MIT researchers tout network intrusion recovery system
MIT Computer Science and Artificial Intelligence Laboratory researchers will next week detail a system they say will make it easier for companies to recover from nasty security intrusions.
The system, known as RETRO, lets administrators specify offending actions, such as a TCP connection or an HTTP request from an adversary, that they want to undo. RETRO then repairs the computer's file system by selectively undoing the offending actions: that is, it constructs a new system state in which the offending actions never took place but all legitimate actions remain. By selectively undoing the adversary's changes while preserving user data, RETRO makes intrusion recovery more practical, the researchers state in a paper to be presented at next week's 9th USENIX Symposium on Operating Systems Design and Implementation.
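The contrast between conventional rollback and selective undo, as an added toy model (not RETRO's code): a constructed in-memory file system and action log are replayed from a checkpoint, once truncated at the attack and once with only the offending action skipped. The action identifiers, paths and the "a2" adversary request are all constructed for the illustration.

```python
"""Toy model of selective intrusion undo: replay an action history from a
checkpoint, skipping the offending actions, so legitimate work done after the
intrusion is kept (illustrative, not RETRO's implementation)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

FS = Dict[str, str]  # in-memory file system: path -> contents (constructed)

@dataclass(frozen=True)
class Action:
    id: str      # hypothetical action identifier
    source: str  # "user" or "adversary": a label for the reader only
    op: str      # "write", "append" or "copy"
    path: str    # file the action modifies
    arg: str     # data to write/append, or the source path for "copy"

def apply_action(fs: FS, a: Action) -> None:
    if a.op == "write":
        fs[a.path] = a.arg
    elif a.op == "append":
        fs[a.path] = fs.get(a.path, "") + a.arg
    elif a.op == "copy":  # reads a.arg, so its result depends on earlier actions
        fs[a.path] = fs.get(a.arg, "")
    else:
        raise ValueError(f"unknown op {a.op}")

def replay(checkpoint: FS, log: List[Action], skip: FrozenSet[str] = frozenset()) -> FS:
    fs = dict(checkpoint)  # never mutate the checkpoint itself
    for a in log:
        if a.id not in skip:
            apply_action(fs, a)
    return fs

def rollback(checkpoint: FS, log: List[Action], attack_index: int) -> FS:
    # Conventional recovery: restore the backup taken before the attack.
    # Every action after that point, legitimate or not, is lost.
    return replay(checkpoint, log[:attack_index])

def selective_undo(checkpoint: FS, log: List[Action], offending: FrozenSet[str]) -> FS:
    # Re-execute every legitimate action in order. An action that read
    # attacker-tainted data (a4 below) now runs against clean input.
    return replay(checkpoint, log, skip=offending)

# Constructed checkpoint and history; "a2" stands for the adversary's request.
CHECKPOINT: FS = {"/var/www/index.html": "<h1>Welcome</h1>", "/home/alice/notes.txt": "day 1\n"}
LOG = [
    Action("a1", "user", "append", "/home/alice/notes.txt", "day 2\n"),
    Action("a2", "adversary", "write", "/var/www/index.html", "<h1>defaced</h1>"),
    Action("a3", "user", "append", "/home/alice/notes.txt", "day 3\n"),
    Action("a4", "user", "copy", "/srv/mirror/index.html", "/var/www/index.html"),
]
```

Running `rollback(CHECKPOINT, LOG, 1)` drops the user's day 3 notes and the mirror copy, while `selective_undo(CHECKPOINT, LOG, frozenset({"a2"}))` keeps both and the mirror ends up holding the clean page because the copy was re-executed after the defacement was removed.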
"Even if the user diligently makes a complete backup of their system every day, recovering from the attack requires rolling back to the most recent backup before the attack, thereby losing any changes made since then. Since many adversaries go to great lengths to prevent the compromise from being discovered, it can take days or weeks for a user to discover that their machine has been broken into, resulting in a loss of all user work from that period of time," the researchers stated.