Fingerprinting Violating Machines with TCP Timestamps
Proceeding: The Third International Conference on Digital Security and Forensics (DigitalSec2016)
Publication Date: 2016-09-06
Authors : Mohammed Al-Saleh;
Page : 68-73
Keywords : TCP Timestamp; Protocol Artifact; Fingerprinting;
Abstract
Cyber crime has increased as a side effect of the dramatic growth in Internet deployment. Identifying the machines responsible for crimes is a vital step in an attack investigation. Tracking the IP address of the attacker to its origin is indispensable. However, apart from finding the attacker's (possible) machine, it is necessary to provide supporting proof that binds the attack to the attacker's machine, rather than depending solely on the IP address of the attacker, which can be dynamic. This paper proposes to implant such supporting proof by utilizing the timestamps in the TCP header. Our results show that unique timestamps can be recovered in target machines. In addition, because a violator is unaware of (and has no control over) the internals of TCP, the investigation process is empowered with stealth. To the best of our knowledge, we are the first to utilize protocol remnants in fingerprinting violating machines.
Last modified: 2016-09-11 23:54:01