New payload attribution methods for network forensic investigations

  • Authors (with affiliations):
  • Miroslav Ponec (Polytechnic Institute of NYU, Brooklyn, NY and Akamai Technologies, Cambridge, MA)
  • Paul Giura (Polytechnic Institute of NYU, Brooklyn, NY)
  • Joel Wein (Polytechnic Institute of NYU, Brooklyn, NY and Akamai Technologies, Cambridge, MA)
  • Hervé Brönnimann (Polytechnic Institute of NYU, Brooklyn, NY)

  • Venue:
  • ACM Transactions on Information and System Security (TISSEC)
  • Year:
  • 2010

Abstract

Payload attribution can be an important element in network forensics. Given a history of packet transmissions and an excerpt of a possible packet payload, a payload attribution system (PAS) makes it feasible to identify the sources, destinations, and times of appearance on a network of all the packets that contained the specified payload excerpt. A PAS, as one of the core components of a network forensics system, enables the investigation of cybercrime on the Internet by, for example, tracing the spread of worms and viruses, identifying who has received a phishing e-mail in an enterprise, or discovering which insider allowed an unauthorized disclosure of sensitive information. Because of the increasing volume of traffic in today's networks, it is infeasible to store and query all the actual packets for extended periods of time in order to analyze network events for investigative purposes; therefore, we focus on extremely compressed digests of the packet activity. We propose several new methods for payload attribution that utilize Rabin fingerprinting, shingling, and winnowing. Our best methods allow building practical payload attribution systems that provide data reduction ratios greater than 100:1 while supporting efficient queries with very low false positive rates. We demonstrate the properties of the proposed methods and specifically analyze their performance and practicality when used as modules of the network forensics system ForNet. Our experimental results outperform current state-of-the-art methods in terms of both false positives and data reduction ratio. Finally, these approaches directly allow the collected data to be stored and queried by an untrusted party without disclosing any payload information or the contents of queries.
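As an added illustration (not the paper's or ForNet's code), the following toy PAS shows the shingling and winnowing pipeline the abstract describes: every payload is reduced to a set of winnowed shingle fingerprints that are folded into a per-flow digest, the packet itself is discarded, and an excerpt is later attributed by checking whether all of its own winnowed fingerprints are present. The Bloom filter used as the digest, the 8-byte shingle and 4-shingle window sizes, and the blake2b hash standing in for a rolling Rabin fingerprint are this example's assumptions, and the packets are constructed sample data.

```python
import hashlib
# Demo parameters (assumptions, not the paper's): 8-byte shingles, a winnowing
# window of 4 shingles, and one small Bloom filter per flow as the digest.
SHINGLE, WINDOW, BLOOM_BITS, BLOOM_HASHES = 8, 4, 4096, 3

def shingle_hashes(data: bytes) -> list:
    """Hash every overlapping SHINGLE-byte substring (blake2b stands in for Rabin fingerprints)."""
    return [int.from_bytes(hashlib.blake2b(data[i:i + SHINGLE], digest_size=8).digest(), "big")
            for i in range(len(data) - SHINGLE + 1)]

def winnow(hashes: list) -> set:
    """Keep the minimum of each WINDOW consecutive hashes: an excerpt of at least
    SHINGLE+WINDOW-1 bytes selects a subset of its payload's fingerprints (no misses)."""
    return {min(hashes[i:i + WINDOW]) for i in range(len(hashes) - WINDOW + 1)}

class Bloom:
    """Minimal Bloom filter: the only thing retained per flow; payloads are dropped."""
    def __init__(self):
        self.bits = bytearray(BLOOM_BITS // 8)
    def _positions(self, fp: int):
        for j in range(BLOOM_HASHES):
            h = hashlib.sha256(fp.to_bytes(8, "big") + bytes([j])).digest()
            yield int.from_bytes(h[:4], "big") % BLOOM_BITS
    def add(self, fp: int):
        for i in self._positions(fp):
            self.bits[i >> 3] |= 1 << (i & 7)
    def __contains__(self, fp: int) -> bool:
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self._positions(fp))

def build_digest(packets: list) -> dict:
    """Collection side: fold each packet's winnowed fingerprints into its flow's filter."""
    digest = {}
    for key, payload in packets:
        bf = digest.setdefault(key, Bloom())
        for fp in winnow(shingle_hashes(payload)):
            bf.add(fp)
    return digest

def attribute(digest: dict, excerpt: bytes) -> list:
    """Query side: (src, dst, slot) keys whose filter holds every fingerprint of the excerpt."""
    if len(excerpt) < SHINGLE + WINDOW - 1:
        raise ValueError("excerpt too short for a guaranteed winnowing match")
    fps = winnow(shingle_hashes(excerpt))
    return sorted(k for k, bf in digest.items() if all(fp in bf for fp in fps))

# Constructed sample traffic keyed (src, dst, minute); not data from the paper.
PACKETS = [
    (("10.0.0.5", "10.0.0.9", 1), b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (("10.0.0.7", "10.0.0.9", 1), b"Subject: Please verify your account at http://login.example\r\n"),
    (("10.0.0.5", "198.51.100.2", 2), b"CONFIDENTIAL: Q3 merger plan attached. Do not forward."),
]
DIGEST = build_digest(PACKETS)
```

Because a querying party only submits fingerprints and the digest only holds filter bits, neither side reveals payload bytes, which is the property the abstract's last sentence refers to; the residual risk is the Bloom filter's false positive rate, which grows with the number of fingerprints stored per filter.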