PEDA: Comprehensive damage assessment for production environment server systems

Shengzhi Zhang, Xiaoqi Jia, Peng Liu, Jiwu Jing

Research output: Contribution to journalArticle

4 Scopus citations

Abstract

Analyzing the intrusion to production servers is an onerous and error-prone work for system security technicians. Existing tools or techniques are quite limited. For instance, system events tracking lacks completeness of intrusion propagation, while dynamic taint tracking is not feasible to be deployed due to significant runtime overhead. Thus, we propose production environment damage assessment (PEDA), a systematic approach to do postmortem intrusion analysis for production workload servers. PEDA replays the has-been-infected execution with high fidelity on a separate analyzing instrumentation platform to conduct the heavy workload analysis. Though the replayed execution runs atop the instrumentation platform (i.e., binary-translation-based virtual machine), PEDA allows the first-run execution to run atop the hardware-assisted virtual machine to ensure minimum runtime overhead. Our evaluation demonstrates the efficiency of the PEDA system with a runtime overhead as low as 5%. The real-life intrusion studies show the advantage of PEDA intrusion analysis over existing techniques.

Original languageEnglish (US)
Article number5954181
Pages (from-to)1323-1334
Number of pages12
JournalIEEE Transactions on Information Forensics and Security
Volume6
Issue number4
DOIs
Publication statusPublished - Dec 1 2011

    Fingerprint

All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Cite this