Using Probing Packets to Repair The Incomplete IP Traceback

Huang, Ming-Cheng

23 June 2004

An enhancement of probability packet marking (PPM) used to trace back the DoS attacker is proposed by this paper. Our work is based on the probabilistic packet marking algorithm by Savage[1] in which an attack graph can be reconstructed by a victim site. Furthermore, we discuss some routers which do not support PPM in attacked path called non-PPM router. We use algorithm to recover one and two successive non-PPM routers. Recover three and four successive non-PPM routers by using IP RR (record routing) option. Five successive non-PPM routers and above are between two PPM routers, we discuss about Loosen Source Routing that record all traveled IP addresses into IP header. The temp table record edges which produced by proposed algorithm. And the hop table records which path the packet come from. Before the PPM system run, routers send probe packets we proposed above to recover the incomplete attack path.

DoS

IP traceback

A method to enhance the accuracy of digital forensics in the absence of complete evidence in Saudi Arabia

Alanazi, Fahad Mosalm

January 2017

The tremendous increase in the use of digital devices has led to their involvement in the vast majority of current criminal investigations. As a result, digital forensics has increasingly become one of the most important aspects of criminal investigations. The digital forensics process involves consideration of a number of important phases in order to achieve the required level of accuracy and to reach a successful conclusion of the investigation into the digital aspects of crimes; through obtaining acceptable evidence for use in a court of law. There have been a number of models developed and produced since 1984 to support the digital investigation processes. In this submission, I introduce a proposed model for the digital investigation processes which is based on the scope of the Saudi Arabia investigation process, which has been integrated with existing models of digital investigation processes and has produced a new phase to deal with a situation where there is insufficient evidence. In this research, grounded theory has been adopted as a research method to investigate and explore the participant’s perspectives and their opinions regarding the adoption of a method of a digital forensics investigation process in the absence of complete evidence in the Saudi Arabian context. The interaction of investigators with digital forensics processes involves the social aspect of digital investigation which is why it was suitable to adopt a grounded theory approach. A semi-structured data collection approach has been adopted, to enable the participants to express their visions, concerns, opinions and feelings related to factors that impact the adoption of the DF model for use in cases where there is an absence of sufficient evidence in Saudi Arabia. The proposed model emerged after conducting a number of interviews and analysing the data of this research. The researcher developed the proposed model based on the answers of the participant which helped the researcher to find a solution for dealing with cases where there is insufficient evidence, through adding a unique step in the investigation process, the “TraceBack” Phase. This study is the first in Saudi Arabia to be developed to enhance the accuracy of digital forensics in the absence of sufficient evidence, which opens a new method of research. It is also the first time has been employed a grounded theory in a digital forensics study in the Saudi context, where it was used in a digital forensics study, which indicates the possibility of applying this methodology to this field.

600

Denial of Service Traceback: an Ant-Based Approach

Yang, Chia-Ru

14 July 2005

The Denial-of-Service (DoS) attacks with the source IP address spoofing techniques has become a major threat to the Internet. An intrusion detection system is often used to detect DoS attacks and to coordinate with the firewall to block them. However, DoS attack packets consume and may exhaust all the resources, causing degrading network performance or, even worse, network breakdown. A proactive approach to DoS attacks is allocating the original attack host(s) issuing the attacks and stopping the malicious traffic, instead of wasting resources on the attack traffic. In this research, an ant-based traceback approach is proposed to identify the DoS attack origin. Instead of creating a new type or function needed by the router or proceeding the high volume, find-grained data, the proposed traceback approach uses flow level information to spot the origin of a DoS attack. Two characteristics of ant algorithm, quick convergence and heuristic, are adopted in the proposed approach on finding the DoS attack path. Quick convergence efficiently finds out the origin of a DoS attack; heuristic gives the solution even though partial flow information is provided by the network. The proposed method is validated and evaluated through the preliminary experiments and simulations generating various network environments by network simulator, NS-2. The simulation results show that the proposed method can successfully and efficiently find the DoS attack path in various simulated network environments, with full and partial flow information provided by the network.

