• DocumentCode
    2178581
  • Title
    FloTracker: Log-Free and Instantaneous Host-Based Intrusion Root-Cause Analysis
  • Author
    Zonouz, Saman; Seyfi, Ahmad; Mesa, Alejandro; Salles-Loustau, Gabriel
  • Author_Institution
    Electr. & Comput. Eng, Univ. of Miami, Miami, FL, USA
  • fYear
    2013
  • fDate
    2-4 Dec. 2013
  • Firstpage
    246
  • Lastpage
    255
  • Abstract
    Preserving the availability and integrity of security-critical computer systems in an environment of fast-spreading, sophisticated intrusions requires advanced algorithms for accurate and efficient intrusion diagnosis, along with root-cause analysis techniques. In this paper we introduce FloTracker, an online, log-free, host-based root-cause analysis detection engine with instantaneous forensics capabilities. FloTracker provides security administrators, as well as automated response systems, with immediate forensics information. For instance, it identifies the intrusion's entry point into a system as soon as a critical security incident occurs, e.g., when a modification of a sensitive system file is detected within the target system. To this end, FloTracker automatically defines an access control policy set (possibly with no access restriction) for the target system that facilitates real-time backtracking of an intrusion, given a detection point. Our experimental results on a real-world SE-Linux test-bed show that FloTracker can efficiently update the system's configuration so that the modifications do not affect the system's functionality, while providing a log-free and instantaneous root-cause analysis capability.
  • Keywords
    authorisation; safety-critical software; FloTracker; access control policy set; automated response systems; forensics information; instantaneous forensics capabilities; intrusion diagnosis; log-free instantaneous host-based intrusion root-cause analysis; root-cause analysis detection engine; root-cause analysis techniques; security administrators; security incident; security-critical computer systems; system availability; system integrity; Access control; Algorithm design and analysis; Databases; Generators; Intrusion detection; Software;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Dependable Computing (PRDC), 2013 IEEE 19th Pacific Rim International Symposium on
  • Conference_Location
    Vancouver, BC
  • Type
    conf
  • DOI
    10.1109/PRDC.2013.46
  • Filename
    6820872