Automatic high-performance reconstruction and recovery

Self-protecting systems require the ability to instantaneously detect malicious activity at run-time and prevent execution. We argue that it is impossible to perfectly self-protect systems without false positives due to the limited amount of information one might have at run-time and that eventually some undesirable activity will occur that will need to be rolled back. As a consequence of this, it is important that self-protecting systems have the ability to completely and automatically roll back malicious activity which has occurred. As the cost of human resources currently dominates the cost of CPU, network, and storage resources, we contend that computing systems should be built with automated analysis and recovery as a primary goal. Towards this end, we describe the design, implementation, and evaluation of Forensix: a robust, high-precision analysis and recovery system for supporting self-healing. The Forensix system records all activity of a target computer and allows for efficient, automated reconstruction of activity when needed. Such a system can be used to automatically detect patterns of malicious activity and selectively undo their operations. Forensix uses three key mechanisms to improve the accuracy and reduce the human overhead of performing analysis and recovery. First, it performs comprehensive monitoring of the execution of a target system at the kernel event level, giving a high-resolution, application-independent view of all activity. Second, it streams the kernel event information, in real-time, to append-only storage on a separate, hardened, logging machine, making the system resilient to a wide variety of attacks. Third, it uses database technology to support high-level querying of the archived log, greatly reducing the human cost of performing analysis and recovery. 2006 Elsevier B.V. All rights reserved.