The document proposes a system to provide rapid recovery from cyber attacks and protect user data on computers. The system would use virtual machines (VMs) and isolate user data and applications in separate VMs. It would allow automatic checkpoints of system state to enable rollback to a trusted state if an attack is detected. The proposal outlines a prototype architecture, evaluates defenses against common attack categories and behaviors, and provides a plan to construct and integrate separate VM components for network and file system monitoring and control.

1. System Support for Rapid Recovery and Attack Resistance A Proposal Defense by Todd Deshane Advisor: Jeanna Matthews

4. "New methods are being invented, new tricks, and every year it gets worse... We are losing the battle... Most companies don't know they have been attacked." - Bruce Schneier "The average top executive doesn't understand security, but we have to change that... Security is an imperative. It's no longer just a good idea." - Allen Kerr "Virus incidences had surged between 2003, when they detected just over 10,000, and 2006, when they found 80,000. Criminal activity accounted for most of that increase." - Kaspersky Labs

5. "Very sophisticated tools are commercially available in black markets... This has made [the Internet] more attractive for organized crime: [criminals] no longer have to be geeks." - James Lewis "Although security awareness continues to improve, hackers and malicious code authors are releasing threats faster than ever before, with approximately 200 per cent more malicious threats per day than two years ago." - Stuart McClure "Over one third [of IT Companies] hit by a denial-of-service attack while over 44 percent had experienced either a pharming or cache poisoning attack." - Recent Secure64 Survey

11. Prototype Architecture

18. Evaluation of Prototype: Performance

21. Plan: Modified Architecture

24. Plan: File System Rule Language # Example file system rule set for an email client. fs_rule = [ 'id=1, read, 1024, 5' ] # read at most 1024 bytes of data in 5 seconds fs_rule = [ 'id=2, append, 1024, 3' ] # append at most 1024 bytes of data in 3 seconds. fs_rule = [ 'id=3, write, 320, 3' ] # write at most 320 bytes in 3 seconds # The email mount point is accessible to the email client, and fs_rules # with id=1 and id=2 are applied disk = [ 'fsvm:/mnt/email, /home/user/mail,fs_rule=1:2' ] # The email mount point is accessible to the email client, and fs_rules # with id=1 and id=3 are applied. disk = [ 'fsvm:/mnt/email, /home/user/attachments,fs_rule=1:3' ]

25. Plan: Network Rule Language #Email client example continued network_rule = ['id=1, iptables, file=/etc/iptables/email_client'] network_rule = ['id=2, snort, file=/etc/snort/rules/email_client'] vif = [ 'rate=2Mb/s, network_rule=1:2' ]

28. Questions/Comments?