OPUS: preventing weak password choices. Computers and Security.
Summary cache: a scalable wide-area Web cache sharing protocol. Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication.
Practical network support for IP traceback. Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication.
Space/time trade-offs in hash coding with allowable errors. Communications of the ACM.
Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications.
Proceedings of the twentieth annual ACM symposium on Principles of distributed computing.
The Packet Vault: Secure Storage of Network Data. Proceedings of the Workshop on Intrusion Detection and Network Monitoring.
WWW '03 Proceedings of the 12th international conference on World Wide Web.
Mnemosyne: Designing and Implementing Network Short-Term Memory. ICECCS '02 Proceedings of the Eighth International Conference on Engineering of Complex Computer Systems.
Holding intruders accountable on the Internet. SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy.
Tracing Anonymous Packets to Their Approximate Source. LISA '00 Proceedings of the 14th USENIX conference on System administration.
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9.
Bro: a system for detecting network intruders in real-time. SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7.
String matching on the internet. CAAN'04 Proceedings of the First international conference on Combinatorial and Algorithmic Aspects of Networking.
Highly efficient techniques for network forensics. Proceedings of the 14th ACM conference on Computer and communications security.
Efficient access enforcement in distributed role-based access control (RBAC) deployments. Proceedings of the 14th ACM symposium on Access control models and technologies.
New payload attribution methods for network forensic investigations. ACM Transactions on Information and System Security (TISSEC).
Computer Networks: The International Journal of Computer and Telecommunications Networking.
Network monitoring for security and forensics. ICISS'06 Proceedings of the Second international conference on Information Systems Security.
DNA-inspired information concealing: A survey. Computer Science Review.
Multi-resolution similarity hashing. Digital Investigation: The International Journal of Digital Forensics & Incident Response.
Source attribution for network address translated forensic captures. Digital Investigation: The International Journal of Digital Forensics & Incident Response.
md5bloom: Forensic filesystem hashing revisited. Digital Investigation: The International Journal of Digital Forensics & Incident Response.
"Better than nothing" privacy with bloom filters: to what extent? PSD'12 Proceedings of the 2012 international conference on Privacy in Statistical Databases.
Bloom filter applications in network security: A state-of-the-art survey. Computer Networks: The International Journal of Computer and Telecommunications Networking.
Payload attribution is an important problem often encountered in network forensics. Given an excerpt of a payload, finding its source and destination is useful for many security applications such as identifying sources and victims of a worm or virus. Although IP traceback techniques have been proposed in the literature, these techniques cannot help when we do not have the entire packet or when we only have an excerpt of the payload. In this paper, we present a payload attribution system (PAS) that attributes reasonably long excerpts of payloads to their source and/or destination hosts. The system we propose is based on a novel data structure called a Hierarchical Bloom Filter (HBF). An HBF creates compact digests of payloads and provides probabilistic answers to membership queries on the excerpts of payloads. We also present the performance analysis of the method and experimental results from a prototype demonstrating the practicality and efficacy of the system. The system can reliably work with certain packet transformations and is flexible enough to be used if the query string is spread across several packets. The system, however, can be evaded by splitting or by "stuffing" the payload. Future work focuses on making the system robust against such evasions.
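The abstract describes the Hierarchical Bloom Filter only at a high level. The Python below is an added illustration written for this page, not code from the paper or its prototype: it shows the idea of digesting a payload in aligned blocks at several granularities, binding each block to its offset and to a flow identifier, and then attributing an excerpt whose position in the original payload is unknown by trying every alignment. The 4-byte block size, the three levels, the SHA-256-derived hash family, the `level|offset|data|flow` key encoding, the flow-identifier strings and the brute-force offset search are all assumptions made for the demo; the paper's own parameters and encoding may differ.

```python
"""Simplified hierarchical Bloom filter (HBF) for payload attribution.

Added illustration, not the paper's code. Block size, hash construction and the
way offsets and flow identifiers are bound to each block are assumptions.
"""
import hashlib
from typing import Iterable, Set


class BloomFilter:
    """Plain Bloom filter: m bits, k hash positions derived from SHA-256(i || item)."""

    def __init__(self, m_bits: int = 1 << 16, k: int = 4) -> None:
        self.m = m_bits
        self.k = k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: bytes) -> Iterable[int]:
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        # Probabilistic membership: no false negatives, some false positives.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class HierarchicalBloomFilter:
    """Digests payloads in runs of `block` bytes at levels 0..levels-1.

    Level i stores aligned runs of 2**i blocks. Each run is inserted bound to
    its block offset in the payload and, in a second entry, to the flow
    identifier, so an excerpt can be checked at level 0 (single blocks) and
    then at coarser levels, which reduces the chance that unrelated blocks from
    different payloads are stitched into a false match (assumed simplification).
    """

    def __init__(self, block: int = 4, levels: int = 3, **bf_args) -> None:
        self.block = block
        self.levels = levels
        self.bf = BloomFilter(**bf_args)

    @staticmethod
    def _key(level: int, offset: int, data: bytes, flow: bytes = b"") -> bytes:
        # Assumed encoding; `data` length is fixed by `level`, so fields cannot overlap.
        return b"%d|%d|%s|%s" % (level, offset, data, flow)

    def insert(self, payload: bytes, flow: bytes) -> None:
        s = self.block
        for level in range(self.levels):
            span = s << level                      # bytes covered by one entry
            for off in range(0, len(payload) - span + 1, span):
                chunk = payload[off:off + span]
                idx = off // s                     # offset in units of blocks
                self.bf.add(self._key(level, idx, chunk))
                self.bf.add(self._key(level, idx, chunk, flow))

    def _matches(self, excerpt: bytes, start_idx: int, flow: bytes) -> bool:
        """True if every aligned run of `excerpt`, assumed to begin at block
        index `start_idx` of the original payload, is present for `flow`."""
        s = self.block
        for level in range(self.levels):
            span = s << level
            first = -(start_idx * s) % span        # distance to the first aligned run
            for off in range(first, len(excerpt) - span + 1, span):
                idx = start_idx + off // s
                if self._key(level, idx, excerpt[off:off + span], flow) not in self.bf:
                    return False
        return True

    def attribute(self, excerpt: bytes, flows: Iterable[bytes],
                  max_blocks: int = 256) -> Set[bytes]:
        """Return the candidate flows whose digests contain `excerpt`.

        The excerpt's position is unknown, so every in-block alignment and
        every starting block index up to `max_blocks` is tried.
        """
        s = self.block
        hits = set()
        for flow in flows:
            for shift in range(s):                 # drop leading bytes until block-aligned
                aligned = excerpt[shift:]
                aligned = aligned[: len(aligned) - len(aligned) % s]
                if len(aligned) < s:
                    continue
                if any(self._matches(aligned, idx, flow) for idx in range(max_blocks)):
                    hits.add(flow)
                    break
        return hits


if __name__ == "__main__":
    # Constructed sample payloads and flow identifiers for the demo.
    hbf = HierarchicalBloomFilter(block=4, levels=3)
    hbf.insert(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n", b"10.0.0.5->10.0.0.9")
    hbf.insert(b"some other unrelated payload bytes here!!", b"10.0.0.7->10.0.0.9")
    flows = [b"10.0.0.5->10.0.0.9", b"10.0.0.7->10.0.0.9"]
    print(hbf.attribute(b"index.html HTTP", flows))
```

Because only the digest is retained, the filter answers "this excerpt was (probably) seen in this flow" without storing the payload itself; the abstract's caveat applies unchanged here, since an excerpt shorter than one block, or one whose bytes were split or stuffed across block boundaries, produces no aligned run and is not found.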