Modern web application recovery presents a critical dilemma. Coarse-grained snapshot rollbacks cause unacceptable data loss for legitimate users. Surgically removing an attack's impact is hindered by a fundamental challenge in high-concurrency environments: it is difficult to attribute resulting file and database modifications to a specific attack-related request. We present Ancora, a system for precise intrusion recovery in web applications without invasive instrumentation. Ancora first isolates the full sequence of syscalls triggered by a single malicious request. Based on this sequence, Ancora addresses file and database modifications separately. To trace file changes, it builds a provenance graph that reveals all modifications, including those by exploit-spawned processes. To attribute database operations, a more difficult challenge due to connection pooling, Ancora introduces a novel spatiotemporal anchor. This anchor uses the request's network connection tuple and active time window to pinpoint exact database operations. With all malicious file and database operations precisely identified, Ancora performs a unified rewind and selective replay recovery. It reverts the system to a clean snapshot taken before the attack, then selectively re-applies only legitimate operations to both the file system and database. This completely removes the attack's effects while preserving concurrent legitimate data. We evaluated Ancora on 10 web applications and 20 CVE-based attack scenarios with concurrency up to 150 connections. Experiments demonstrate Ancora achieves 99.9% recovery accuracy with manageable overhead: up to 19.8% response latency increase and 17.8% QPS decrease in worst cases, and recovery throughput of 110.7 database operations per second and 27.2 affected files per second, effectively preserving legitimate data.
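The spatiotemporal anchor and the rewind-and-selective-replay step described above, as an added toy model that is not Ancora's own code. It assumes the anchor is the pooled database connection tuple a request's handler used (taken from its syscalls) together with the time window of that request's database activity, and it stands in for SQL with a key-value store so that the attribution and replay logic can run offline; the requests, operations, and connection tuples are constructed sample data.

```python
"""Toy model of spatiotemporal anchoring plus rewind-and-selective-replay.

Assumption (not from the paper's text): a request anchor is the DB connection
tuple its handler wrote on, plus the window [t_start, t_end] in which it did so.
A DB-side write log records the connection it arrived on and a timestamp.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Conn = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class RequestAnchor:
    request_id: str
    db_conn: Conn      # pooled DB connection the handler used for this request
    t_start: float     # first DB send observed for the request
    t_end: float       # last DB recv observed for the request
    malicious: bool = False  # set by the detector; the attack request to remove


@dataclass(frozen=True)
class DbOp:
    op_id: int
    conn: Conn         # connection the DB server saw the statement on
    ts: float          # DB-side timestamp of the statement
    kind: str          # "set" or "del": toy stand-in for SQL writes
    key: str
    value: Optional[str] = None


def attribute(op: DbOp, anchors: List[RequestAnchor]) -> Optional[str]:
    """Return the request whose anchor (same connection AND inside its window)
    covers this operation, or None if no request claims it."""
    matches = [a.request_id for a in anchors
               if a.db_conn == op.conn and a.t_start <= op.ts <= a.t_end]
    if len(matches) > 1:  # two requests on one connection at once: pool misuse
        raise ValueError(f"ambiguous attribution for op {op.op_id}: {matches}")
    return matches[0] if matches else None


def apply_op(state: Dict[str, str], op: DbOp) -> None:
    """Replay one write against the toy store."""
    if op.kind == "set":
        state[op.key] = op.value
    elif op.kind == "del":
        state.pop(op.key, None)
    else:
        raise ValueError(f"unknown op kind {op.kind!r}")


def recover(snapshot: Dict[str, str], ops: List[DbOp],
            anchors: List[RequestAnchor]) -> Tuple[Dict[str, str], List[int]]:
    """Rewind to the clean snapshot, then replay every operation except those
    attributed to a malicious request. Returns (state, dropped_op_ids)."""
    malicious = {a.request_id for a in anchors if a.malicious}
    state = dict(snapshot)
    dropped: List[int] = []
    for op in sorted(ops, key=lambda o: (o.ts, o.op_id)):
        if attribute(op, anchors) in malicious:
            dropped.append(op.op_id)
            continue
        apply_op(state, op)
    return state, dropped


def legit_ops_lost_by_plain_rollback(ops, anchors) -> int:
    """How many legitimate writes a coarse snapshot rollback would discard."""
    malicious = {a.request_id for a in anchors if a.malicious}
    return sum(1 for op in ops if attribute(op, anchors) not in malicious)


# Constructed sample data: two pooled connections from the app server to the DB.
C1: Conn = ("10.0.0.5", 51000, "10.0.0.9", 3306)
C2: Conn = ("10.0.0.5", 51001, "10.0.0.9", 3306)

ANCHORS = [
    RequestAnchor("R1", C1, 1.0, 2.0),                   # legitimate, on C1
    RequestAnchor("R2", C1, 3.0, 4.0, malicious=True),   # attack, reuses C1
    RequestAnchor("R3", C2, 3.2, 3.8),                   # legitimate, concurrent on C2
    RequestAnchor("R4", C1, 5.0, 6.0),                   # legitimate, C1 again
]

OPS = [
    DbOp(1, C1, 1.5, "set", "user:alice", "role=user"),
    DbOp(2, C1, 3.3, "set", "user:mallory", "role=admin"),  # attacker's write
    DbOp(3, C2, 3.5, "set", "order:42", "status=paid"),     # overlaps R2 in time only
    DbOp(4, C1, 3.7, "del", "user:alice"),                  # attacker's write
    DbOp(5, C1, 5.5, "set", "user:bob", "role=user"),       # same connection, later
]

SNAPSHOT = {"config:site": "v1"}  # clean state taken before the attack


def demo():
    state, dropped = recover(SNAPSHOT, OPS, ANCHORS)
    lost = legit_ops_lost_by_plain_rollback(OPS, ANCHORS)
    return state, dropped, lost


if __name__ == "__main__":
    s, d, lost = demo()
    print("dropped malicious ops:", d)
    print("recovered state:", s)
    print("legitimate ops a plain snapshot rollback would lose:", lost)
```

Operation 3 overlaps the attack's time window but sits on a different connection, and operation 5 sits on the attack's connection but after the pool handed it to a later request; both survive, which is exactly the distinction the connection tuple alone or the time window alone could not make.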