Network Forensic Attribution

  • Chapter
Fundamentals of Network Forensics

Part of the book series: Computer Communications and Networks ((CCN))

Abstract

Attribution is the process of investigating an attack and tracing it back to the host or party responsible for it. This chapter discusses the attribution phase of network forensics. IP traceback is presented with its relevance to network forensics, covering autonomous-system-based traceback, router and interface marking, and network forensic traceback. The treatment of network forensic traceback also relates the various traceback mechanisms to one another.
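The router-marking approach named above is easiest to see in a small simulation. The following is an added example, not code from the chapter: it implements the edge-sampling variant of probabilistic packet marking described by Savage et al. (each router, with a small probability p, overwrites a start/end/distance mark in the packet, otherwise it closes or lengthens the edge it carries) together with the victim-side reconstruction, for one honest run and one run in which the attacker pre-fills the mark fields. The router names, the attack path, the packet count and the RNG seed are all constructed; the real scheme packs the three fields into the 16-bit IP identification field, whereas here they are kept as plain attributes so the logic stays visible.

```python
"""Edge-sampling probabilistic packet marking and victim-side path
reconstruction (after Savage et al.), as a self-contained simulation.
Everything here is constructed: router names, the attack path, packet
counts and the RNG seed are illustrative, not real traffic."""
import random
from dataclasses import dataclass
from typing import Optional

MARK_PROB = 0.04  # per-router marking probability p (about 1/25)

# Constructed attack path, listed from the attacker's first-hop router (R1)
# to the router adjacent to the victim (R5).
ATTACK_PATH = ["R1", "R2", "R3", "R4", "R5"]


@dataclass
class Packet:
    """The three marking fields. A real deployment overloads the 16-bit IP
    identification field for them; here they are ordinary attributes."""
    start: Optional[str] = None
    end: Optional[str] = None
    distance: int = 0


def router_mark(router: str, pkt: Packet, rng: random.Random, p: float = MARK_PROB) -> None:
    """Edge sampling as performed by one router on one forwarded packet."""
    if rng.random() < p:
        # Start a fresh edge at this router; whatever the packet carried is lost.
        pkt.start, pkt.end, pkt.distance = router, None, 0
    else:
        if pkt.distance == 0:
            # We are the next hop after whoever started the edge: close it.
            pkt.end = router
        pkt.distance += 1


def simulate(path, n_packets: int, seed: int, spoof: Optional[str] = None):
    """Send n_packets along path and return the (start, end, distance) marks
    as the victim receives them. If spoof is given, the attacker pre-fills
    the mark fields of every packet to implicate a bogus upstream router."""
    rng = random.Random(seed)
    marks = []
    for _ in range(n_packets):
        pkt = Packet()
        if spoof is not None:
            pkt.start, pkt.end, pkt.distance = spoof, spoof, 0
        for router in path:
            router_mark(router, pkt, rng)
        marks.append((pkt.start, pkt.end, pkt.distance))
    return marks


def reconstruct_path(marks):
    """Victim-side reconstruction: group sampled edges by distance and walk
    outward from the victim while consecutive edges chain together."""
    by_distance = {}
    for start, end, d in marks:
        if start is None:          # never marked by any router: no edge to use
            continue
        by_distance.setdefault(d, set()).add((start, end))

    path = []
    d = 0
    while d in by_distance:
        if d == 0:
            # The router adjacent to the victim has nobody after it to close its edge.
            candidates = [s for s, e in by_distance[d] if e is None]
        else:
            candidates = [s for s, e in by_distance[d] if e == path[-1]]
        if len(candidates) != 1:
            break                  # chain broken or ambiguous: stop here
        path.append(candidates[0])
        d += 1
    return path


def trace(n_packets: int = 3000, seed: int = 7, spoof: Optional[str] = None):
    """Run the simulation and reconstruct the path as seen from the victim."""
    return reconstruct_path(simulate(ATTACK_PATH, n_packets, seed, spoof))


if __name__ == "__main__":
    print("honest attacker  :", trace())
    print("spoofing attacker:", trace(spoof="BOGUS"))
```

The spoofing run shows the property a practitioner should keep in mind when reading a reconstructed path: because every router on the path increments the distance field, an attacker-supplied mark can never appear closer to the victim than the true path length, so the first hops out from the victim are trustworthy; beyond that, the forged edge (BOGUS, R1) chains onto the real first-hop router and the victim has no way, from the marks alone, to tell where the genuine path ends and the forged tail begins.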

Copyright information

© 2016 Springer-Verlag London

Cite this chapter

Joshi, R.C., Pilli, E.S. (2016). Network Forensic Attribution. In: Fundamentals of Network Forensics. Computer Communications and Networks. Springer, London. https://doi.org/10.1007/978-1-4471-7299-4_7

  • DOI: https://doi.org/10.1007/978-1-4471-7299-4_7

  • Publisher Name: Springer, London

  • Print ISBN: 978-1-4471-7297-0

  • Online ISBN: 978-1-4471-7299-4