Worm Infection Locality Supports for Efficient Traceback Forensics

Recently, crackers have used sophisticated “stepping stone” indirect attack methods to launch DDoS or worm attacks against their targets. It is very difficult to reconstruct the attack path from raw traffic data and pinpoint the source of the attack, so the traceback problem has become a challenging task for network forensics. Two network tracing problems have been widely studied in network forensics: the IP traceback problem and the traceback across stepping stones problem. Among the research that addresses the stepping-stone problem, the Random Moonwalk Trace-Back (RMT) algorithm developed at Carnegie Mellon University is one of the most effective approaches. However, RMT does not consider the locality features of the attacks. In this paper, we propose a more efficient “Locality Steering TraceBack (LST)” algorithm that improves the performance of RMT by using the locality features of worm infections. Such a technique can provide a key answer required for advancing the state of the art in DDoS mitigation and worm defenses in a realistic environment.

Keywords: Network Forensics; IP traceback; Stepping-stone attacks; Locality
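The random moonwalk traceback that the abstract builds on, shown as an added example that is not code from this paper or from the CMU RMT implementation. It works over constructed flow records (source, destination, start time): each walk picks a random flow, then repeatedly steps backwards to a random earlier flow that reached the current flow's source host within a time window, and flows that many walks pass through are ranked as the likely top of the infection tree. The flow records, the 15-second window, the hop limit and the function names are assumptions made for this illustration; the locality steering that the paper proposes is not implemented here because the abstract does not specify it.

```python
import random
from collections import Counter, defaultdict

# Constructed flow records (src, dst, start_seconds). Host A is the constructed
# worm origin: A -> B, A -> C and their descendants form the infection tree;
# the X* flows are background noise, two of which also contact infected hosts.
FLOWS = [
    ("A", "B", 10), ("A", "C", 12),
    ("B", "D", 20), ("B", "E", 22), ("C", "F", 24), ("C", "G", 26),
    ("D", "H", 30), ("E", "I", 32), ("F", "J", 34), ("G", "K", 36),
    ("H", "L", 40), ("I", "M", 42), ("J", "N", 44), ("K", "O", 46),
    ("X1", "X2", 15), ("X2", "X3", 28), ("X3", "X1", 45),
    ("X1", "D", 25), ("X5", "G", 33),
]


def index_by_destination(flows):
    """Map each destination host to the (start_time, flow_index) pairs of the
    flows that reached it, so a walk can look up who contacted a host."""
    by_dst = defaultdict(list)
    for idx, (_, dst, start) in enumerate(flows):
        by_dst[dst].append((start, idx))
    return by_dst


def moonwalk(flows, by_dst, start_idx, window, max_hops, rng):
    """One random moonwalk. From the current flow, step to a uniformly random
    earlier flow whose destination is the current flow's source host and
    which started within `window` seconds before it. Returns the visited
    flow indices; the walk ends when no such predecessor exists."""
    path = [start_idx]
    cur = start_idx
    for _ in range(max_hops):
        src, _, start = flows[cur]
        candidates = [idx for (ts, idx) in by_dst.get(src, ())
                      if start - window <= ts < start]
        if not candidates:
            break
        cur = rng.choice(candidates)
        path.append(cur)
    return path


def random_moonwalk_traceback(flows, walks=2000, window=15, max_hops=10, seed=1):
    """Run many walks from random starting flows and count how often each
    flow is visited. Flows near the root of the infection tree lie on the
    backward path of every walk that starts in their subtree, so they are
    visited far more often than leaf or background flows."""
    rng = random.Random(seed)
    by_dst = index_by_destination(flows)
    counts = Counter()
    for _ in range(walks):
        start_idx = rng.randrange(len(flows))
        for idx in moonwalk(flows, by_dst, start_idx, window, max_hops, rng):
            counts[idx] += 1
    return counts


def ranked_flows(flows, k=5, **kwargs):
    """Top-k flows by visit count, most suspicious first."""
    counts = random_moonwalk_traceback(flows, **kwargs)
    return [(flows[idx], n) for idx, n in counts.most_common(k)]


def infer_origin(flows, **kwargs):
    """Source host of the most frequently visited flow: the inferred origin."""
    return ranked_flows(flows, k=1, **kwargs)[0][0][0]


if __name__ == "__main__":
    for (src, dst, t), n in ranked_flows(FLOWS):
        print(f"{src:>3} -> {dst:<3} t={t:>3}  visits={n}")
    print("inferred origin:", infer_origin(FLOWS))
```

On this constructed data the two flows leaving host A are each expected to be visited about twice as often as any other flow, because every walk that starts anywhere in their subtree passes through them, while a walk that starts on a background flow stops after at most one hop. The window and hop limit are the parameters an analyst would tune against the real inter-infection delays of the worm being traced.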