Determining the originating node of network traffic is a key problem in network forensics. As a network attacker may leave little direct evidence of his identity, it is useful to find his point of entry into the network. This, along with further host-based investigation, can tie a given suspect to an attack. Past work on the origin identification problem has assumed cooperative users (authentication), simple mechanisms of origin concealment (i.e. correlating spoofed or island-hopping traffic), modified network protocols (traffic marking), or host-based protocols (e.g. Carrier's STOP protocol). As this work is usually specific to a single type of origin concealment, we know little in general about the origin identification problem. In this paper, we discuss passive approaches that do not modify traffic but instead store observations for later analysis. We present a general reference model of passive origin identification. The reference model defines the features common to all known passive origin identification systems. It is a functional model, in that it defines the components in terms of their general behavior and goals. The reference model is useful for reasoning about the behavior and flaws of origin identification systems. The model is also quite useful for discussing and teaching origin identification techniques. The model leads to several necessary and sufficient conditions for some level of passive origin identification in general. The first is separation of the network by monitors. The second is sufficient storage to permit later analysis. Furthermore, the model leads to several additional mutually sufficient conditions for passive origin identification in general. These are accurate correlation of traffic outputs to corresponding inputs and a trusted communication path between the analysis agent and the network monitors.
By examining each of these conditions in the context of their applicability to forensic evidence, we suggest that passive origin identification will remain a preliminary investigation tool unless monitors are widely deployed in network hosts. This work is the first general theoretical framework for network forensics using passive monitors. It facilitates comparison of origin identification techniques and suggests new problems facing the field.
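The conditions above (monitors that separate the network, stored observations, and correlation of each monitor's outputs to its inputs) can be made concrete with a small simulation of an analysis agent tracing a flow back toward its origin. This is an added example, not code from the paper; the topology, node names, flow identifiers and observation format are constructed for it.

```python
"""Toy passive origin identification in a store-and-forward network."""

# Constructed topology: directed links (upstream -> downstream). Hosts A, B, D, E
# and relays R1, R2, C forward traffic toward the target host V.
LINKS = [("A", "R1"), ("B", "R1"), ("R1", "R2"), ("D", "C"), ("E", "C"),
         ("C", "R2"), ("R2", "V")]

def upstream_of(node):
    """Nodes with a link into `node`."""
    return {u for u, d in LINKS if d == node}

# Constructed monitor stores: node -> observations (in_from, out_to, flow_id).
# A node that originates a flow records in_from=None; the target records
# out_to=None. Node C carries no monitor at all.
OBSERVATIONS = {
    "A":  [(None, "R1", "f1")],
    "B":  [(None, "R1", "f2")],
    "R1": [("A", "R2", "f1"), ("B", "R2", "f2")],
    "R2": [("R1", "V", "f1"), ("R1", "V", "f2"), ("C", "V", "f3")],
    "V":  [("R2", None, "f1"), ("R2", None, "f2"), ("R2", None, "f3")],
}

def trace_origin(flow_id, monitors, target="V"):
    """Analysis agent: walk upstream from `target`, correlating each monitored
    node's output for `flow_id` with the input it came from.

    Returns (origin, path, candidates): origin is the identified node, or None
    when the chain breaks; candidates is the smallest set the agent can still
    vouch for (the origin alone, or the unmonitored node plus everything that
    could feed it)."""
    path, node, downstream = [target], target, None
    while True:
        if node not in monitors:
            # Separation condition fails here: the flow may have entered at this
            # node or at any node behind it, and nothing recorded which.
            return None, path, {node} | upstream_of(node)
        matches = [o for o in monitors[node]
                   if o[2] == flow_id and o[1] == downstream]
        if len(matches) != 1:
            # Storage or correlation failure: observation lost or ambiguous.
            return None, path, set()
        in_from = matches[0][0]
        if in_from is None:
            return node, path, {node}          # reached the originating host
        path.append(in_from)
        node, downstream = in_from, node
```

Removing a monitor from `OBSERVATIONS` before calling `trace_origin` shows how the candidate set widens to the unmonitored node and every node behind it.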