Session Based Packet Marking and Auditing for Network Forensics Abstract

The widely acknowledged problem of reliably identifying the origin of network data has been the subject of many research works. Due to the nature of Internet Protocol, a source IP can be easily falsified which results in numerous problems, including the infamous denial of service attacks. In this paper, two light-weight novel approaches are proposed to solve this problem by providing simple and effective logging and IP-Traceback mechanism: Session Based Packet Logging (SBL) and SYN Based Packet Marking (SYNPM). The contribution of these schemes lies in the fact that they are easy to be implemented with little overhead and are practical under sensitive privacy regulations, since they do not need to access detailed contents of each individual communication session. Currently, SBL and SYNPM approaches support only TCP sessions. I