TimeVM: A framework for online intrusion mitigation and fast recovery using multi-time-lag traffic replay

Khalid Elbadawi; Ehab Al-Shaer

doi:10.1145/1533057.1533077

TimeVM: A framework for online intrusion mitigation and fast recovery using multi-time-lag traffic replay

Khalid Elbadawi^*, Ehab Al-Shaer

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

4 Scopus citations

Abstract

Network intrusions become a signification threat to network servers and its availability. A simple intrusion can suspend the organization's network services and can lead to a financial disaster. In this paper, we propose a framework called TimeVM to mitigate, or even eliminate, the infection of a network intrusion on-line as fast as possible. The framework is based on the virtual machine technology and traffic-replay-based recovery. TimeVM gives the illusion of "time machine". TimeVM logs only the network traffic to a server and replays the logged traffic to multiple "shadow" virtual machines (Shadow VM) after different time delays (time lags). Consequently, each Shadow VM will represent the server at different time in history. When attack/infection is detected, TimeVM enables navigating through the traffic history (logs), picking uninfected Shadow VM, removing the attack traffic, and then fast-replaying the entire traffic history to this Shadow VM. As a result, a typical up-to-date uninfected version of the original system can be constructed. The paper shows the implementation details for TimeVM. It also addresses many practical challenges related to how to configure and deploy TimeVM in a system in order to minimize the recovery time. We present analytical framework and extensive evaluation to validate our approach in different environments.

Original language	English
Title of host publication	Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09
Pages	135-145
Number of pages	11
DOIs	https://doi.org/10.1145/1533057.1533077
State	Published - 2009
Externally published	Yes
Event	4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09 - Sydney, NSW, Australia Duration: 10 Mar 2009 → 12 Mar 2009

Publication series

Name	Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09

Conference

Conference	4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09
Country/Territory	Australia
City	Sydney, NSW
Period	10/03/09 → 12/03/09

Keywords

Intrusion
Mitigation
Recovery
Replay
Traffic replay
Virtual machine

ASJC Scopus subject areas

Computational Theory and Mathematics
Computer Networks and Communications
Computer Science Applications

Access to Document

10.1145/1533057.1533077

Cite this

Elbadawi, K., & Al-Shaer, E. (2009). TimeVM: A framework for online intrusion mitigation and fast recovery using multi-time-lag traffic replay. In Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09 (pp. 135-145). (Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09). https://doi.org/10.1145/1533057.1533077

Elbadawi, Khalid ; Al-Shaer, Ehab. / TimeVM : A framework for online intrusion mitigation and fast recovery using multi-time-lag traffic replay. Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09. 2009. pp. 135-145 (Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09).

@inproceedings{4e994cac6189468e82a7afd3796ecabb,

title = "TimeVM: A framework for online intrusion mitigation and fast recovery using multi-time-lag traffic replay",

abstract = "Network intrusions become a signification threat to network servers and its availability. A simple intrusion can suspend the organization's network services and can lead to a financial disaster. In this paper, we propose a framework called TimeVM to mitigate, or even eliminate, the infection of a network intrusion on-line as fast as possible. The framework is based on the virtual machine technology and traffic-replay-based recovery. TimeVM gives the illusion of {"}time machine{"}. TimeVM logs only the network traffic to a server and replays the logged traffic to multiple {"}shadow{"} virtual machines (Shadow VM) after different time delays (time lags). Consequently, each Shadow VM will represent the server at different time in history. When attack/infection is detected, TimeVM enables navigating through the traffic history (logs), picking uninfected Shadow VM, removing the attack traffic, and then fast-replaying the entire traffic history to this Shadow VM. As a result, a typical up-to-date uninfected version of the original system can be constructed. The paper shows the implementation details for TimeVM. It also addresses many practical challenges related to how to configure and deploy TimeVM in a system in order to minimize the recovery time. We present analytical framework and extensive evaluation to validate our approach in different environments.",

keywords = "Intrusion, Mitigation, Recovery, Replay, Traffic replay, Virtual machine",

author = "Khalid Elbadawi and Ehab Al-Shaer",

year = "2009",

doi = "10.1145/1533057.1533077",

language = "English",

isbn = "9781605583945",

series = "Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09",

pages = "135--145",

booktitle = "Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09",

note = "4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09 ; Conference date: 10-03-2009 Through 12-03-2009",

