Abstract
It is desirable to hold network attackers accountable for their actions in both criminal investigations and information warfare situations. Currently, attackers are able to hide their location effectively by creating a chain of connections through a series of hosts. This method is effective because current host audit systems do not maintain enough information to allow association of incoming and outgoing network connections. In this paper, we introduce an inexpensive method that allows both on-line and forensic matching of incoming and outgoing network traffic. Our method associates origin information with each process in the system process table, and enhances the audit information by logging the origin and destination of network sockets. We present implementation results and show that our method can effectively record origin information about the common cases of stepping stone connections and denial of service zombies, and describe the limitations of our approach.
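
The following is an added illustration of the matching idea described in the abstract, not code from the paper. It models a process table with an origin field and audit records that pair origin with destination, then walks those records backwards for forensic matching. The `Host` class, the `trace_back` function, the record layout and the rule that a child process inherits its parent's origin are assumptions made for this sketch; the addresses are constructed from documentation ranges.

```python
class Host:
    """Toy host; procs maps pid -> origin address (assumed process-table field)."""
    def __init__(self):
        self.procs = {1: None}  # init has no network origin
        self.audit = []         # enhanced audit records (constructed format)

    def fork(self, parent_pid):
        # Assumption: a child inherits its parent's origin.
        pid = max(self.procs) + 1
        self.procs[pid] = self.procs[parent_pid]
        return pid

    def accept(self, server_pid, remote):
        # The process handling an incoming connection is tagged with the remote address.
        pid = self.fork(server_pid)
        self.procs[pid] = remote
        self.audit.append({"event": "accept", "pid": pid, "origin": remote})
        return pid

    def connect(self, pid, dest):
        # Outgoing socket: log the process's origin together with the destination.
        rec = {"event": "connect", "pid": pid, "origin": self.procs[pid], "dest": dest}
        self.audit.append(rec)
        return rec

def trace_back(hosts, victim, seen_from):
    """Walk audit logs backwards from the address the victim observed."""
    chain, dest, cur = [victim, seen_from], victim, seen_from
    while cur in hosts:  # stop at hosts whose logs we do not hold
        hits = [r for r in hosts[cur].audit
                if r["event"] == "connect" and r["dest"] == dest and r["origin"]]
        if not hits or hits[-1]["origin"] in chain:  # no match, or a loop
            break
        dest, cur = cur, hits[-1]["origin"]  # latest match; no timestamps here
        chain.append(cur)
    return chain

def demo():
    # Constructed scenario: remote -> host a -> host b -> victim.
    a, b, victim, remote = "192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.7"
    hosts = {a: Host(), b: Host()}
    shell_a = hosts[a].fork(hosts[a].accept(hosts[a].fork(1), remote))
    hosts[a].connect(shell_a, b)
    shell_b = hosts[b].fork(hosts[b].accept(hosts[b].fork(1), a))
    hosts[b].connect(hosts[b].fork(1), victim)  # local job: origin is None
    hosts[b].connect(shell_b, victim)
    return trace_back(hosts, victim, b)
```

The walk stops at the first address whose audit log is not available, which is the furthest point this kind of host-based record can reach.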