Abstract
Intruders usually log in through a chain of multiple computer systems to hide their origins before breaking into their targets, which makes tracing difficult. In this paper we present a method to find the connection chain of an intruder for tracing back to the origin. We focus on telnet and rlogin as interactive applications intruders use to log in through hosts.
The method involves setting up packet monitors at as many traffic points as possible on the Internet to record the activities of intruders at the packet level. When a host is compromised and used as a step-through host to access another host, we compare the packet logs of the intruder at that host to logs we have recorded all over the Internet to find the closest match. We define the ‘deviation’ for one packet stream on a connection from another, and implement a system to compute deviations. If a deviation is small, the two connections must be in the same connection chain. We present some experimental results showing that the deviation for two unrelated packet streams is large enough to be distinguished from the deviation for packet streams on connections in the same chain.
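As an added illustration of the curve-matching idea in the abstract (this is example code written for this page, not the authors' system, and the concrete metric below is this example's own simplification, not the paper's exact definition of deviation): each stream is one direction of a telnet or rlogin connection, recorded as (time in ms, payload bytes); a later hop in the chain carries the same bytes after some propagation delay, so sliding its cumulative-bytes curve earlier by that delay makes it nearly coincide with the upstream curve, while an unrelated session never lines up. The sample streams, the shift grid and the threshold are constructed assumptions.

```python
"""Illustrative 'deviation' between two interactive packet streams.

Added example, not code from the paper. The metric is a simplified
version of the idea in the abstract: align the cumulative-bytes-versus-time
curve of one connection with that of another under a time shift and
measure how far apart they stay. It is an assumption of this example,
not the authors' exact definition of deviation.
"""
from typing import List, Tuple

# One direction of one telnet/rlogin TCP connection, as (time_ms, payload_bytes).
# Integer milliseconds keep the arithmetic exact.
Stream = List[Tuple[int, int]]

# Constructed sample data (not captured traffic).
# UPSTREAM: keystrokes typed into the attacker's first hop.
UPSTREAM: Stream = [(0, 1), (310, 1), (550, 1), (920, 1), (1400, 1),
                    (1770, 1), (2100, 2), (2450, 1), (3020, 1), (3300, 1)]
# DOWNSTREAM: the same bytes relayed by the step-through host 80-90 ms later.
DOWNSTREAM: Stream = [(t + d, n) for (t, n), d in
                      zip(UPSTREAM, [80, 90, 80, 90, 90, 80, 90, 80, 90, 80])]
# UNRELATED: another user's interactive session seen in the same capture window.
UNRELATED: Stream = [(50, 4), (400, 1), (700, 2), (1250, 1), (1600, 3),
                     (2300, 1), (2900, 2), (3500, 1)]


def cumulative_bytes(stream: Stream, t: int) -> int:
    """Payload bytes delivered on `stream` at or before time t (ms)."""
    return sum(n for ts, n in stream if ts <= t)


def mean_gap(a: Stream, b: Stream, shift: int) -> float:
    """Average |cumA(t) - cumB(t + shift)| over the event times of both curves.

    `b` is expected to carry the bytes of `a` about `shift` ms later, so its
    curve is slid earlier by `shift` before the comparison.
    """
    times = sorted({ts for ts, _ in a} | {ts - shift for ts, _ in b})
    gaps = [abs(cumulative_bytes(a, t) - cumulative_bytes(b, t + shift)) for t in times]
    return sum(gaps) / len(gaps)


def deviation(a: Stream, b: Stream, max_shift_ms: int = 2000, step_ms: int = 10) -> float:
    """Deviation of b from a: the smallest mean gap over shifts in [0, max_shift_ms],
    normalised by the total bytes of `a` so streams of different sizes compare.

    For a later hop of the same chain some shift makes the curves nearly
    coincide and the deviation is small; for unrelated streams no shift does.
    """
    total_a = sum(n for _, n in a) or 1
    best = min(mean_gap(a, b, s) for s in range(0, max_shift_ms + 1, step_ms))
    return best / total_a


def same_chain(a: Stream, b: Stream, threshold: float = 0.1) -> bool:
    """Decision rule: a small deviation means b is a later hop of a's chain.

    The threshold is an assumption of this example; in practice it would be
    calibrated from observed chained and unrelated pairs.
    """
    return deviation(a, b) < threshold


if __name__ == "__main__":
    print(f"chained:   {deviation(UPSTREAM, DOWNSTREAM):.4f}")
    print(f"unrelated: {deviation(UPSTREAM, UNRELATED):.4f}")
```

The chained pair aligns at a shift of about 90 ms, leaving only the few bytes whose relay jitter differs from that shift as residual gap; the unrelated pair stays several bytes apart at every sample point for every shift, so the two cases separate by an order of magnitude. Because the search runs over non-negative shifts only, the first argument must be the upstream (earlier) connection.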
References
Jung, H.T., et al.: Caller Identification System in the Internet Environment. In: Proceedings of the 4th Usenix Security Symposium (1993)
Kantor, B.: BSD Rlogin. Request For Comments RFC 1282 (1991)
Postel, J.: Transmission Control Protocol. Internet Standards STD 7 (1981)
Postel, J., Reynolds, J.: Telnet Protocol. Internet Standards STD 8 (1983)
Snapp, S., et al.: DIDS (Distributed Intrusion Detection System): Motivation, Architecture, and an Early Prototype. In: Proceedings of the 14th National Computer Security Conference (1991)
Staniford-Chen, S., Heberlein, L.T.: Holding Intruders Accountable on the Internet. In: Proceedings of the 1995 IEEE Symposium on Security and Privacy (1995)
Stevens, W.R.: TCP/IP Illustrated, vol. 1. Addison Wesley, Reading (1994)
Stoll, C.: The Cuckoo's Egg. Doubleday (1987)
Tsutsui, H.: Distributed Computer Networks for Tracking the Access Path of a User. United States Patent 5,220,655 (June 15, 1993)
Wadell, S.: Private Communications (1994)
© 2000 Springer-Verlag Berlin Heidelberg
Cite this paper
Yoda, K., Etoh, H. (2000). Finding a Connection Chain for Tracing Intruders. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds) Computer Security - ESORICS 2000. ESORICS 2000. Lecture Notes in Computer Science, vol 1895. Springer, Berlin, Heidelberg. https://doi.org/10.1007/10722599_12
DOI: https://doi.org/10.1007/10722599_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41031-7
Online ISBN: 978-3-540-45299-7
eBook Packages: Springer Book Archive