IP traceback

Ant Algorithm

DoS

NetFlow

Data-Link Layer Traceback in Ethernet Networks

Snow, Michael Thomas

07 December 2006

The design of the most commonly-used Internet and Local Area Network protocols provide no way of verifying the sender of a packet is who it claims to be. Protocols and applications exist that provide authentication but these are generally for special use cases. A malicious host can easily launch an attack while pretending to be another host to avoid being discovered. At worst, the behavior may implicate a legitimate host causing it and the user to be kicked off the network. A malicious host may further conceal its location by sending the attack packets from one or more remotely-controlled hosts. Current research has provided techniques to support traceback, the process of determining the complete attack path from the victim back to the attack coordinator. Most of this research focuses on IP traceback, from the victim through the Internet to the edge of the network containing the attack packet source, and Stepping-Stone traceback, from source to the host controlling the attack. However, little research has been conducted on the problem of Data-Link Layer Traceback (DLT), the process of tracing frames from the network edge to the attack source, across what is usually a layer-2 network. We propose a scheme called Tagged-fRAme tracebaCK (TRACK) that provides a secure, reliable DLT technique for Ethernet networks. TRACK defines processes for Ethernet switches and a centralized storage and lookup host. As a frame enters a TRACK-enabled network, a tag is added indicating the switch and port on which the frame entered the network. This tag is collected at the network edge for later use in the traceback operation. An authentication method is defined to prevent unauthorized entities from generating or modifying tag data. Simulation results indicate that TRACK provides accurate DLT operation while causing minimal impact on network and application performance. / Master of Science

Traceback

Link Layer

Ethernet

Wired Networks

Hospital Based Traceback of Ovarian Cancer Patients: a Feasibility Study

Weinmann, Simone Marin

January 2021

No description available.

Genetics

Ovarian cancer

Traceback

recontact

genetics

PERFORMANCE EVALUATION OF A TTL-BASED DYNAMIC MARKING SCHEME IN IP TRACEBACK

Devasundaram, Shanmuga Sundaram

January 2006

No description available.

Computer Science

IP traceback

distributed denial-of-service attacks

DDoS

DoS

dynamic packetmarking

traceback

Denial of Service attacks: path reconstruction for IP traceback using Adjusted Probabilistic Packet Marking

Dube, Raghav

17 February 2005

The use of Internet has revolutionized the way information is exchanged, changed business paradigms and put mission critical and sensitive systems online. Any dis- ruption of this connectivity and the plethora of services provided results in significant damages to everyone involved. Denial of Service (DoS) attacks are becoming increas- ingly common and are the cause of lost time and revenue. Flooding type DoS attacks use spoofed IP addresses to disguise the attackers. This makes identification of the attackers extremely difficult. This work proposes a new scheme that allows the victim of a DoS attack to identify the correct origin of the malicious traffic. The suggested mechanism requires routers to mark packets using adjusted probabilistic marking. This results in a lower number of packet-markings required to identify the traffic source. Unlike many related works, we use the existing IPv4 header structure to incorporate these markings. We simulate and test our algorithms using real Internet trace data to show that our technique is fast, and works successfully for a large number of distributed attackers.

