USENIX 2002 Annual Conference - Technical Program Abstract
Providing Process Origin Information to Aid in Network Traceback
Florian P. Buchholz,
CERIAS, Purdue University; Clay Shields, Department of Computer Science, Georgetown University
Abstract
It is desirable to hold network attackers accountable for their
actions in both criminal investigations and information warfare
situations. Currently, attackers are able to hide their location
effectively by creating a chain of connections through a series of
hosts. This method is effective because current host audit systems do
not maintain enough information to allow association of incoming and
outgoing network connections. In this paper, we introduce an
inexpensive method that allows both on-line and forensic matching of
incoming and outgoing network traffic. Our method associates origin
information with each process in the system process table, and
enhances the audit information by logging the origin and destination
of network sockets. We present implementation results and show that
our method can effectively record origin information about the common
cases of stepping stone connections and denial of service zombies, and
describe the limitations of our approach.
- View the full text of this paper in
HTML,
PDF, and
PostScript.
The Proceedings are published as a collective work, © 2002 by the USENIX Association. All Rights Reserved. Rights
to individual papers remain with the author or the author's employer.
Permission is granted for the noncommercial reproduction of the complete
work for educational or research purposes. USENIX acknowledges all
trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
- To become a USENIX Member, please see our Membership Information.
|