Toward a Framework For Internet Forensic Analysis
- Yinglian Xie ,
- Dave Maltz ,
- Vyas Sekar ,
- Michael K. Reiter ,
- Hui Zhang
Proceedings of the ACM SIGCOMM Hot Topics in Networks (HotNets) 2004 |
The world of network security is an arms race where attackers
constantly change the signatures of their attacks to avoid
detection. Aiding the white-hats in this race is one fundamental
invariant across all network attacks (present and
future): for the attack to progress there must be communication
among attacker, the associated set of compromised
hosts and the victim(s), and this communication is visible to
the network. We argue that the Internet architecture should
be extended to include auditing mechanisms that enable the
forensic analysis of network data, with a goal of identifying
the true originator of each attack — even if the attacker recruits
innocent hosts as zombies or stepping stones to propagate
the attack. In this paper we outline an approach to the
problem of Attacker Identification and Attack Reconstruction,
describe the challenges involved, and explain our efforts
that show the promise of this approach.