Summary by Cristina Abad - cabad@uiuc.edu
Discussed in the Security Reading Group (Dec 1, 2003)

This paper presents and describes BackTracker, a tool that helps security administrators understand intrusions. BackTracker logs events in a system, relates them to one another, and presents them visually as a dependency graph. The user gives the tool a single detection point (e.g. a suspicious file), and BackTracker automatically generates a dependency graph showing which earlier events could be related to the point being analyzed.

BackTracker has two parts: an on-line logger and an off-line graph generator. The logger records events that induce dependency relations, each identified by a source object, a sink object and a time interval. Dependencies can be of type process/process, process/file and process/filename. Analyzing the dependency graphs can be time consuming, so the tool provides filtering mechanisms to reduce the size of the graphs. The authors also give some simple intuition about which kinds of dependencies can be safely filtered out. They "evaluated" the tool by using it to generate the dependency graphs for three real attacks and one simulated attack.

Pros:
* Good idea, well explained
* It raises interesting (implementation) issues
* It is a good step forward in tools for forensic analysis of detected intrusions
* Overhead is reasonable for some uses (but not all)
* Very well motivated

Cons:
* Evaluation section is not very strong
* It is unclear whether some design decisions apply only to the selected attacks
* Its effectiveness is unclear
* Processing overhead may be overwhelming for some uses
* Attacks that span several days may be hard or impossible to track
* Dependency filtering:
  - It seems that they could filter effectively because they knew what they were looking for
* They mention that BackTracker currently logs and analyzes only high-control events, but it seems that the classification of events as "high-control events" was done by analyzing just a couple of attacks.

Votes: 9 accept, 2 weak accepts -CA
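A worked example of the backward search the summary describes, added here and not code from the paper or from BackTracker itself: a constructed event log in the logger's form (source object, sink object, time interval), a search from one detection point that keeps only events which could have preceded it, and an ignore set standing in for the paper's filtering mechanisms. The threshold rule used (an event is relevant if it started no later than its sink's threshold time; its source then matters only up to the end of that event's interval) is an assumed simplification, not the paper's exact rule.

```python
from collections import deque, namedtuple

# One logged event per dependency-inducing operation (constructed sample log, not
# real BackTracker output). kind: dependency type; src/sink: objects; start/end:
# the event's time interval. Object names are hypothetical.
Event = namedtuple("Event", "kind src sink start end")

SAMPLE_LOG = [
    Event("process/process", "proc:sshd", "proc:sh", 1, 1),          # sshd forks a shell
    Event("process/file", "file:/tmp/script", "proc:sh", 2, 2),     # shell reads a script
    Event("process/process", "proc:sh", "proc:wget", 3, 3),         # shell forks wget
    Event("process/file", "file:/etc/motd", "proc:sh", 4, 4),       # read AFTER the fork
    Event("process/file", "proc:wget", "file:/tmp/kit", 5, 6),      # wget writes the kit
    Event("process/process", "proc:cron", "proc:logrotate", 7, 7),  # unrelated activity
    Event("process/file", "proc:logrotate", "file:/tmp/kit", 9, 9), # write after detection
]


def backtrack(events, detection_point, detection_time, ignore=frozenset()):
    """Backward dependency graph from a single detection point.

    Returns the set of (src, sink) edges whose events could have influenced
    `detection_point` as it was observed at `detection_time`. An event is kept
    if its sink is already of interest and it started no later than that
    object's threshold time; the source then becomes of interest up to the end
    of the event's interval (or the sink's threshold, whichever is earlier).
    Objects in `ignore` are a crude filter that prunes whole subgraphs.
    """
    threshold = {detection_point: detection_time}
    worklist = deque([detection_point])
    edges = set()
    while worklist:
        obj = worklist.popleft()
        for ev in events:
            if ev.sink != obj or ev.start > threshold[obj] or ev.src in ignore:
                continue
            edges.add((ev.src, ev.sink))
            src_time = min(ev.end, threshold[obj])
            # Revisit a source only if this event widens its window of interest.
            if ev.src not in threshold or src_time > threshold[ev.src]:
                threshold[ev.src] = src_time
                worklist.append(ev.src)
    return edges


if __name__ == "__main__":
    for src, sink in sorted(backtrack(SAMPLE_LOG, "file:/tmp/kit", 8)):
        print(f"{src} -> {sink}")
```

Note that the read of `/etc/motd` is dropped purely because of the time interval: it happened after the shell had already forked `wget`, so it could not have influenced the file found at the detection point.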