Conference Paper

Network forensics: towards a classification of traceback mechanisms

Dept. of Informatics, Piraeus Univ., Greece
DOI: 10.1109/SECCMW.2005.1588288 Conference: Workshop of the 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks, 2005
Source: IEEE Xplore

ABSTRACT

The traceback problem is one of the hardest in information security and has always been the ultimate means of holding attackers accountable for their actions. This paper presents a brief overview of the traceback problem, while discussing the features of software, network and computer forensics. In the rest of this paper, various traceback mechanisms are examined and categorized according to their features and modes of operation. Finally, we propose a classification schema for all traceback methods in order to assess and combine their benefits so as to provide enough information for digital forensics analyses, thus getting, the right way, one step closer to the actual attacker.


Available from: Christos Douligeris
  • Source
    • "Then, the IP traceback problem is defined as: Given the IP address h_n, identify the actual IP addresses of hosts h_{n-1}, …, h_1. If h_1 is the source and h_n is the victim machine of a security attack, then C is called the attack path [9]."
    ABSTRACT: Network forensics deals with the capture, recording and analysis of network events in order to discover evidential information about the source of security attacks in a court of law. This paper discusses the different tools and techniques available to conduct network forensics. Some of the tools discussed include: eMailTrackerPro to identify the physical location of an email sender; Web Historian to find the duration of each visit and the files uploaded and downloaded from the visited website; packet sniffers like Ethereal to capture and analyze the data exchanged among the different computers in the network. The second half of the paper presents a survey of different IP traceback techniques like packet marking that help a forensic investigator to identify the true sources of the attacking IP packets. We also discuss the use of Honeypots and Honeynets that gather intelligence about the enemy and the tools and tactics of network intruders.
    Full-text · Article · Jan 2010
  • Source
    ABSTRACT: Purpose – Security information management systems (SIMs) have been providing a unified distributed platform for the efficient management of security information produced by corresponding mechanisms within an organization. However, these systems currently lack the capability of producing and enforcing response policies, mainly due to their limited incident response (IR) functionality. This paper explores the nature of SIMs while proposing a set of requirements that could be satisfied by SIMs for the efficient and effective handling of security incidents. Design/methodology/approach – These requirements are presented in a high-level architectural concept and include policy visualization, system intelligence to enable automated policy management, as well as, data mining elements for inspection, evaluation and enhancements of IR policies. Findings – A primitive mechanism that could guarantee the freshness and accuracy of state information that SIMs provide in order to launch solid response alarms and actions for a specific incident or a series of incidents is proposed, along with a role based access control administrative model (ARBAC) based on a corporate model for IR. Basic forensic and trace-back concepts that should be integrated into SIMs in order to provide the rich picture of the IR puzzle are also examined. Practical implications – The support of policy compliance and validation tools to SIMs is also addressed. Originality/value – The aforementioned properties could greatly assist in automating the IR capability within an organization.
    Full-text · Article · Jun 2007 · Information Management & Computer Security