Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Peng, Yihao, Ma, Biao, Wan, Hai, Zhao, Xibin
Format: Preprint
Veröffentlicht: 2025
Schlagworte:
Online-Zugang:https://arxiv.org/abs/2510.07806
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
_version_ 1866909979554873344
author Peng, Yihao
Ma, Biao
Wan, Hai
Zhao, Xibin
author_facet Peng, Yihao
Ma, Biao
Wan, Hai
Zhao, Xibin
contents Modern web application recovery presents a critical dilemma. Coarse-grained snapshot rollbacks cause unacceptable data loss for legitimate users. Surgically removing an attack's impact is hindered by a fundamental challenge in high-concurrency environments: it is difficult to attribute resulting file and database modifications to a specific attack-related request. We present Ancora, a system for precise intrusion recovery in web applications without invasive instrumentation. Ancora first isolates the full sequence of syscalls triggered by a single malicious request. Based on this sequence, Ancora addresses file and database modifications separately. To trace file changes, it builds a provenance graph that reveals all modifications, including those by exploit-spawned processes. To attribute database operations, a more difficult challenge due to connection pooling, Ancora introduces a novel spatiotemporal anchor. This anchor uses the request's network connection tuple and active time window to pinpoint exact database operations. With all malicious file and database operations precisely identified, Ancora performs a unified rewind and selective replay recovery. It reverts the system to a clean snapshot taken before the attack, then selectively re-applies only legitimate operations to both the file system and database. This completely removes the attack's effects while preserving concurrent legitimate data. We evaluated Ancora on 10 web applications and 20 CVE-based attack scenarios with concurrency up to 150 connections. Experiments demonstrate Ancora achieves 99.9% recovery accuracy with manageable overhead: up to 19.8% response latency increase and 17.8% QPS decrease in worst cases, and recovery throughput of 110.7 database operations per second and 27.2 affected files per second, effectively preserving legitimate data.
format Preprint
id arxiv_https___arxiv_org_abs_2510_07806
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Ancora: Accurate Intrusion Recovery for Web Applications
Peng, Yihao
Ma, Biao
Wan, Hai
Zhao, Xibin
Cryptography and Security
Modern web application recovery presents a critical dilemma. Coarse-grained snapshot rollbacks cause unacceptable data loss for legitimate users. Surgically removing an attack's impact is hindered by a fundamental challenge in high-concurrency environments: it is difficult to attribute resulting file and database modifications to a specific attack-related request. We present Ancora, a system for precise intrusion recovery in web applications without invasive instrumentation. Ancora first isolates the full sequence of syscalls triggered by a single malicious request. Based on this sequence, Ancora addresses file and database modifications separately. To trace file changes, it builds a provenance graph that reveals all modifications, including those by exploit-spawned processes. To attribute database operations, a more difficult challenge due to connection pooling, Ancora introduces a novel spatiotemporal anchor. This anchor uses the request's network connection tuple and active time window to pinpoint exact database operations. With all malicious file and database operations precisely identified, Ancora performs a unified rewind and selective replay recovery. It reverts the system to a clean snapshot taken before the attack, then selectively re-applies only legitimate operations to both the file system and database. This completely removes the attack's effects while preserving concurrent legitimate data. We evaluated Ancora on 10 web applications and 20 CVE-based attack scenarios with concurrency up to 150 connections. Experiments demonstrate Ancora achieves 99.9% recovery accuracy with manageable overhead: up to 19.8% response latency increase and 17.8% QPS decrease in worst cases, and recovery throughput of 110.7 database operations per second and 27.2 affected files per second, effectively preserving legitimate data.
title Ancora: Accurate Intrusion Recovery for Web Applications
topic Cryptography and Security
url https://arxiv.org/abs/2510.07806