Denial of Service Attacks

IP traceback

probabilistic packet marking

path reconstruction

The Research of Network Security in IP Traceback

Tseng, Yu-kuo

29 September 2004

With the dramatic expansion of computers and communication networks, computer crimes, such as threatening letters, fraud, and theft of intellectual property have been growing at a dreadful rate. The increasing frequency of malicious computer attacks on government agencies and Internet businesses has caused severe economic waste and unique social threats. The problems of protecting data and information on computers and communication networks has become even more critical and challenging, since the widespread adoption of the Internet and the Web. Consequently, it is very urgent to design an integrated network-security architecture so as to make information safer, proactively or reactively defeat any network attack, make attackers accountable, and help the law enforcement system to collect the forensic evidences. Among a variety of attacks on computer servers or communication networks, a prevalent, famous, and serious network-security subject is known as "Denial of Service" (DoS) or "Distributed Denial of Service" (DDoS) attacks. According to an investigation on computer crime conducted by CSI/FBI in 2003, Internet DoS/DDoS have increased in frequency, severity, and sophistication, and have caught international attentions to the vulnerability of the Internet. DoS/DDoS attacks consume the resources of a remote host or network, thereby denying or degrading service to legitimate users. Such attacks are among the hardest security problems to address because they are simple to implement, difficult to prevent, and very difficult to trace. Therefore, this dissertation will firstly concentrate on how to resolve these troublesome DoS/DDoS problems. This is considered as the first step to overcome generic network security problems, and to achieve the final goal for accomplishing a total solution of network security. Instead of tolerating DoS/DDoS attacks by mitigating their effect, to trace back the attacking source for eliminating the attacker is an aggressive and better approach. However, it is difficult to find out the true attacking origin by utilizing the incorrect source IP address faked by the attacker. Accordingly, this dissertation will aim at conquering this representative network security problem, i.e. DoS/DDoS attacks, with IP traceback, and designing an optimal IP traceback. IP traceback ¡X the ability to trace IP packets to their origins¡Xis a significant step toward identifying, and thus stopping, attackers. A promising solution to the IP traceback is probabilistic packet marking (PPM). This traceback approach can be applied during or after an attack, and it does not require any additional network traffic, router storage, or packet size increase. Therefore, the IP traceback research on countering DoS/DDoS attacks will be based on PPM scheme. In this dissertation, three outstanding improvements among four PPM criteria¡Xthe convergency, the computational overhead, and the incomplete PPM deployment problem¡Xhas been achieved. PPM-NPC is proposed to improve the PPM convergency and computational overhead. With non-preemptively compensation, the probability of each marked packet arrived at the victim equals its original marking probability. Therefore, PPM-NPC will efficiently achieve the optimal convergent situation by simply utilizing a 2-byte integer counter. Another better scheme, CPPM, is also proposed, such that the marked packets can be fully compensated as well while they are remarked. With CPPM, the probability of each marked packet arrived at the victim will also equal its original marking probability. Consequently, CPPM will achieve the optimal convergent situation efficiently as well. Furthermore, RPPM-NPC is presented to advance the accuracy of a reconstructed path in an incomplete PPM deployment environment by correcting and recovering any discontinuous individual transparent router and any segment of consecutive double transparent routers. This scheme may also reduce the deployment overhead without requiring the participation of all routers on the attack path. Except for these improved criteria, PPM robustness, some weak assumptions in PPM, and a few unsolved problems for PPM, e.g. reflective DDoS attacks, will also be improved in the future. It is also interesting in combining other network security researches, such as IDS, system access control mechanism, etc., for constructing a more complete network security architecture. Therefore, this research hereby is done in order to completely resolve the troublesome flood-style DoS/DDoS problems, and as the basis for accomplishing a total solution of network security.

IP traceback

probabilitic packet marking

denial of service attack

computer network security

A Usage-Based Approach to Pattern Finding: The Traceback Method Meets Code-Mixing

Endesfelder Quick, Antje, Backus, Ad

28 September 2023

Usage-based approaches have become increasingly important in research on language acquisition and recently also in bilingual first language acquisition. Lexically specific patterns, such as What’s this? and frame-and-slot patterns, such as [I want X] play an important role in language acquisition scenarios. The ubiquity of such conventionalized chunks and frame-and-slot patterns supports the idea that children construct their early utterances out of concrete pieces they have heard and stored before. To investigate the emergence of patterns in children’s speech the traceback method has been developed, which accounts for the composition of utterances by relying on previously acquired material. Recently, the traceback method has also been applied to code-mixed utterances in bilingual children testing the assumption that bilingual utterances are structured around a frameand- slot pattern in which the open slot is filled by (a) word(s) from the other language, e.g., [where is X] as in where is das feuer ‘where is the fire’. In this paper we want to present how the empirical use of the traceback method, and the general adoption of a usage-based theoretical perspective, can shed new lights on the study of bilingual phenomena, such as code-mixing.

info:eu-repo/classification/ddc/400

ddc:400

The Building Blocks of Child Bilingual Code-Mixing: A Cross-Corpus Traceback Approach

Endesfelder Quick, Antje, Hartmann, Stefan

31 March 2023

This paper offers an inductive, exploratory study on the role of input and individual differences in the early code-mixing of bilingual children. Drawing on data from two German-English bilingual children, aged 2–4, we use the traceback method to check whether their code-mixed utterances can be accounted for with the help of constructional patterns that can be found in their monolingual data and/or in their caregivers’ input. In addition, we apply the tracebackmethod to checkwhether the patterns used by one child can also be found in the input of the other child. Results show that patterns found in the code-mixed utterances could be traced back to the input the children receive, suggesting that children extract lexical knowledge from their environment. Additionally, tracing back patterns within each child was more successful than tracing back to the other child’s corpus, indicating that each child has their own set of patterns which depends verymuch on their individual input. As such, these findings can shed new light on the interplay of the two developing grammars in bilingual children and their individual differences.

info:eu-repo/classification/ddc/150

ddc:150