The Center for Education and Research in Information Assurance and Security (CERIAS)


The Session Token Protocol for Forensics and Traceback


Author

Brian Carrier and Clay Shields

Tech report number

CERIAS TR 2004-36

Entry type

article

Abstract

In this paper we present the Session Token Protocol (STOP), a new protocol that can assist in the forensic analysis of a computer involved in malicious network activity. It has been designed to help automate tracing attackers who log on to a series of hosts to hide their identity. STOP utilizes the Identification Protocol (IDENT) infrastructure, improving both its capabilities and user privacy. On request, the STOP protocol saves user-level and application-level data associated with a particular TCP connection and returns a random token specifically related to that session. The saved data are not revealed to the requester unless the token is returned to the local administrator, who verifies the legitimacy of the need for the release of information. The protocol supports recursive traceback requests to gather information about the entire path of a connection. This allows an incident investigator to trace attackers to their home systems, but does not violate the privacy of normal users. This paper details the new protocol and presents implementation and performance results.


Date

2004-08-01

Institution

CERIAS

Journal

ACM Transactions on Information and System Security

Key alpha

carrier

Number

3

Pages

333-362

Volume

7

Publication Date

2004-08-01
