Thomas Daniels

Abstract

Determining the originating node of network traffic is a key problem in network forensics. As it is unlikely that a network attacker will leave direct evidence of his identity, it is useful to find his point of entry into the network. This, along with further host-based investigation, can tie a given suspect to an attack. Past work on this origin identification problem has assumed cooperative users (authentication) or simple mechanisms of origin concealment (i.e. Carrier's STOP protocol). As this work is usually specific to a single type of origin concealment, we know little in general about the origin identification problem. In this paper, we discuss passive approaches that do not modify traffic, but rather store observations for later analysis.