XLRF: A Cross-Layer Intrusion Recovery Framework for Damage Assessment and Recovery Plan Generation

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8233)


Recovering mission-critical systems from intrusion is very challenging: fast and accurate damage assessment and recovery are vital to ensure business continuity. Existing intrusion recovery approaches mostly focus on a single abstraction layer. OS-level recovery cannot fully meet the correctness criteria defined by business process semantics, while business-workflow-level recovery usually results in non-executable recovery plans. In this paper, we propose a cross-layer recovery framework, called XLRF, for fast and effective post-intrusion diagnosis and recovery of compromised systems using the dependencies captured at two levels of abstraction: the business workflow level and the OS level. The goal of our approach is two-fold: first, to bridge the semantic gap between workflow-level and system-level recovery, thus enabling comprehensive intrusion analysis and recovery; second, to automate damage assessment and recovery plan generation, thus expediting the recovery process, an otherwise time-consuming and error-prone task.


Keywords: cross-layer intrusion recovery, recovery plan, dependency graph, system calls
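To make the cross-layer idea in the abstract concrete, the following is an added illustration (not code from the paper and not XLRF's own algorithm): OS-level damage assessment propagates taint along read/write dependencies recorded from system calls, and the resulting damage set is lifted to workflow tasks to produce an ordered, executable recovery plan. The event log, the process-to-task mapping and the task order are constructed for the example.

```python
# Constructed, chronologically ordered OS-level event log (not from the paper):
# (time, pid, syscall, object). Process p1 is the one known to be compromised.
EVENTS = [
    (1, "p5", "read",  "/srv/orders/queue.db"),   # read before the attack: must stay clean
    (2, "p1", "write", "/srv/orders/queue.db"),   # compromised process tampers with the queue
    (3, "p2", "read",  "/srv/orders/queue.db"),
    (4, "p2", "write", "/srv/invoice/out.csv"),
    (5, "p3", "read",  "/etc/app.conf"),
    (6, "p3", "write", "/srv/report/daily.txt"),
    (7, "p4", "read",  "/srv/invoice/out.csv"),
    (8, "p4", "write", "/srv/ship/manifest.txt"),
]

# Constructed workflow-level metadata: which business task each process
# implements, and the task ordering of the workflow (assumed, not the paper's).
PROCESS_TO_TASK = {"p1": "take_order", "p2": "bill", "p3": "report",
                   "p4": "ship", "p5": "audit"}
TASK_ORDER = ["take_order", "bill", "ship", "report", "audit"]


def assess_damage(events, compromised):
    """OS-level damage assessment: propagate taint along read/write dependencies
    in time order, so a read that precedes the tainting write is not affected."""
    tainted = set(compromised)
    for _, pid, call, obj in sorted(events):
        if call == "read" and obj in tainted:
            tainted.add(pid)          # process consumed tainted data
        elif call == "write" and pid in tainted:
            tainted.add(obj)          # tainted process produced this object
    return tainted


def recovery_plan(tainted, process_to_task, task_order):
    """Lift the OS-level damage set to workflow tasks: restore every tainted
    object, then re-execute the affected tasks in workflow order so the plan
    is both executable and consistent with the business-process semantics."""
    files = sorted(o for o in tainted if o.startswith("/"))
    tasks = {process_to_task[p] for p in tainted if p in process_to_task}
    plan = [("restore", f) for f in files]
    plan += [("re-execute", t) for t in task_order if t in tasks]
    return plan


if __name__ == "__main__":
    damage = assess_damage(EVENTS, {"p1"})
    for step in recovery_plan(damage, PROCESS_TO_TASK, TASK_ORDER):
        print(step)
```

The time-ordered pass is what keeps p5 (which read the queue before it was tampered with) and p3 (which never touched tainted data) out of the plan; a plain reachability search over an untimed dependency graph would over-approximate the damage.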



Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  1. Department of Computer Science and Engineering, Pennsylvania State University, USA
  2. College of Information Sciences and Technology, Pennsylvania State University, USA
