DocumentCode
2388728
Title
A mark association-based investigation of attack scenarios in communication networks
Author
Djemaiel, Yacine ; Rekhis, S. ; Boudriga, Noureddine
Author_Institution
CN&S Res. Lab., Univ. of Carthage, Tunis, Tunisia
fYear
2012
fDate
10-15 June 2012
Firstpage
6673
Lastpage
6677
Abstract
The tracing of attacks and the reconstruction of attack scenarios are among the research fields that have been investigated in recent years. In this context, several marking techniques have been proposed to trace back the attacker's IP address or network. These schemes have shown limitations when applied to the investigation of attacks, since they can neither reconstruct the attacker's actions nor tolerate any form of missing traces or marks. In addition, these schemes are vulnerable to mark spoofing and alteration. To address these limitations, we propose in this paper an outbound global marking scheme that uses a novel structure, called a mark association, which holds enriched information about the intruder's activity at the network, system or storage level. The proposed scheme enables the monitoring of the intruder's activity, the tracking of events that occurred, and the traceback of the attackers' source addresses, in addition to the reconstruction of attack scenarios. The capabilities of the proposed scheme are illustrated through a distributed attack performed against the monitored environment.
Keywords
IP networks; telecommunication traffic; IP address; attack scenarios; communication networks; global marking scheme; mark association; marking techniques; Context; Correlation; Libraries; Monitoring; Security; dependency graph; investigation; storage
fLanguage
English
Publisher
ieee
Conference_Titel
Communications (ICC), 2012 IEEE International Conference on
Conference_Location
Ottawa, ON
ISSN
1550-3607
Print_ISBN
978-1-4577-2052-9
Electronic_ISBN
1550-3607
Type
conf
DOI
10.1109/ICC.2012.6364965
Filename
6364965
Link To Document