Abstract
Payload attribution is an important problem often encountered in network forensics. Given an excerpt of a payload, finding its source and destination is useful for many security applications such as identifying sources and victims of a worm or virus. Although IP traceback techniques have been proposed in the literature, these techniques cannot help when we do not have the entire packet or when we only have an excerpt of the payload. In this paper, we present a payload attribution system (PAS) that attributes reasonably long excerpts of payloads to their source and/or destination hosts. The system we propose is based on a novel data structure called a Hierarchical Bloom Filter (HBF). An HBF creates compact digests of payloads and provides probabilistic answers to membership queries on the excerpts of payloads. We also present the performance analysis of the method and experimental results from a prototype demonstrating the practicality and efficacy of the system. The system can reliably work with certain packet transformations and is flexible enough to be used if the query string is spread across several packets. The system, however, can be evaded by splitting or by "stuffing" the payload. Future work focuses on making the system robust against such evasions.
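The abstract names the Hierarchical Bloom Filter but does not spell out how an excerpt query works. The following is an added, simplified model written for this page; it is not the authors' ForNet/PAS code and does not reproduce the published encoding or parameters. It cuts each payload into fixed-size blocks, records every (block, block offset) pair plus aligned groups of 2, 4, ... consecutive blocks in one Bloom filter, tags each entry with a flow label, and answers an excerpt query by trying every block alignment and every candidate offset. The block size, number of levels, filter size, maximum payload length, key encoding, flow labels and sample payloads are all assumptions made here.

```python
import hashlib


class BloomFilter:
    """Plain Bloom filter: k bit positions derived from one SHA-256 digest."""

    def __init__(self, m_bits=1 << 16, k=4):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item):
        h = hashlib.sha256(item).digest()
        h1 = int.from_bytes(h[:8], "big")
        h2 = int.from_bytes(h[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


class HierarchicalDigest:
    """Assumed model of an HBF (not the paper's encoding): level 0 records
    (block, offset); level j records 2**j consecutive blocks at an aligned offset.
    Each entry is tagged with a flow label so queries can ask 'was it on this flow?'."""

    def __init__(self, block_size=8, levels=3, max_blocks=64):
        self.s, self.levels, self.max_blocks = block_size, levels, max_blocks
        self.bf = BloomFilter()

    @staticmethod
    def _key(level, offset, chunk, flow):
        return b"%d|%d|%s|" % (level, offset, flow.encode()) + chunk

    def insert(self, payload, flow):
        blocks = [payload[i:i + self.s] for i in range(0, len(payload), self.s)]
        for level in range(self.levels):
            span = 1 << level
            for start in range(0, len(blocks), span):
                chunk = b"".join(blocks[start:start + span])
                self.bf.add(self._key(level, start, chunk, flow))

    def _check(self, blocks, offset, flow):
        # Every block must be present at consecutive offsets ...
        for i, blk in enumerate(blocks):
            if self._key(0, offset + i, blk, flow) not in self.bf:
                return False
        # ... and so must every aligned higher-level group that fits inside the
        # excerpt; this suppresses the false positives of single-block checks.
        for level in range(1, self.levels):
            span = 1 << level
            start = -(-offset // span) * span  # first aligned offset >= offset
            while start + span <= offset + len(blocks):
                chunk = b"".join(blocks[start - offset:start - offset + span])
                if self._key(level, start, chunk, flow) not in self.bf:
                    return False
                start += span
        return True

    def query(self, excerpt, flow):
        """Probabilistic answer (no false negatives for an unmodified payload).
        Block alignment and offset of the excerpt are unknown, so both are tried."""
        for align in range(self.s):
            body = excerpt[align:]
            n = len(body) // self.s
            if n == 0:
                continue
            blocks = [body[i * self.s:(i + 1) * self.s] for i in range(n)]
            for offset in range(self.max_blocks - n + 1):
                if self._check(blocks, offset, flow):
                    return True
        return False


# Constructed sample traffic (not real captures): one suspect and one benign flow.
FLOW_A = "10.0.0.5->10.0.0.9"
FLOW_B = "10.0.0.7->10.0.0.9"
PAYLOAD_A = b"CONSTRUCTED EXAMPLE PAYLOAD: the quick brown fox jumps over the lazy dog 0123456789"
PAYLOAD_B = b"CONSTRUCTED BENIGN PAYLOAD: nothing to see here, just an ordinary request line"


def build_digest():
    d = HierarchicalDigest(block_size=8, levels=3)
    d.insert(PAYLOAD_A, FLOW_A)
    d.insert(PAYLOAD_B, FLOW_B)
    return d


def attribute(excerpt, digest=None):
    """The forensic question: which recorded flows could have carried this excerpt?"""
    digest = build_digest() if digest is None else digest
    return [flow for flow in (FLOW_A, FLOW_B) if digest.query(excerpt, flow)]


def stuffing_evades():
    """The abstract's caveat: a sender that stuffs filler bytes into the payload
    changes the recorded blocks, so a clean excerpt no longer matches."""
    stuffed = b"\x00".join(PAYLOAD_A[i:i + 5] for i in range(0, len(PAYLOAD_A), 5))
    d = HierarchicalDigest(block_size=8, levels=3)
    d.insert(stuffed, FLOW_A)
    return not d.query(PAYLOAD_A[10:50], FLOW_A)
```

`attribute(PAYLOAD_A[13:61])` returns only `FLOW_A` even though the excerpt starts in the middle of a block, because the query discards the leading partial block and tries every alignment. An excerpt shorter than one block (`PAYLOAD_A[20:27]`) yields no full block and is attributed to nothing, which is the practical meaning of the abstract's "reasonably long excerpts". `stuffing_evades()` returns `True`: the digest of the stuffed payload contains none of the clean excerpt's blocks, which is the evasion the abstract flags as future work.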
Field | Value |
---|---|
Original language | English (US) |
Title of host publication | Proceedings of the ACM Conference on Computer and Communications Security |
Editors | B. Pfitzmann, P. Liu |
Pages | 31-41 |
Number of pages | 11 |
State | Published - 2004 |
Event | Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004 - Washington, DC, United States, Oct 25 2004 → Oct 29 2004 |
Other
Field | Value |
---|---|
Other | Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004 |
Country/Territory | United States |
City | Washington, DC |
Period | 10/25/04 → 10/29/04 |
Keywords
- ForNet
- Hierarchical Bloom Filters
- Payload attribution
- Security
ASJC Scopus subject areas
- General Computer Science