A cop on the beat: collecting and appraising intrusion evidence
Communications of the ACM
Practical network support for IP traceback
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
A protocol for anonymous communication over the Internet
Proceedings of the 7th ACM conference on Computer and communications security
Network traffic tracking systems: folly in the large?
Proceedings of the 2000 workshop on New security paradigms
Network support for IP traceback
IEEE/ACM Transactions on Networking (TON)
Abstraction-based intrusion detection in distributed environments
ACM Transactions on Information and System Security (TISSEC)
Sleepy watermark tracing: an active network-based intrusion response framework
Sec '01 Proceedings of the 16th international conference on Information security: Trusted information: the new decade challenge
Computer Networks: The International Journal of Computer and Telecommunications Networking
Hordes: a multicast based protocol for anonymity
Journal of Computer Security
Computer Networks: The International Journal of Computer and Telecommunications Networking
Intruder tracing through dynamic extension of a security domain
Journal of Network and Computer Applications
Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones
ESORICS '02 Proceedings of the 7th European Symposium on Research in Computer Security
Providing Process Origin Information to Aid in Network Traceback
ATEC '02 Proceedings of the General Track of the annual conference on USENIX Annual Technical Conference
Real-Time Intruder Tracing through Self-Replication
ISC '02 Proceedings of the 5th International Conference on Information Security
Journal of Computer Security
Proceedings of the 10th ACM conference on Computer and communications security
The loop fallacy and serialization in tracing intrusion connections through stepping stones
Proceedings of the 2004 ACM symposium on Applied computing
The session token protocol for forensics and traceback
ACM Transactions on Information and System Security (TISSEC)
Payload attribution via hierarchical bloom filters
Proceedings of the 11th ACM conference on Computer and communications security
The predecessor attack: An analysis of a threat to anonymous communications systems
ACM Transactions on Information and System Security (TISSEC)
A real-time algorithm to detect long connection chains of interactive terminal sessions
InfoSecu '04 Proceedings of the 3rd international conference on Information security
Providing process origin information to aid in computer forensic investigations
Journal of Computer Security
Tracking anonymous peer-to-peer VoIP calls on the internet
Proceedings of the 12th ACM conference on Computer and communications security
Semi-automated discovery of application session structure
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Detecting Denial-of-Service attacks using the wavelet transform
Computer Communications
Highly efficient techniques for network forensics
Proceedings of the 14th ACM conference on Computer and communications security
Logging based IP Traceback in switched ethernets
Proceedings of the 1st European Workshop on System Security
International Journal of Security and Networks
Profiling distributed connection chains
International Journal of Communication Networks and Distributed Systems
SRUTI'07 Proceedings of the 3rd USENIX workshop on Steps to reducing unwanted traffic on the internet
Detecting Stepping-Stone Intrusion and Resisting Evasion through TCP/IP Packets Cross-Matching
ATC '08 Proceedings of the 5th international conference on Autonomic and Trusted Computing
ODISET: On-line distributed session tracing using agents
IJCAI'03 Proceedings of the 18th international joint conference on Artificial intelligence
Neural networks-based detection of stepping-stone intrusion
Expert Systems with Applications: An International Journal
New payload attribution methods for network forensic investigations
ACM Transactions on Information and System Security (TISSEC)
The sisterhood of the traveling packets
NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
Detecting long connection Chains of interactive terminal sessions
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
A modular architecture for distributed IDS in MANET
ICCSA'03 Proceedings of the 2003 international conference on Computational science and its applications: PartIII
Network-based real-time connection traceback system (NRCTS) with packet marking technology
ICCSA'03 Proceedings of the 2003 international conference on Computational science and its applications: PartII
Distributed detection of multi-hop information flows with fusion capacity constraints
IEEE Transactions on Signal Processing
Evading stepping-stone detection under the cloak of streaming media with SNEAK
Computer Networks: The International Journal of Computer and Telecommunications Networking
Packet scheduling against stepping-stone attacks with chaff
MILCOM'06 Proceedings of the 2006 IEEE conference on Military communications
An efficient TCP/IP packet matching algorithm to detect stepping-stone intrusion
2009 Information Security Curriculum Development Conference
Exposing invisible timing-based traffic watermarks with BACKLIT
Proceedings of the 27th Annual Computer Security Applications Conference
Resistance analysis to intruders' evasion of detecting intrusion
ISC'06 Proceedings of the 9th international conference on Information Security
PDCAT'04 Proceedings of the 5th international conference on Parallel and Distributed Computing: applications and Technologies
Resistance analysis to intruders’ evasion of a novel algorithm to detect stepping-stone
ATC'06 Proceedings of the Third international conference on Autonomic and Trusted Computing
Constructing correlations in attack connection chains using active perturbation
AAIM'05 Proceedings of the First international conference on Algorithmic Applications in Management
Improved thumbprint and its application for intrusion detection
ICCNMC'05 Proceedings of the Third international conference on Networking and Mobile Computing
Constructing correlations of perturbed connections under packets loss and disorder
ICCNMC'05 Proceedings of the Third international conference on Networking and Mobile Computing
Interval-based flow watermarking for tracing interactive traffic
Computer Networks: The International Journal of Computer and Telecommunications Networking
Rate-Based watermark traceback: a new approach
ISPEC'10 Proceedings of the 6th international conference on Information Security Practice and Experience
Probabilistic proof of an algorithm to compute TCP packet round-trip time for intrusion detection
ACNS'06 Proceedings of the 4th international conference on Applied Cryptography and Network Security
Finding TCP packet round-trip time for intrusion detection: algorithm and analysis
CANS'06 Proceedings of the 5th international conference on Cryptology and Network Security
Modeling requests among cooperating intrusion detection systems
Computer Communications
Design and implementation of a decentralized prototype system for detecting distributed attacks
Computer Communications
A functional reference model of passive systems for tracing network traffic
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Stepping-stone detection via request-response traffic analysis
ATC'07 Proceedings of the 4th international conference on Autonomic and Trusted Computing
| Hi-index | 0.02 |
Abstract: This paper addresses the problem of tracing intruders who obscure their identity by logging through a chain of multiple machines. After discussing previous approaches to this problem, we introduce thumbprints which are short summaries of the content of a connection. These can be compared to determine whether two connections contain the same text and are therefore likely to be part of the same connection chain. We enumerate the properties a thumbprint needs to have to work in practice, and then define a class of local thumbprints which have the desired properties. A methodology from multivariate statistics called principal component analysis is used to infer the best choice of thumbprinting parameters from data. Currently our thumbprints require 24 bytes per minute per connection. We develop an algorithm to compare these thumbprints which allows for the possibility that data may leak from one time-interval to the next. We present experimental data showing that our scheme works on a local area network.