Practical network support for IP traceback
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage
The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage
Efficient packet marking for large-scale IP traceback
Proceedings of the 9th ACM conference on Computer and communications security
Finding a Connection Chain for Tracing Intruders
ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones
ESORICS '02 Proceedings of the 7th European Symposium on Research in Computer Security
Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework
IFIP/Sec '01 Proceedings of the IFIP TC11 Sixteenth Annual Working Conference on Information Security: Trusted Information: The New Decade Challenge
Holding intruders accountable on the Internet
SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Proceedings of the 10th ACM conference on Computer and communications security
The loop fallacy and serialization in tracing intrusion connections through stepping stones
Proceedings of the 2004 ACM symposium on Applied computing
Remote Physical Device Fingerprinting
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Detecting long connection Chains of interactive terminal sessions
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
IEEE 802.11 user fingerprinting and its applications for intrusion detection
Computers & Mathematics with Applications
The effect of leaders on the consistency of group behaviour
International Journal of Sensor Networks
Security and Communication Networks
Temporal accountability and anonymity in medical sensor networks
Mobile Networks and Applications - Special issue on Wireless and Personal Communications
Accountability and Q-Accountable Logging in Wireless Networks
Wireless Personal Communications: An International Journal
Hi-index | 0.00 |
In order to conceal their identity and origin, network based intruders seldom attack directly from their own hosts, but rather stage their attacks through intermediate 'stepping stones'. To identify attackers behind stepping stones, it is necessary to be able to trace and correlate attack traffic through the stepping stones and construct the correct intrusion connection chain. A complete solution to the stepping stones tracing problem consists of two complementary parts. Firstly, the set of correlated connections that belongs to the same intrusion connection chain has to be identified; secondly, those correlated connections need to be serialised in order to construct the accurate and complete intrusion connection chain. Existing approaches to the tracing problem of intrusion connections through stepping stones have focused on identifying the set of correlated connections that belong to the same connection chain and have overlooked the serialisation of those correlated connections. In this paper, we use set theoretic approach to analyse the theoretical limits of the correlation-only approach, demonstrate the gap between the perfect stepping stone correlation solution and the perfect solution to the stepping stones tracing problem, and we show what it takes to fill the gap. Firstly, we identify the serialisation problem and the loop fallacy in tracing connections through stepping stones. We formally demonstrate that even the perfect correlation solution, which gives us all and only those connections that belong to the same connection chain, does not guarantee to be able to serialise the correlated connections deterministically. Secondly, we show that the complete set of correlated connections, even with loops, could be serialised deterministically without synchronised clock.We present an efficient intrusion path construction method based on adjacent correlated connection pairs. Finally, we show that the incomplete set of correlated connections due to limited observing area of stepping stones only provides enough information to construct a partial-order of subsequences of the connection chain in general, and we present an efficient way to determine when the incomplete set of correlated connections could be serialised deterministically.