Network-based intrusion has become a serious threat to today's highly networked information systems, yet the overwhelming majority of current network security mechanisms are "passive" in response to network-based attacks. In particular, tracing and detecting the source of a network-based intrusion has been left largely untouched by existing intrusion detection mechanisms. The fact that intruders can log in through a series of hosts before attacking the final target makes it extremely difficult to trace the real source of network-based intrusions. In this paper, we apply active networking principles to the problem of tracing network-based intrusions over such chained connections, and propose a novel intrusion response framework: Sleepy Watermark Tracing (SWT). SWT is "sleepy" in that it introduces no overhead while no intrusion is detected. Yet it is "active" in that, once an intrusion is detected, the target injects a watermark into the backward connection of the intrusion and wakes up and collaborates with the intermediate routers along the intrusion path. By integrating a sleepy intrusion response scheme, a watermark correlation technique, and an active tracing protocol, SWT provides highly efficient and accurate source tracing of interactive intrusions through chained telnet or rlogin connections. Our prototype shows that SWT can trace back to the farthest trustworthy security gateway towards the origin of the intrusion within one keystroke. With its unique active tracing, SWT can even trace when the intrusion connections are left idle by the intruder.
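The three ingredients the abstract names (a sleepy response that does no work until detection, watermark injection into the backward stream at the target, and hop-by-hop correlation at cooperating gateways) can be seen together in a small simulation. The code below is an added example written for this page, not the authors' SWT prototype: the host names, connection ids, decoy sessions and trusted-gateway set are constructed, and the watermark is assumed to be a run of character/backspace pairs so that an ordinary terminal renders it to nothing; the paper's own watermark encoding is not reproduced here.

```python
"""Toy simulation of watermark tracing over a chained telnet/rlogin login path.
Added example; assumptions are marked in comments."""
from dataclasses import dataclass, field


def make_watermark(tag: str) -> bytes:
    # Assumed encoding for this demo: each tag character is followed by a
    # backspace, so the sequence is invisible on the intruder's terminal.
    return b"".join(ch.encode("ascii") + b"\x08" for ch in tag)


def render(stream: bytes) -> str:
    """Minimal terminal emulation: a backspace erases the previous visible char."""
    out = []
    for b in stream:
        if b == 0x08:
            if out:
                out.pop()
        else:
            out.append(chr(b))
    return "".join(out)


@dataclass
class Connection:
    cid: str
    src: str               # host that initiated the login
    dst: str               # host logged into
    backward: bytes = b""  # output flowing dst -> src (echo, program output)


@dataclass
class Host:
    name: str
    relays: dict = field(default_factory=dict)  # incoming cid -> outgoing cid


class Network:
    def __init__(self):
        self.hosts = {}
        self.conns = {}
        self.awake = set()  # gateways woken for tracing; empty while "sleepy"

    def add_host(self, name):
        self.hosts[name] = Host(name)

    def connect(self, cid, src, dst):
        self.conns[cid] = Connection(cid, src, dst)

    def chain(self, host, cin, cout):
        """A session arriving on cin at host logs onward over cout; the host
        copies cout's output into cin's backward stream, as telnet does."""
        self.hosts[host].relays[cin] = cout

    def send_backward(self, cid, data):
        conn = self.conns[cid]
        conn.backward += data
        for cin, cout in self.hosts[conn.src].relays.items():
            if cout == cid:
                self.send_backward(cin, data)  # propagates hop by hop upstream

    def trace(self, start_cid, watermark, trusted):
        """Active tracing: walk upstream while the upstream host runs a trusted
        gateway; at each hop correlate the watermark against the backward
        streams of every connection entering that host."""
        path, cid = [start_cid], start_cid
        while True:
            host = self.conns[cid].src
            if host not in trusted:
                return path, host  # no cooperating gateway beyond this point
            self.awake.add(host)
            hits = [c.cid for c in self.conns.values()
                    if c.dst == host and watermark in c.backward]
            if len(hits) != 1:
                return path, host
            cid = hits[0]
            path.append(cid)


def demo():
    """Constructed scenario: intruder A -> B -> C -> target T, plus two
    unrelated sessions into B and C that must not be mistaken for the path."""
    net = Network()
    for h in "ABCDET":
        net.add_host(h)
    net.connect("c1", "A", "B")
    net.connect("c2", "B", "C")
    net.connect("c3", "C", "T")
    net.chain("B", "c1", "c2")
    net.chain("C", "c2", "c3")
    net.connect("c4", "D", "B")  # decoy session
    net.connect("c5", "E", "C")  # decoy session
    # Ordinary output on every connection; no gateway is woken for any of it.
    net.send_backward("c3", b"$ ")
    net.send_backward("c4", b"$ total 12\r\n")
    net.send_backward("c5", b"$ ")
    sleepy = not net.awake
    # T detects an intrusion on c3 and injects the watermark into its backward
    # stream; no keystroke from the intruder is needed for it to propagate.
    wm = make_watermark("SWT7")
    net.send_backward("c3", wm)
    path, origin = net.trace("c3", wm, trusted={"B", "C"})
    return path, origin, sorted(net.awake), render(net.conns["c1"].backward), sleepy


if __name__ == "__main__":
    print(demo())
```

In the scenario the trace walks c3 -> c2 -> c1 and stops at A, the first host without a cooperating gateway, while the decoy connections c4 and c5 are rejected because their backward streams never carry the watermark; the rendered view of c1 shows that the intruder's terminal displays only the original prompt.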