A Functional Reference Model of Passive Network Origin Identification

Transcription

1 DIGITAL FORENSIC RESEARCH CONFERENCE A Functional Reference Model of Passive Network Origin Identification By Thomas Daniels Presented At The Digital Forensic Research Conference DFRWS 2003 USA Cleveland, OH (Aug 6 th - 8 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development.

2 A Reference Model of Passive Network Origin Identification Thomas E. Daniels Fall 2002 Information Assurance Center Department of Electrical and Computer Engineering Iowa State University A Reference Model of Passive Network Origin Identification p.1/15

3 What am I talking about?! Origin Identification Systems Where did that network traffic come from? Not just IP spoofing and island hopping We re concerned with causality here. Active Mark or redirect traffic to assist in finding its origin Passive Just listen to collect evidence of the origin Passive is what we re talking about here A Reference Model of Passive Network Origin Identification p.2/15

4 Outline Some introductory material Reference Models Our Reference Model Implications of the model What does this mean for network forenics? A Reference Model of Passive Network Origin Identification p.3/15

5 Past Work in NOIS Passive Host-based (CISIE, Carrier s STOP) Network-based (Traffic Thumbprinting, IDIP, DoSTracker) Active Traffic Marking (Authentication, Probabilistic Packet Marking, embedding watermarks) Route Modifying (Centertrack, Deciduous) A Reference Model of Passive Network Origin Identification p.4/15

6 Some Intro Material Network Assumptions G = (V, E, IM, XM) where IM V and XM E Messages follow an unbounded path through G to some destination Observables Content Headers Timing and Location Signal Characteristics A Reference Model of Passive Network Origin Identification p.5/15

7 Reference Models Structured construct that defines a class of mechanisms Describes the member s of the class in a structured way Defines the interaction Compare to the ISO OSI 7 layer reference model Why are reference models important? Assists understanding components, their interactions, education, generalizations about systems, and build terminology. A Reference Model of Passive Network Origin Identification p.6/15

8 Our Reference Model Network Monitors Collect and process data for online or later use Internal External Analysis Program(s) Collect data from Monitors Make/suppport decisions about tracing traffic to origin Direct tracing procedure A Reference Model of Passive Network Origin Identification p.7/15

9 Network Monitors The Relay N The Relay N N.in {m1... mi} T() N.out {m 1... m j} N.in {m1... mi} T() N.out {m 1... m j} O1 External Monitors O2 O1 {(m1,m1.time, m1.loc), {(m1,m1.time, m1.loc), (m2,m2.time, m2.loc),...} (m2,m2.time, m2.loc),...} {(mi,mi.time,mi.loc) >(m j, m j.time, m j.loc),...} {Dropped NDE s} {Generated NDE s} External Monitors are arguably less powerful than internal Capabilities of Internal monitors are optimistic A Reference Model of Passive Network Origin Identification p.8/15

10 Edge Observed Networks Observer An abstraction of one or more monitors Merges observations of many distinct monitors Edge Observed Networks Reduce a network topology to a simplified one such that all edges in new network are monitored. A A M1 N1+N3 M2 N2 B M1 N1 M2 N2 B M3 M3 C M4 D C M4 N3 D A Reference Model of Passive Network Origin Identification p.9/15

11 What are EOG s good for? Allow merging internal and external monitors in one NOI System Abstracts away enough detail that general statements can be made. A Reference Model of Passive Network Origin Identification p.10/15

12 Components of a Passive NOIS Data Available Selection Data Reduction Control Commands Analysis Program Storage Reporting Query Responses A Reference Model of Passive Network Origin Identification p.11/15

13 Condtions for Passive NOI Necessary Conditions Network Separation Enough Storage history > storage obsf req obssize Mutually Sufficient Conditions (in addition to above) Analysis Program Trusted Communication Paths Correlation of an input to any given output across all nodes in EOG Sufficient because these together allow a step by step trace to succeed. A Reference Model of Passive Network Origin Identification p.12/15

14 Forensic Implications Passive NOIS s will be limited to initial investigation Data reduction is key to success of NOI, but at odds with corroborating evidence or integrity. Future research needs to consider this tradeoff Current NOIS proposals utility for investigation is limited Most non-host-based NOISs trace a single type of network traffic Hence, complex attacks can only be traced so far by these systems. Host-based solutions (e.g. Carrier s STOP) are useful, but require widespread deployment Future research should address the problem of deployable systems that trace multiple types of traffic and how to take advantage of different types of A Reference Model of Passive Network Origin Identification p.13/15 NOISs

15 Conclusions We hope this model and future refinements will prove useful in education, research, and development of network forensics tools. There are forensics objectives that conflict with objectives of current passive NOISs. This reference model has motivated our current work in Divide and Trace methods for tracing traffic. A Reference Model of Passive Network Origin Identification p.14/15

16 Questions? Thanks for the wonderful workshop experience! Rock Out, Jam Out More info can be found in my dissertation at A Reference Model of Passive Network Origin Identification p.15/15