Venue: 4th ACM symposium on information, computer and communications security 2009

TimeVM: A Framework for Online Intrusion Mitigation and Fast Recovery Using Multi-Time-Lag Traffic Replay



Abstract

Network intrusions have become a significant threat to network servers and their availability. A simple intrusion can suspend an organization's network services and can lead to a financial disaster. In this paper, we propose a framework called TimeVM to mitigate, or even eliminate, the infection caused by a network intrusion on-line, as fast as possible. The framework is based on virtual machine technology and traffic-replay-based recovery. TimeVM gives the illusion of a "time machine". TimeVM logs only the network traffic to a server and replays the logged traffic to multiple "shadow" virtual machines (Shadow VMs) after different time delays (time lags). Consequently, each Shadow VM represents the server at a different point in its history. When an attack/infection is detected, TimeVM enables navigating through the traffic history (logs), picking an uninfected Shadow VM, removing the attack traffic, and then fast-replaying the entire remaining traffic history to this Shadow VM. As a result, an up-to-date, uninfected version of the original system can be constructed. The paper shows the implementation details of TimeVM. It also addresses many practical challenges related to how to configure and deploy TimeVM in a system in order to minimize the recovery time. We present an analytical framework and extensive evaluation to validate our approach in different environments.
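The recovery logic described in the abstract, as an added illustration that is not the authors' code: a request log is replayed to several shadow copies of a toy key-value server, each lagging wall-clock time by a different amount. On detection, the least-lagged shadow that has not yet consumed any attack traffic is chosen, the attack entries are dropped from the remaining history, and that history is fast-replayed to bring the shadow up to date. The `Entry`, `Server`, `ShadowVM` and `recover` names, the `malicious` label (standing in for whatever the detector flags after the fact) and the sample log are all constructed assumptions; the `fast_replayed` count is what the deployment question in the abstract is about, since a shorter usable lag means less history to replay.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added illustration of the TimeVM idea (not the paper's code): a request
# log is replayed to shadow servers that each lag real time by a different
# amount, and recovery fast-replays attack-free history to a clean shadow.


@dataclass(frozen=True)
class Entry:
    ts: int                 # arrival time of the request (constructed units)
    op: str                 # "set" or "del"
    key: str
    value: str = ""
    malicious: bool = False  # label the detector attaches after the fact (constructed)


class Server:
    """Toy stateful service. A malicious request leaves persistent state behind."""

    def __init__(self) -> None:
        self.data: Dict[str, str] = {}
        self.infected = False

    def apply(self, e: Entry) -> None:
        if e.malicious:
            self.infected = True               # model of a successful compromise
            self.data["__persist__"] = "yes"   # attacker-added state that recovery must not carry over
        elif e.op == "set":
            self.data[e.key] = e.value
        elif e.op == "del":
            self.data.pop(e.key, None)


class ShadowVM:
    """A copy of the server that only sees requests at least `lag` old."""

    def __init__(self, lag: int) -> None:
        self.lag = lag
        self.server = Server()
        self.replayed = 0  # index of the next log entry to apply

    def catch_up(self, log: List[Entry], now: int) -> None:
        # Apply every entry whose arrival time is at least `lag` in the past.
        while self.replayed < len(log) and log[self.replayed].ts <= now - self.lag:
            self.server.apply(log[self.replayed])
            self.replayed += 1


def recover(log: List[Entry], shadows: List[ShadowVM], now: int,
            is_attack: Callable[[Entry], bool]) -> Optional[dict]:
    for s in shadows:
        s.catch_up(log, now)
    # Candidates: shadows that have not yet consumed any attack traffic.
    clean = [s for s in shadows if not any(is_attack(e) for e in log[: s.replayed])]
    if not clean:
        return None  # every lag is shorter than the attacker's dwell time
    chosen = min(clean, key=lambda s: s.lag)  # least lag = least history to fast-replay
    applied = 0
    for e in log[chosen.replayed:]:
        if is_attack(e):
            continue  # strip the attack traffic from the replayed history
        chosen.server.apply(e)
        applied += 1
    chosen.replayed = len(log)
    return {"chosen_lag": chosen.lag, "state": dict(chosen.server.data),
            "infected": chosen.server.infected, "fast_replayed": applied}


# Constructed sample traffic log; the entry at ts=25 is the intrusion.
LOG = [
    Entry(0, "set", "user:1", "alice"),
    Entry(10, "set", "user:2", "bob"),
    Entry(25, "set", "cfg", "evil", malicious=True),
    Entry(40, "set", "user:3", "carol"),
    Entry(50, "set", "cfg", "v2"),
]


def recover_demo(now: int = 60, lags=(0, 20, 40)) -> Optional[dict]:
    shadows = [ShadowVM(lag) for lag in lags]
    return recover(LOG, shadows, now, lambda e: e.malicious)


if __name__ == "__main__":
    print(recover_demo())             # clean shadow at lag 40, two entries fast-replayed
    print(recover_demo(lags=(0, 20))) # None: no shadow predates the intrusion
```

With the sample log and lags of 0, 20 and 40 units, detection at time 60 finds the lag-0 and lag-20 shadows already past the attack entry, so the lag-40 shadow is chosen and only two clean entries need replaying; with lags of just 0 and 20 no shadow predates the intrusion and `recover` returns `None`, which is the configuration failure the abstract's deployment discussion is meant to avoid.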
