
Design an Algorithm Matching TCP Connection Pairs for Intruder Traceback

Design of a TCP Connection Matching Algorithm for Intruder Traceback

  • 강형우 (National Security Research Institute, affiliated with ETRI) ;
  • 홍순좌 (National Security Research Institute, affiliated with ETRI) ;
  • 이동훈 (Department of Computer Science, Korea University)
  • Published: 2006.02.01

Abstract

In the field of network defense, much research is directed toward locating the source of network attacks. An intruder often launches an attack not from their own computer but from intermediate hosts that they previously compromised; these intermediate hosts are called stepping stones. There are two kinds of traceback technologies: IP packet traceback and connection traceback. This paper focuses on connection traceback. It classifies the process structures of detoured attacks on a stepping stone, designs an algorithm for a traceback agent, and implements a traceback system based on that agent.

In recent hacking incidents, an intruder, in order to avoid exposing their own IP address on the victim system, does not attack the victim system directly but performs a detoured attack through a stepping stone. This paper designs an algorithm for tracing the attacker's source address when a detoured attack through stepping stones is carried out in the current network environment. Intruder traceback falls broadly into two categories: the first is IP packet traceback, the second is connection traceback. This paper deals with attacks in the context of connection traceback, and traces the intruder's location by using the operating system's process structure to distinguish the attacker from a stepping stone.
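As an added illustration (not the paper's code), the following sketch shows the core idea the abstract describes: on a suspected stepping stone, an inbound TCP connection is paired with any outbound connection whose owning process descends from the inbound session's process, and an outbound connection with no such inbound ancestor marks the host as a candidate attack origin. The process and connection snapshot is constructed sample data; all function and field names are assumptions.

```python
from collections import namedtuple

# Constructed sample data (not from the paper): a snapshot of processes and
# TCP connections taken by a traceback agent on a suspected stepping stone.
Proc = namedtuple("Proc", "pid ppid comm")
Conn = namedtuple("Conn", "pid laddr lport raddr rport direction")  # "in"/"out"

PROCS = [
    Proc(1, 0, "init"),
    Proc(900, 1, "sshd"),       # listening daemon
    Proc(1201, 900, "sshd"),    # per-session sshd for the inbound login
    Proc(1205, 1201, "bash"),   # interactive shell of that session
    Proc(1230, 1205, "ssh"),    # outbound hop started from the shell
    Proc(1300, 1, "cron"),
    Proc(1310, 1300, "curl"),   # unrelated outbound connection
]

CONNS = [
    Conn(1201, "10.0.0.5", 22, "192.0.2.10", 51000, "in"),
    Conn(1230, "10.0.0.5", 40022, "198.51.100.7", 22, "out"),
    Conn(1310, "10.0.0.5", 40100, "203.0.113.9", 443, "out"),
]

def ancestors(pid, procs):
    """Return the set of pids on the path from pid up to the process tree root."""
    by_pid = {p.pid: p for p in procs}
    chain = set()
    while pid in by_pid and pid not in chain:   # stop at root or on a cycle
        chain.add(pid)
        pid = by_pid[pid].ppid
    return chain

def match_connection_pairs(procs, conns):
    """Pair each inbound connection with the outbound connections opened by a
    descendant of its session process: the process-structure signature of a
    stepping stone relaying the intruder to the next hop."""
    pairs = []
    for inbound in (c for c in conns if c.direction == "in"):
        for outbound in (c for c in conns if c.direction == "out"):
            if inbound.pid in ancestors(outbound.pid, procs):
                pairs.append((inbound, outbound))
    return pairs

def classify_outbound(procs, conns):
    """Label each outbound peer: relayed through this host ("stepping-stone")
    or originating here with no inbound session behind it ("origin")."""
    relayed = {out.pid for _, out in match_connection_pairs(procs, conns)}
    return {(c.raddr, c.rport): ("stepping-stone" if c.pid in relayed else "origin")
            for c in conns if c.direction == "out"}
```

For a relayed pair, the inbound peer address (here 192.0.2.10) is the host the traceback agent would query next along the connection chain.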
