Journal of Systemics, Cybernetics and Informatics (Aug 2006)
Correlating Temporal Thumbprints for Tracing Intruders
Abstract
The Design of TCP/IP protocol makes it difficult to reliably traceback to the original attackers if they obscure their identities by logging through a chain of multiple hosts. A thumbprint method based on connection content was proposed in 1995 to traceback attackers, but this method is limited to non-encrypted sessions. In this paper, we propose a thumbprint based on time intervals, T-thumbprint, to identify a connection. T-thumbprint is a sequence of time gaps between adjacent TCP 'Send' packets of an interactive terminal session. An algorithm is presented to correlate two T-thumbprints to see if they belong to the same connection chain. We also discuss how to use T-thumbprints to traceback an attacker on the Internet, and how to defeat at-tacker's manipulation. T-thumbprint has advantages of: (1) It can be applied to encrypt sessions; (2) It does not require tightly synchronized clocks; (3) It can defeat attacker's manipulation to some extent; and (4) It is efficient, can be used to trace attackers in real time.