Abstract
Network forensics deals with the capture, recording, analysis and investigation of network traffic to trace back attackers. Its ultimate goal is to provide sufficient evidence to allow the perpetrator to be prosecuted. IP traceback is an important aspect of the investigation process, in which the real attacker is identified by tracking the source address of the attack packets. In this paper we classify the various approaches to network forensics in order to list the requirements of traceback. We propose a novel model for traceback based on autonomous systems (AS) and deterministic packet marking (DPM) to enable traceback even with a single packet. The model is analyzed against various evaluation metrics. The traceback solution will be a major step in the direction of attack attribution and investigation.
Copyright information
© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Pilli, E.S., Joshi, R.C., Niyogi, R. (2011). An IP Traceback Model for Network Forensics. In: Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 53. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19513-6_11
DOI: https://doi.org/10.1007/978-3-642-19513-6_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19512-9
Online ISBN: 978-3-642-19513-6
eBook Packages: Computer Science, Computer Science (R0)