The session token protocol for forensics and traceback-Reference-Cited by-同舟云学术

The session token protocol for forensics and traceback

Published:2004-08 Issue:3 Volume:7 Page:333-362
ISSN:1094-9224
Container-title:ACM Transactions on Information and System Security
language:en
Short-container-title:ACM Trans. Inf. Syst. Secur.

Author:

Carrier Brian¹,Shields Clay²

Affiliation:

1. Purdue University, West Lafayette, IN

2. Georgetown University, Washington, D.C.

Abstract

In this paper we present the Session Token Protocol (STOP), a new protocol that can assist in the forensic analysis of a computer involved in malicious network activity. It has been designed to help automate the process of tracing attackers who log on to a series of hosts to hide their identity. STOP utilizes the Identification Protocol infrastructure, improving both its capabilities and user privacy. On request, the STOP protocol saves user-level and application-level data associated with a particular TCP connection and returns a random token specifically related to that session. The saved data are not revealed to the requester unless the token is returned to the local administrator, who verifies the legitimacy of the need for the release of information. The protocol supports recursive traceback requests to gather information about the entire path of a connection. This allows an incident investigator to trace attackers to their home systems, but does not violate the privacy of normal users. This paper details the new protocol and presents implementation and performance results.

Publisher

Association for Computing Machinery (ACM)

Subject

Safety, Risk, Reliability and Quality,General Computer Science

Link

https://dl.acm.org/doi/pdf/10.1145/1015040.1015041

Reference42 articles.

1. Barros C. 2000. {LONG} A Proposal for ICMP Traceback Messages. Available at http://www.research.att.com/lists/ietf-itrace/2000/09/msg00044.html.]] Barros C. 2000. {LONG} A Proposal for ICMP Traceback Messages. Available at http://www.research.att.com/lists/ietf-itrace/2000/09/msg00044.html.]]

2. Bellare M. and Yee B. 1997. Forward integrity for secure audit logs. Tech. rep. (Nov.) Computer Science and Engineering Department University of California at San Diego.]] Bellare M. and Yee B. 1997. Forward integrity for secure audit logs. Tech. rep. (Nov.) Computer Science and Engineering Department University of California at San Diego.]]

3. Bellovin S. 2000. ICMP Traceback Messages. Tech. rep. draft-bellovin-itrace-00.txt (Mar.) IETF Internet draft.]] Bellovin S. 2000. ICMP Traceback Messages. Tech. rep. draft-bellovin-itrace-00.txt (Mar.) IETF Internet draft.]]

Cited by 7 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Network Forensic Attribution;Computer Communications and Networks;2016

2. An IP Traceback Model for Network Forensics;Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering;2011

3. Source attribution for network address translated forensic captures;Digital Investigation;2009-03

4. Designing Information Systems Which Manage or Avoid Privacy Incidents;Intelligence and Security Informatics;2008

5. MSP-system: Mobile Secure Passport System to detect Malicious Users;2007 IEEE SMC Information Assurance and Security Workshop;2007-06