3 research outputs found
A Logarithmic and Exponentiation Based IP Traceback Scheme with Zero Logging and Storage Overhead
IP spoofing is sending Internet Protocol (IP) packets with a forged source IP address to conceal the identity of the sender. A Denial-of-Service attack is an attempt to make a machine unavailable to the intended users. This attack employs IP Spoofing to flood the victim with overwhelming traffic, thus bringing it down. To prevent such attacks, it is essential to find out the real source of these attacks. IP Traceback is a technique for reliably determining the true origin of a packet. To traceback, a marking and a traceback algorithm are proposed here which use logarithmic and exponentiation respectively. The time required for marking and traceback has been evaluated and compared with state-of-art techniques. The percentage of increase in marking information is found to be very less in the proposed system. It is also demonstrated that the proposed system does not require logging at any of the intermediate routers thus leading to zero logging and storage overhead. The system also provides 100% traceback accuracy
Wide spectrum attribution: Using deception for attribution intelligence in cyber attacks
Modern cyber attacks have evolved considerably. The skill level required to conduct
a cyber attack is low. Computing power is cheap, targets are diverse and plentiful.
Point-and-click crimeware kits are widely circulated in the underground economy, while
source code for sophisticated malware such as Stuxnet is available for all to download
and repurpose. Despite decades of research into defensive techniques, such as firewalls,
intrusion detection systems, anti-virus, code auditing, etc, the quantity of successful
cyber attacks continues to increase, as does the number of vulnerabilities identified.
Measures to identify perpetrators, known as attribution, have existed for as long as there
have been cyber attacks. The most actively researched technical attribution techniques
involve the marking and logging of network packets. These techniques are performed
by network devices along the packet journey, which most often requires modification of
existing router hardware and/or software, or the inclusion of additional devices. These
modifications require wide-scale infrastructure changes that are not only complex and
costly, but invoke legal, ethical and governance issues. The usefulness of these techniques
is also often questioned, as attack actors use multiple stepping stones, often innocent
systems that have been compromised, to mask the true source. As such, this thesis
identifies that no publicly known previous work has been deployed on a wide-scale basis
in the Internet infrastructure.
This research investigates the use of an often overlooked tool for attribution: cyber de-
ception. The main contribution of this work is a significant advancement in the field of
deception and honeypots as technical attribution techniques. Specifically, the design and
implementation of two novel honeypot approaches; i) Deception Inside Credential Engine
(DICE), that uses policy and honeytokens to identify adversaries returning from different
origins and ii) Adaptive Honeynet Framework (AHFW), an introspection and adaptive
honeynet framework that uses actor-dependent triggers to modify the honeynet envi-
ronment, to engage the adversary, increasing the quantity and diversity of interactions.
The two approaches are based on a systematic review of the technical attribution litera-
ture that was used to derive a set of requirements for honeypots as technical attribution
techniques. Both approaches lead the way for further research in this field
A Denial-of-Service-Resistant IP Traceback Approach
Identifying the origins of a Distributed Denial-of-Service (DDoS) attack is among the hardest research topics in the Internet security area. In this paper, we propose a multifunctional, secure, and DoS-resistant ICMP message scheme. This straightforward method allows victims not only to identify the sources of a DDoS attack but also to authenticate the ICMP Caddie messages received. Besides IP traceback, potential applications include packet dropping detection, feedback based routing, Traceroute, packet authentication and authorization, and confirmed anonymous communication. This paper describes the design of the iCaddie, and discusses its potentials. 1