Backtracking Intrusions

Analyzing intrusions today is an arduous, largely manual task because system administrators lack the information and tools needed to understand easily the sequence of steps that occurred in an attack. The goal of BackTracker is to identify automatically potential sequences of steps that occurred in an intrusion. Starting with a single detection point (e.g., a suspicious file), BackTracker
identifies files and processes that could have affected that detection
point and displays chains of events in a dependency graph. We use
BackTracker to analyze several real attacks against computers that
we set up as honeypots. In each case, BackTracker is able to highlight
effectively the entry point used to gain access to the system
and the sequence of steps from that entry point to the point at
which we noticed the intrusion. The logging required to support
BackTracker added 9% overhead in running time and generated
1.2 GB per day of log data for an operating-system intensive workload.