In the Context of Cyberwar
Definition
Attribution: determining the identity or location of an attacker or an attacker's intermediary (Wheeler, 2003)
- Identity: name, alias, IP/Ethernet address
- Location: geographic, country
Question 1: How much effort will it take?
Question 2: To what degree of certainty can it be determined?
Threat Models (from the attacker's perspective)
Global passive adversary
- Observes all network links
- Adversary controls a fraction of network nodes
Non-global adversary
- Controls only a fraction of total network nodes
- A smart non-global adversary can approximate a global passive adversary
Anti-Attribution (anonymity)
Two methods
- Stepping stones (multi-stage attacks)
- Routing through anonymization networks
  - High-latency: mix-based (ex. Mixmaster)
  - Low-latency: onion routing (ex. Tor); peer-to-peer (Torsk/NISAN)
  - In-house network with a botnet
Stepping Stones
Attacker X compromises computer Y, which routes traffic through computer Z.
Source: Wheeler, 2003
Stepping Stones (cont'd)
Worm origin identification (Xie et al., 2005)
- Use traffic logs to create attack trees
- Requirement: full access to traffic logs across networks
Anonymization Networks
Low-latency, onion routing (Tor)
- Onion routing anonymizes network flows by providing unlinkability
Weaknesses
- Malicious entry/exit nodes destroy anonymity (an adversary that holds both ends of a circuit can link the sender to the destination)
- Traffic analysis (Murdoch, Danezis 2005)
  - Allows discovery of all routing nodes of a circuit (but not the identity of the sender)
Anonymization Networks (cont'd)
P2P (Torsk/NISAN) (Wang et al., 2010)
- Tor has a big problem: scalability
- P2P networks solve this problem by using distributed hash tables
- This introduces a weakness: more lookups make it easier for an observer to detect communications
Passive vs. Active Timing-based Approach
Passive timing-based approach
- Observe packets and correlate flows
- Takes longer
Active timing-based approach (watermarking)
- Inject patterns into the network flow and try to detect the pattern at exit routers
- Quicker
- Observer must be able to control the communication
Requirement: access to routers at all key points of observation
Not a requirement: inspection of packet contents
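The two timing-based approaches above, and the timing weakness of low-latency onion routing from the previous slides, in one constructed simulation. This is an added example, not code from the slides or from the cited papers: flows are modelled as lists of inter-packet delays (IPDs, in seconds), a relay is modelled as random per-packet queueing delay, and the watermark positions, packet counts, delay sizes and random seed are all assumptions chosen for the demonstration. Nothing here looks at packet contents; timing alone links the flows.

```python
"""Passive flow correlation versus an active timing watermark (constructed simulation)."""
import random
import statistics


def make_flow(n_packets, mean_ipd, rng):
    """Constructed sample flow: exponentially distributed IPDs (Poisson-like traffic)."""
    return [rng.expovariate(1.0 / mean_ipd) for _ in range(n_packets)]


def relay(ipds, jitter, rng):
    """Simulated anonymizing relay: packet i gets a non-negative random delay d_i,
    so IPD i shifts by d_i - d_(i-1). IPDs are clamped at zero (no reordering)."""
    out, prev = [], 0.0
    for ipd in ipds:
        d = abs(rng.gauss(0.0, jitter))
        out.append(max(0.0, ipd + d - prev))
        prev = d
    return out


def pearson(xs, ys):
    """Pearson correlation of two IPD sequences (0.0 if either is constant)."""
    n = min(len(xs), len(ys))
    xs, ys = xs[:n], ys[:n]
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def passive_match(ingress_flows, egress_flow):
    """Passive approach: correlate every flow seen at the entry point with the flow
    seen at the exit; the highest score is the linked flow. Needs the whole
    recording, which is why it takes longer."""
    scores = [pearson(f, egress_flow) for f in ingress_flows]
    return max(range(len(scores)), key=scores.__getitem__), scores


def embed_watermark(ipds, positions, delay):
    """Active approach: an observer controlling the ingress link holds packet p
    (and everything after it) for `delay` seconds at each secret position."""
    out = list(ipds)
    for p in positions:
        out[p] += delay
    return out


def detect_watermark(ipds, positions, delay):
    """Detector at the exit: mean IPD at the secret positions minus the mean
    elsewhere. A marked flow scores about `delay`; an unmarked flow about 0."""
    marked_set = set(positions)
    marked = [ipds[p] for p in positions]
    unmarked = [v for i, v in enumerate(ipds) if i not in marked_set]
    score = statistics.fmean(marked) - statistics.fmean(unmarked)
    return score > delay / 2, score


def demo(seed=7, n_flows=5, n_packets=400, mean_ipd=0.05, jitter=0.01,
         n_marks=30, delay=0.1):
    """Run both approaches on constructed flows; all parameters are assumptions."""
    rng = random.Random(seed)
    ingress = [make_flow(n_packets, mean_ipd, rng) for _ in range(n_flows)]
    target = 2  # the ingress flow we want to link to its exit-side copy

    # Passive: only the jittered copy of the target is visible at the exit.
    egress_plain = relay(ingress[target], jitter, rng)
    best, scores = passive_match(ingress, egress_plain)

    # Active: mark the target at ingress, detect at egress. Also run the
    # detector on a flow that was never marked to show the false-alarm side.
    positions = sorted(rng.sample(range(n_packets), n_marks))
    egress_marked = relay(embed_watermark(ingress[target], positions, delay), jitter, rng)
    egress_other = relay(ingress[0], jitter, rng)
    found, score_marked = detect_watermark(egress_marked, positions, delay)
    false_alarm, score_other = detect_watermark(egress_other, positions, delay)

    return {
        "passive_best": best, "passive_target": target,
        "passive_score": scores[target],
        "watermark_found": found, "watermark_score": score_marked,
        "false_alarm": false_alarm, "other_score": score_other,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The passive matcher needs every ingress flow recorded and a long enough sample for the correlation to separate from noise; the watermark detector needs only the secret positions and a few dozen packets, but it requires the observer to delay packets on the ingress side, which is exactly the "must be able to control the communication" condition on the slide.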
Botnet Takeover
Stone-Gross et al. (2009)
- Torpig size: ~180,000 bots (at least 17 Gbps bandwidth)
- Took advantage of Torpig's use of domain flux
  - Deterministic algorithm for connecting to the C&C server
  - Advantage: when one C&C server gets knocked offline, bots move on to the next server
  - Disadvantage: allows defender hijacking of C&C servers to take over the botnet
- Lasted 10 days before Torpig's controllers regained control
- During that time, 70 GB of data was intercepted, including 300,000 username/password pairs
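The domain-flux mechanism and both sides of its trade-off, as an added example that is not the slides' or the Stone-Gross et al. code. The domain generation algorithm, seed, TLD list, period length and dates below are hypothetical stand-ins; Torpig's real algorithm is not reproduced. The registry class stands in for the registrars plus DNS.

```python
"""Domain flux: bots fall through a deterministic domain list; a defender who knows
the algorithm can pre-register future names (constructed example)."""
import hashlib
from datetime import date, timedelta

# Hypothetical constants, not Torpig's real seed, TLDs or period length.
TLDS = ("com", "net", "biz")
EPOCH = date(2009, 1, 1)
DAYS_PER_PERIOD = 7


def period_index(day):
    """Which domain-flux period a calendar day falls in (needs no secret)."""
    return (day - EPOCH).days // DAYS_PER_PERIOD


def dga(seed, period, count=3):
    """Hypothetical domain generation algorithm: an ordered candidate list for one
    period. Every bot, and anyone holding the seed, computes the same list."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{period}:{i}".encode()).hexdigest()
        names.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return names


class Registry:
    """Stand-in for registrars plus DNS: who holds a name, and which are suspended."""

    def __init__(self):
        self.owners = {}
        self.suspended = set()

    def register(self, domain, owner):
        if domain in self.owners:
            return False  # first come, first served
        self.owners[domain] = owner
        return True

    def take_down(self, domain):
        self.suspended.add(domain)

    def resolve(self, domain):
        return None if domain in self.suspended else self.owners.get(domain)


def bot_connect(seed, day, registry):
    """Bot logic: walk this period's list in order, use the first name that resolves."""
    for domain in dga(seed, period_index(day)):
        owner = registry.resolve(domain)
        if owner is not None:
            return domain, owner
    return None, None


def sinkhole_future(seed, from_day, periods, registry, owner="defender"):
    """Defender who recovered the seed pre-registers every name for the next periods."""
    p0 = period_index(from_day)
    grabbed = []
    for p in range(p0 + 1, p0 + 1 + periods):
        for domain in dga(seed, p):
            if registry.register(domain, owner):
                grabbed.append(domain)
    return grabbed


def simulate(seed="constructed-seed"):
    reg = Registry()
    today = date(2009, 1, 25)
    current = dga(seed, period_index(today))
    # The botmaster registers only the current period's names, just in time.
    for domain in current[:2]:
        reg.register(domain, "botmaster")

    # Advantage: suspending one name just moves the bots along the list.
    reg.take_down(current[0])
    after_takedown = bot_connect(seed, today, reg)

    # Disadvantage: the defender races ahead and registers next period's names first.
    grabbed = sinkhole_future(seed, today, periods=2, registry=reg)
    next_week = today + timedelta(days=DAYS_PER_PERIOD)
    botmaster_late = reg.register(dga(seed, period_index(next_week))[0], "botmaster")
    after_sinkhole = bot_connect(seed, next_week, reg)

    return {
        "after_takedown": after_takedown,          # (second name, "botmaster")
        "sinkholed": len(grabbed),                  # 6 names for two future periods
        "botmaster_late_register": botmaster_late,  # False: name already taken
        "after_sinkhole_owner": after_sinkhole[1],  # "defender"
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "=", value)
```

The takeover window lasts only as long as the defender stays ahead in the registration race and the bots keep running the same algorithm; once the operators push a new binary with a changed generator, the pre-registered names stop mattering, which is the slide's "controllers regained control" outcome.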
Comments
Attribution is hard, but possible
- Not feasible for domestic crime
- Feasible for national security issues
Hack-back is a requirement
- Luckily, even good hackers make serious mistakes
The more control over networks the better