Toward a Framework For Internet Forensic Analysis

The world of network security is an arms race where attackers constantly change the signatures of their attacks to avoid detection. Aiding the white-hats in this race is one fundamental invariant across all network attacks (present and future): for the attack to progress there must be communication among attacker, the associated set of compromised hosts and the victim(s), and this communication is visible to the network. We argue that the Internet architecture should be extended to include auditing mechanisms that enable the forensic analysis of network data, with a goal of identifying the true originator of each attack — even if the attacker recruits innocent hosts as zombies or stepping stones to propagate the attack. In this paper we outline an approach to the problem of Attacker Identification and Attack Reconstruction, describe the challenges involved, and explain our efforts that show the promise of this approach.

In Proceedings of the ACM SIGCOMM Hot Topics in Networks (HotNets) 2004

Details

Type: Inproceedings