Internet Ballistics: Retrieving Forensic Data From Network Scans

Bryan Parno and Tony Bartoletti

Abstract

Network scanners constantly probe the Livermore network looking for vulnerabilities. Analyzing packet arrival timing data reveals highly distinctive patterns that may correlate with the attacker's choice of tools, physical platform and/or network location. Consistent identification will improve network security and aid counterintelligence efforts. We have developed tools to preprocess scan data, using wavelet techniques to achieve a compression ratio of over 1,000x while still preserving the essential features. Initial experiments indicate our methods consistently identify patterns in the data.

Details

Publication type: Miscellaneous
Book title: 13th USENIX Security Symposium
Publisher: USENIX