Providing Process Origin Information to Aid in Network Traceback

Get BibTex-formatted data

Download

PDF

Author

Florian Buchholz and Clay Shields

Tech report number

CERIAS TR 2002-22

Entry type

techreport

Abstract

It is desirable to hold network attackers accountable for their actions in both criminal investigatoins and information warfare situations. Currently, attackers are able to hide their location effectively by creating a chain of connections through a series of hosts. This method is effective because current host audit systems do not maintain enough information to allow association of incoming and outgoing network connections. In this paper, we introduce an inexpensive method that allows both on-line and forensic matching of incoming and outgoing network traffic. Our methd associates origin information with each process in the system process table, and enhances the audit information by logging the origin and destination of network sockets. We present implementation results and show that our methos can effecively record origin information abou the common cases of stepping stone connections and denial of service zombies, and describe the limitations of our approach.

Download

PDF

Date

2002 – July

URL

http://www.cerias.purdue.edu/i ... rchive/archive/2002-22.ps

How published

Proceedings of the 2002 USENIX Annual Technical Conference

Key alpha

Buchholz2002

Affiliation

CERIAS

Publication Date

1900-01-01

BibTex-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.

@Techreport{ Buchholz2002,
	title = "Providing Process Origin Information to Aid in Network Traceback",
	author = "Florian Buchholz and Clay Shields",
	year = "2002",
	month = "July",
	howpublished = "Proceedings of the 2002 USENIX Annual Technical Conference",
	abstract = "It is desirable to hold network attackers accountable for their actions in both criminal investigatoins and information warfare situations.  Currently, attackers are able to hide their location effectively by creating a chain of connections through a series of hosts.  This method is effective because current host audit systems do not maintain enough information to allow association of incoming and outgoing network connections.   In this paper, we introduce an inexpensive method that allows both on-line and forensic matching of incoming and outgoing network traffic.  Our methd associates origin information with each process in the system process table, and enhances the audit information by logging the origin and destination of network sockets.  We present implementation results and show that our methos can effecively record origin information abou the common cases of stepping stone connections and denial of service zombies, and describe the limitations of our approach.",
	affiliation = "CERIAS",
	url = "http://www.cerias.purdue.edu/infosec/bibtex_archive/archive/2002-22.ps",
}