}

Elbadawi, K & Al-Shaer, E 2009, TimeVM: A framework for online intrusion mitigation and fast recovery using multi-time-lag traffic replay. in Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09. Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09, pp. 135-145, 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09, Sydney, NSW, Australia, 10/03/09. https://doi.org/10.1145/1533057.1533077

TimeVM: A framework for online intrusion mitigation and fast recovery using multi-time-lag traffic replay. / Elbadawi, Khalid; Al-Shaer, Ehab.
Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09. 2009. p. 135-145 (Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - TimeVM

T2 - 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09

AU - Elbadawi, Khalid

AU - Al-Shaer, Ehab

PY - 2009

Y1 - 2009

N2 - Network intrusions become a signification threat to network servers and its availability. A simple intrusion can suspend the organization's network services and can lead to a financial disaster. In this paper, we propose a framework called TimeVM to mitigate, or even eliminate, the infection of a network intrusion on-line as fast as possible. The framework is based on the virtual machine technology and traffic-replay-based recovery. TimeVM gives the illusion of "time machine". TimeVM logs only the network traffic to a server and replays the logged traffic to multiple "shadow" virtual machines (Shadow VM) after different time delays (time lags). Consequently, each Shadow VM will represent the server at different time in history. When attack/infection is detected, TimeVM enables navigating through the traffic history (logs), picking uninfected Shadow VM, removing the attack traffic, and then fast-replaying the entire traffic history to this Shadow VM. As a result, a typical up-to-date uninfected version of the original system can be constructed. The paper shows the implementation details for TimeVM. It also addresses many practical challenges related to how to configure and deploy TimeVM in a system in order to minimize the recovery time. We present analytical framework and extensive evaluation to validate our approach in different environments.

AB - Network intrusions become a signification threat to network servers and its availability. A simple intrusion can suspend the organization's network services and can lead to a financial disaster. In this paper, we propose a framework called TimeVM to mitigate, or even eliminate, the infection of a network intrusion on-line as fast as possible. The framework is based on the virtual machine technology and traffic-replay-based recovery. TimeVM gives the illusion of "time machine". TimeVM logs only the network traffic to a server and replays the logged traffic to multiple "shadow" virtual machines (Shadow VM) after different time delays (time lags). Consequently, each Shadow VM will represent the server at different time in history. When attack/infection is detected, TimeVM enables navigating through the traffic history (logs), picking uninfected Shadow VM, removing the attack traffic, and then fast-replaying the entire traffic history to this Shadow VM. As a result, a typical up-to-date uninfected version of the original system can be constructed. The paper shows the implementation details for TimeVM. It also addresses many practical challenges related to how to configure and deploy TimeVM in a system in order to minimize the recovery time. We present analytical framework and extensive evaluation to validate our approach in different environments.

KW - Intrusion

KW - Mitigation

KW - Recovery

KW - Replay

KW - Traffic replay

KW - Virtual machine

UR - http://www.scopus.com/inward/record.url?scp=77952365722&partnerID=8YFLogxK

U2 - 10.1145/1533057.1533077

DO - 10.1145/1533057.1533077

M3 - Conference contribution

AN - SCOPUS:77952365722

SN - 9781605583945

T3 - Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09

SP - 135

EP - 145

BT - Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09

Y2 - 10 March 2009 through 12 March 2009

ER -

Elbadawi K, Al-Shaer E. TimeVM: A framework for online intrusion mitigation and fast recovery using multi-time-lag traffic replay. In Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09. 2009. p. 135-145. (Proceedings of the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09). doi: 10.1145/1533057.1533077

TimeVM: A framework for online intrusion mitigation and fast recovery using multi-time-lag traffic replay

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this