Practical network support for IP traceback
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Untraceable electronic mail, return addresses, and digital pseudonyms
Communications of the ACM
Time, clocks, and the ordering of events in a distributed system
Communications of the ACM
Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Providing Process Origin Information to Aid in Network Traceback
ATEC '02 Proceedings of the General Track of the annual conference on USENIX Annual Technical Conference
Holding intruders accountable on the Internet
SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Reference models for the concealment and observation of origin identity in store-and-forward networks
| Hi-index | 0.00 |
Determining the originating node of network traffic is a key problem in network forensics. As a network attacker may leave little direct evidence of his identity, it is useful to find his point of entry into the network. This, along with further host-based investigation, can tie a given suspect to an attack. Past work at the origin identification problem has assumed cooperative users (authentication), simple mechanisms of origin concealment (i.e. correlating spoofing or island hopping traffic), modifying network protocols (traffic marking), or host-based protocols (e.g. Carrier's STOP protocol). As this work is usually specific to a single type of origin concealment, we know little in general about the origin identification problem. In this paper, we discuss passive approaches that do not modify traffic, but rather, they store observations for later analysis. We present a general reference model of passive origin identification. The reference model defines features of all passive origin identification systems known. It is a functional model as it defines the components in terms of their general behavior and goals. The reference model is useful for reasoning about the behavior and flaws of origin identification systems. The model is also quite useful for discussing and teaching origin identification techniques. The model leads to several necessary and sufficient conditions for some level of passive origin identification in general. The first is separation of the network by monitors. The second is sufficient storage to permit later analysis. Furthermore, the model leads to several additional mutually sufficient conditions for passive origin identification in general. These are accurate correlation of traffic outputs to corresponding inputs and a trusted communication path between the analysis agent and the network monitors. By examining each of these conditions in the context of their applicability to forensic evidence, we suggest that passive origin identification will remain a preliminary investigation tool unless monitors are widely deployed in network hosts. This work is the first general theoretical framework for network forensics using passive monitors. It facilitates comparison of origin identification techniques and suggests new problems facing the field.