论文信息 - Correlating Temporal Thumbprints for Tracing Intruders

Correlating Temporal Thumbprints for Tracing Intruders

The Design of TCP/IP protocol makes it difficult to reliably traceback to the original attackers if they obscure their identities by logging through a chain of multiple hosts. A thumbprint method based on connection content was proposed in 1995 to traceback attackers, but this method is limited to non-encrypted sessions. In this paper, we propose a thumbprint based on time intervals, T-thumbprint, to identify a connection. T-thumbprint is a sequence of time gaps between adjacent TCP ‘Send’ packets of an interactive terminal session. An algorithm is presented to correlate two T-thumbprints to see if they belong to the same connection chain. We also discuss how to use T-thumbprints to traceback an attacker on the Internet, and how to defeat attacker’s manipulation. T-thumbprint has advantages of: (1) It can be applied to encrypt sessions; (2) It does not require tightly synchronized clocks; (3) It can defeat attacker’s manipulation to some extent; and (4) It is efficient, can be used to trace attackers in real time.

Shou-Hsuan Stephen Huang | Jianhua Yang

[1] Shou-Hsuan Stephen Huang,et al. A real-time algorithm to detect long connection chains of interactive terminal sessions , 2004, InfoSecu '04.

[2] Tatu Ylonen,et al. SSH: secure login connections over the internet , 1996 .

[3] Biswanath Mukherjee,et al. Analysis of an algorithm for distributed recognition and accountability , 1993, CCS '93.

[4] Stuart Staniford-Chen,et al. Holding intruders accountable on the Internet , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[5] Hiroaki Etoh,et al. Finding a Connection Chain for Tracing Intruders , 2000, ESORICS.

[6] Kwong H. Yung. Detecting Long Connection Chains of Interactive Terminal Sessions , 2002, RAID.

[7] J. Elliott,et al. Distributed denial of service attacks and the zombie ant effect , 2000 .

[8] Anna R. Karlin,et al. Network support for IP traceback , 2001, TNET.

[9] Craig Partridge,et al. Single-packet IP traceback , 2002, TNET.

[10] Yin Zhang,et al. Detecting Stepping Stones , 2000, USENIX Security Symposium.

[11] Dirk Fox. Computer Emergency Response Team (CERT) , 2002, Datenschutz und Datensicherheit.

[12] Biswanath Mukherjee,et al. DIDS (distributed intrusion detection system)—motivation, architecture, and an early prototype , 1997 .