Providing process origin information to aid in computer forensic investigations

The number of computer attacks has been growing dramatically as the Internet has grown. Attackers currently have little or no disincentive to conducting attacks because they are able to hide their location effectively by creating a chain of connections through a series of hosts. This method is effective because most current host audit systems do not maintain enough information to allow association of incoming and outgoing network connections. In this paper, we introduce an inexpensive method that allows both on-line and forensic matching of incoming and outgoing network traffic. Our method makes small modifications to the operating system that associate origin information with each process in the system process table, and enhances the audit information by logging the origin and destination of network sockets. We present implementation results, show that our method can effectively record origin information about a variety of attacks, and describe the limitations of our approach.
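The abstract describes two mechanisms: an origin tag carried in the process table and inherited across fork, and socket audit records that carry that tag. The following Python model is an added illustration, not the paper's kernel code or any code from the authors. It assumes a constructed minimal process table, that an endpoint is an (address, port) pair, and a simplified rule of the model's own (not stated in the abstract): a daemon that accepts a connection and then forks hands the accepted remote endpoint to the child as its origin. All addresses, ports and pids are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model, not the paper's implementation. An endpoint is (address, port).
Endpoint = Tuple[str, int]


@dataclass
class Process:
    pid: int
    ppid: int
    # Remote endpoint of the inbound connection from which this process descends;
    # None for processes started locally (init, cron, console logins).
    origin: Optional[Endpoint] = None
    # Remote endpoint of the connection this process most recently accepted.
    # Assumption of this model: a daemon that accept()s and then fork()s hands
    # that endpoint to the child as the child's origin.
    last_accepted: Optional[Endpoint] = None

    def effective_origin(self) -> Optional[Endpoint]:
        return self.origin if self.origin is not None else self.last_accepted


@dataclass
class AuditRecord:
    event: str                   # "accept" or "connect"
    pid: int
    origin: Optional[Endpoint]   # origin tag of the process when the event occurred
    local: Endpoint
    remote: Endpoint


class OriginTrackingHost:
    """Minimal process table plus a socket audit log that carries origin tags."""

    def __init__(self) -> None:
        self.procs: Dict[int, Process] = {1: Process(pid=1, ppid=0)}  # init, no origin
        self.next_pid = 2
        self.audit: List[AuditRecord] = []

    def fork(self, parent_pid: int) -> int:
        parent = self.procs[parent_pid]
        # The child inherits the parent's origin tag (process-table field).
        child = Process(pid=self.next_pid, ppid=parent_pid,
                        origin=parent.effective_origin())
        self.procs[child.pid] = child
        self.next_pid += 1
        return child.pid

    def accept(self, pid: int, local: Endpoint, remote: Endpoint) -> None:
        proc = self.procs[pid]
        proc.last_accepted = remote
        self.audit.append(AuditRecord("accept", pid, proc.effective_origin(), local, remote))

    def connect(self, pid: int, local: Endpoint, remote: Endpoint) -> None:
        proc = self.procs[pid]
        # Outgoing socket: log destination together with the process's origin tag.
        self.audit.append(AuditRecord("connect", pid, proc.effective_origin(), local, remote))


def trace_outgoing(audit: List[AuditRecord], remote: Endpoint) -> Optional[Endpoint]:
    """Forensic query: which inbound connection led to the outgoing connection to `remote`?"""
    for rec in audit:
        if rec.event == "connect" and rec.remote == remote:
            return rec.origin
    return None


def outbound_for_origin(audit: List[AuditRecord], origin: Endpoint) -> List[Endpoint]:
    """On-line query: every outgoing destination reached by processes with this origin."""
    return [rec.remote for rec in audit if rec.event == "connect" and rec.origin == origin]


def build_scenario() -> OriginTrackingHost:
    """Constructed scenario: two inbound sessions, one of which hops onward, plus a local job."""
    host = OriginTrackingHost()
    sshd = host.fork(1)                                   # pid 2: long-running daemon, no origin
    host.accept(sshd, ("10.0.0.5", 22), ("203.0.113.7", 51234))
    session_a = host.fork(sshd)                           # pid 3: origin 203.0.113.7:51234
    shell_a = host.fork(session_a)                        # pid 4 inherits the same origin
    host.connect(shell_a, ("10.0.0.5", 40001), ("198.51.100.9", 22))   # onward hop
    cron_job = host.fork(1)                               # pid 5: local, no origin
    host.connect(cron_job, ("10.0.0.5", 40002), ("192.0.2.1", 80))
    host.accept(sshd, ("10.0.0.5", 22), ("203.0.113.8", 40000))
    session_b = host.fork(sshd)                           # pid 6: origin 203.0.113.8:40000
    host.connect(session_b, ("10.0.0.5", 40003), ("198.51.100.10", 22))
    return host
```

Each `connect` record answers only one question: which inbound connection, if any, the connecting process descends from. That is one hop of a connection chain; reconstructing the whole chain means repeating the query on the host named by each returned origin, so every host in the chain must keep such records for the trace to complete, which is the scope the abstract's limitations refer to.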
