Conference Paper

Network forensics: towards a classification of traceback mechanisms

Dept. of Informatics, Piraeus Univ., Greece
DOI: 10.1109/SECCMW.2005.1588288. Conference: Workshop of the 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks, 2005
Source: IEEE Xplore

ABSTRACT: The traceback problem is one of the hardest in information security, and solving it has always been the ultimate means of holding attackers accountable for their actions. This paper presents a brief overview of the traceback problem and discusses the features of software, network and computer forensics. In the rest of the paper, various traceback mechanisms are examined and categorized according to their features and modes of operation. Finally, we propose a classification schema for traceback methods in order to assess and combine their benefits, so as to provide enough information for digital forensics analyses and thus get, the right way, one step closer to the actual attacker.


Available from: Christos Douligeris, Apr 19, 2015
  • ABSTRACT: IP spoofing is one of the most common network threats today. While current IP Traceback techniques are capable of identifying the source of a message, they are limited by the huge number of messages that routers have to store to provide this facility. One way to reduce the storage overhead is to store the messages as indices in a Bloom filter. Current systems use Bloom filters at a router to know if a given message has gone through that router. However, often there is a need to know if a similar message has traversed through the router. This calls for similarity measures in the context of Bloom filters. In this paper, we develop such similarity measures (coefficients) in the context of two specialized Bloom filters: Hierarchical Bloom filter (HBF) and Winnowing Block Shingling (WBS). We compare the efficacy of these similarity measures with the Jaccard similarity coefficient. Simulations were carried out to evaluate the measures. The results indicate that the HBF measure is an optimistic metric and WBS similarity is a pessimistic measure. The Jaccard measure falls between the two. We propose a weighted metric that combines all the metrics and is more flexible than the individual measures.
    2010 IEEE International Workshop on Information Forensics and Security (WIFS); 01/2011
  • ABSTRACT: Network forensics deals with the capture, recording and analysis of network events in order to discover evidential information about the source of security attacks in a court of law. This paper discusses the different tools and techniques available to conduct network forensics. Some of the tools discussed include: eMailTrackerPro to identify the physical location of an email sender; Web Historian to find the duration of each visit and the files uploaded and downloaded from the visited website; packet sniffers like Ethereal to capture and analyze the data exchanged among the different computers in the network. The second half of the paper presents a survey of different IP traceback techniques like packet marking that help a forensic investigator to identify the true sources of the attacking IP packets. We also discuss the use of Honeypots and Honeynets that gather intelligence about the enemy and the tools and tactics of network intruders. Comment: 12 pages
  • ABSTRACT: As the actual attacker carries out an indirect attack through compromised hosts on the Internet, solutions to distributed denial-of-service (DDoS) attacks have been nontrivial. According to a recent Forrester Survey Report, DDoS ranks first in the top security issues draining time and resources in organizations. Most of the proposals that claim to prevent these attacks, or detect and recover in real time from them, are not pragmatic until significant changes are made on the Internet. Until then, response mechanisms involving post-attack forensics can be strategically useful in providing a strong deterrent. Though there is significant work reported in the literature that traces the attack to agents from the victim, there is little work on tracing the master-handler from agents, which is the focus of this article. We do forensic analysis on the system and network information gathered from an emulated master-handler agent type DDoS attack and evolve a mechanism to trace back from the agent to the master-handler system used by the actual attacker who originated the attack. We verify the applicability of this approach by tracing prototype attacks launched by using publicly available DDoS tools and datasets.
    Information Security Journal: A Global Perspective, 01/2012; 21(1):36-46. DOI: 10.1080/19393555.2011.629339
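The first related abstract above describes the hash-based family of traceback mechanisms: every router stores a digest of each forwarded packet as indices in a Bloom filter, the victim asks routers whether they have seen the digest, and filters are compared with similarity coefficients such as Jaccard. The following is an added example of that mechanism, written for this page; it is not code from any of the papers listed here. The BloomFilter, Router, traceback and run_demo names, the five-router topology, the RFC 5737 documentation addresses and all traffic are constructed for illustration, and the filter parameters (4096 bits, 4 hashes) are an arbitrary choice.

```python
import hashlib
from dataclasses import dataclass, field

# Added example (not from the paper): SPIE-style hash-based traceback. Each
# router logs a digest of every forwarded packet in a Bloom filter; the victim
# walks upstream, keeping only neighbours whose filter claims to hold the digest.


class BloomFilter:
    def __init__(self, m_bits: int = 4096, k: int = 4):
        self.m, self.k, self.bits = m_bits, k, 0  # bit vector kept in an int

    def _positions(self, item: bytes):
        for i in range(self.k):  # k positions from salted SHA-256
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits |= 1 << p

    def __contains__(self, item: bytes) -> bool:
        # "no" is always right; "yes" may be a false positive
        return all((self.bits >> p) & 1 for p in self._positions(item))

    def jaccard(self, other: "BloomFilter") -> float:
        # |A & B| / |A | B| over set bits: the baseline coefficient of the abstract
        inter = bin(self.bits & other.bits).count("1")
        union = bin(self.bits | other.bits).count("1")
        return inter / union if union else 0.0


def packet_digest(pkt: dict) -> bytes:
    # Hash only hop-invariant fields (TTL and checksum excluded) so every router
    # on the path logs the same value. The source address is taken as seen on
    # the wire, so a spoofed source does not hide the true path.
    header = f"{pkt['src']}|{pkt['dst']}|{pkt['proto']}|{pkt['ip_id']}|".encode()
    return hashlib.sha256(header + pkt["payload"][:8]).digest()


@dataclass
class Router:
    name: str
    neighbors: list = field(default_factory=list)
    log: BloomFilter = field(default_factory=BloomFilter)

    def forward(self, pkt: dict) -> None:
        self.log.add(packet_digest(pkt))
        pkt["ttl"] -= 1  # the mutable field the digest must ignore


def build_topology() -> dict:
    # Constructed: R1-R2-R3 carries the attack; R4 and R5 are off-path ingresses.
    routers = {n: Router(n) for n in ("R1", "R2", "R3", "R4", "R5")}
    for a, b in [("R1", "R2"), ("R2", "R3"), ("R4", "R2"), ("R5", "R3")]:
        routers[a].neighbors.append(b)
        routers[b].neighbors.append(a)
    return routers


def send(routers: dict, path: list, pkt: dict) -> None:
    for name in path:
        routers[name].forward(pkt)


def traceback(routers: dict, start: str, digest: bytes, path=None) -> list:
    # Returns every maximal upstream path (victim side first). A Bloom false
    # positive would appear as an extra branch; real queries use many packets.
    path = (path or []) + [start]
    if digest not in routers[start].log:
        return []
    upstream = [n for n in routers[start].neighbors
                if n not in path and digest in routers[n].log]
    if not upstream:
        return [path]
    return [p for n in upstream for p in traceback(routers, n, digest, path)]


def run_demo() -> dict:
    routers = build_topology()
    victim = "198.51.100.10"
    attack = [{"src": "203.0.113.7", "dst": victim, "proto": 6, "ip_id": 4242 + i,
               "payload": b"SYN-flood", "ttl": 64} for i in range(3)]  # spoofed src
    digest = packet_digest(attack[0])
    for pkt in attack:
        send(routers, ["R1", "R2", "R3"], pkt)
    for i in range(3):  # constructed background traffic on the off-path links
        send(routers, ["R4", "R2", "R3"], {"src": f"192.0.2.{i}", "dst": victim,
             "proto": 17, "ip_id": 100 + i, "payload": b"dns-query", "ttl": 64})
        send(routers, ["R5", "R3"], {"src": f"192.0.2.{50 + i}", "dst": victim,
             "proto": 6, "ip_id": 200 + i, "payload": b"GET / HTTP", "ttl": 64})
    never_sent = {"src": "192.0.2.99", "dst": victim, "proto": 1, "ip_id": 1,
                  "payload": b"ping", "ttl": 64}
    return {
        "digest_stable": packet_digest(attack[0]) == digest,  # TTL changed, digest not
        "paths": traceback(routers, "R3", digest),            # [["R3", "R2", "R1"]]
        "unseen": traceback(routers, "R3", packet_digest(never_sent)),  # []
        "sim_on_path": routers["R1"].log.jaccard(routers["R2"].log),
        "sim_off_path": routers["R1"].log.jaccard(routers["R4"].log),
    }
```

Calling run_demo() reconstructs the path R3, R2, R1 even though every attack packet carries a spoofed source, because the log is keyed on what each router actually forwarded rather than on the claimed sender. The Jaccard values illustrate the coefficient the abstract uses as its baseline: R1, which lies on the attack path, shares about half of its set bits with R2, while the off-path R4 shares almost none. The cost of the approach is the per-router storage the abstract is concerned with, and a filter sized too small raises the false-positive rate, which in this code would surface as spurious branches in the returned path list.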