The Department of Computer Science at Dartmouth College announces a new technical report: The Good, the Bad, and the Actively Verified – John F Williamson

 

Dartmouth Technical Report TR2011-710 – John F Williamson

Date: December 2011

Abstract:

We believe that we can use active probing for compromise recovery. Our intent is to exploit the differences in behavior between compromised and uncompromised systems and use that information to identify those which are not behaving as expected. Those differences may indicate a deviation in either configuration or implementation from what we expect on the network, either of which suggests that the misbehaving entity might not be trustworthy. In this work, we propose and build a case for a method for using altered behavior directly resulting from or introduced as a side-effect of the compromise of a network service to detect the presence of such a compromise. We use several case studies to illustrate our technique, and demonstrate its feasibility with a software tool developed using our method.

Note:
Originally submitted November 2011

To obtain an electronic copy, point your web browser to the URL
  <http://www.cs.dartmouth.edu/reports/abstracts/TR2011-710/>.

To order a paper copy, write to reports@cs.dartmouth.edu.
Ask for technical report TR2011-710, and be sure to include your own
mailing address.

 
