-securing storage server can watch storage requests, keep a record of all storage activity, and prevent compromised clients from destroying stored data. This paper describes three ways self-securing storage enhances an administrator's ability to detect, diagnose, and recover from client system intrusions. First, storage-based intrusion detection offers a new observation point for noticing suspect activity. Second, post-hoc intrusion diagnosis starts with a plethora of normally-unavailable information. Finally, post-intrusion recovery is reduced to restarting the system with a pre-intrusion storage image retained by the sensor. Combined, these features can improve an organization's ability to survive successful digital intrusions.
Analyzing Intrusions Using Operating System Level Information Flow, 2006
Cited by 2 (0 self)
Abstract: For my wife Sam and my son Eli. ACKNOWLEDGEMENTS I would like to thank some of the people who helped me in my journey towards getting a PhD. First, I would like to thank my PhD advisor, Peter Chen. He was literally an ideal advisor and was the greatest influence in my development as a researcher. We spent countless hours in his office discussing the topics in this dissertation, and these interactions are what made my graduate student life so enjoyable and convinced me to become a faculty member myself. I would like to thank my committee, Pete, Vineet, Morley, and Brian for their valuable insight and feedback. I would like to thank Morley and Dom for helping out with some of the multi-host experiments in this dissertation. I would like to thank the other members of the CoVirt group: Ashlesha, Dom, George,
Automated Analysis for Digital Forensic Science, 2002
Abstract: Flaws in system security may persist for the foreseeable future. Yet, software developers and system administrators are not learning from security mistakes because identifying the cause of a computer intrusion is time-consuming, tedious and unlikely to yield definitive results. Investigations are fraught with data volatility, privacy and legal issues as well. When intrusions are detected, computer forensics analysts are swamped in evidence because of the large volume of data encountered, the dearth of trained investigators and the lack of automated techniques to analyze computer crime data. An expert system with a decision tree that uses predetermined invariant relationships between redundant digital objects (like an application log entry and an audit trail) to detect semantic incongruities could augment a computer crime investigator's efforts. By analyzing data from a system and searching for violations of known data relationships, an attacker's changes to the system may be automatically identified. Examples of such invariant data relationships are provided, as are techniques to identify new, useful ones. A requirement for such a system is to have the evidence available in a standard machine-readable format. A prototype of this general approach has been written, integrating The Coroner's Toolkit and JESS, the Expert System Shell for the Java Platform, that automatically identifies files that have been modified, accessed or changed when their owners were not logged in. By automatically identifying relevant evidence, experts can focus on the relevant files, users, times and other facts first.
Pre-Forensic Setup Automation for Windows 2000, 2002
Abstract: This work presents a framework for automation of administrative tasks and deployment of protection mechanisms to facilitate a future forensic analysis. The main goal is to disclose and supply measures for a fast configuration of Microsoft Windows 2000 networks, when deploying incident response procedures.

