A Declarative Framework for Intrusion Analysis

  • Matt Fredrikson
  • Mihai Christodorescu
  • Jonathon Giffin
  • Somesh Jha
Part of the Advances in Information Security book series (ADIS, volume 46)


We consider the problems of computer intrusion analysis and understanding. We begin by presenting a survey of the literature in this area and extrapolate a set of common principles and characteristics present in the most promising techniques. Using these principles, we develop a comprehensive analysis solution based on a variety of system events and the causal dependencies among them. We then present a declarative language that gives a system administrator the facilities required to analyze the event information present in system logs, and we identify the subset of the event information pertinent to an intrusion in a vastly simplified view. Finally, we demonstrate the ability of the language to accurately return a simplified view of the relevant events in a realistic intrusion case study.
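The abstract describes a declarative query over system events and the causal dependencies among them, returning only the events relevant to an intrusion. The chapter's own language is not shown on this page, so the following is an added illustration, not the authors' code: a constructed event log, the dependency edges derived from it, and a Datalog-style recursive back-tracking query evaluated to a fixpoint in plain Python. Process names, paths and addresses are constructed sample values.

```python
# Constructed sample events (not from the chapter): (time, subject, action, object).
# Subjects are processes (name:pid); objects are files, sockets or child processes.
EVENTS = [
    (1,  "sshd:100",      "accept",  "sock:10.0.0.5:4422"),
    (2,  "sshd:100",      "fork",    "bash:101"),
    (3,  "bash:101",      "read",    "file:/etc/passwd"),
    (4,  "bash:101",      "exec",    "wget:102"),
    (5,  "wget:102",      "connect", "sock:203.0.113.7:80"),
    (6,  "wget:102",      "write",   "file:/tmp/payload"),
    (7,  "bash:101",      "exec",    "payload:103"),
    (8,  "payload:103",   "read",    "file:/tmp/payload"),
    (9,  "payload:103",   "write",   "file:/etc/cron.d/job"),
    (10, "cron:50",       "read",    "file:/etc/cron.d/job"),
    (11, "logrotate:60",  "write",   "file:/var/log/syslog"),
]

# Actions through which information flows object -> subject (inputs)
# versus subject -> object (outputs). This split is an assumption of the example.
INPUT_ACTIONS = {"read", "accept"}
OUTPUT_ACTIONS = {"write", "fork", "exec", "connect"}

def dependency_edges(events):
    """Turn events into directed flow(src, dst, time) facts."""
    edges = []
    for t, subj, act, obj in events:
        if act in INPUT_ACTIONS:
            edges.append((obj, subj, t))
        elif act in OUTPUT_ACTIONS:
            edges.append((subj, obj, t))
    return edges

def backtrack(events, detection_point, detection_time):
    """Recursive dependency query, evaluated to a fixpoint. In Datalog form:
         depends(X, T) :- flow(X, D, T), T <= Tdet.          (D = detection point)
         depends(X, T) :- flow(X, Y, T), depends(Y, T2), T <= T2.
    Returns {entity: latest time it could have influenced the detection point}."""
    edges = dependency_edges(events)
    reached = {}
    frontier = [(detection_point, detection_time)]
    while frontier:
        node, tmax = frontier.pop()
        for src, dst, t in edges:
            # Only flows that happened before the state we are explaining matter;
            # revisit an entity only if a later influence time was found.
            if dst == node and t <= tmax and reached.get(src, -1) < t:
                reached[src] = t
                frontier.append((src, t))
    return reached

def relevant_events(events, reached, detection_time):
    """The simplified view: events touching an upstream entity, up to detection."""
    return [e for e in events
            if e[0] <= detection_time and (e[1] in reached or e[3] in reached)]
```

Running `backtrack(EVENTS, "file:/etc/cron.d/job", 9)` yields the chain from the inbound connection through `sshd`, `bash`, `wget` and the dropped file, while the unrelated `cron` and `logrotate` events and the outbound socket are excluded from the view.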







This work was supported by National Science Foundation grants CNS-0627501, CCF-0524051, 0311808, 0433540, 0448452, CNS-0448476, CNS-0627551. We would also like to thank Remzi Arpaci-Dusseau, Drew Davidson, and Lorenzo Martignoni for their helpful comments and advice throughout the course of this work.



Copyright information

© Springer-Verlag US 2010

Authors and Affiliations

  • Matt Fredrikson (1)
  • Mihai Christodorescu (2)
  • Jonathon Giffin (3)
  • Somesh Jha (1)

  1. Computer Sciences Department, University of Wisconsin, Madison, USA
  2. IBM T.J. Watson Research Center
  3. School of Computer Science, Georgia Institute of Technology, USA
