Abstract
In this paper we present the Session Token Protocol (STOP), a
new protocol that can assist in the forensic analysis of a computer
involved in malicious network activity. It has been designed to help
automate tracing attackers who log on to a series of hosts to hide their
identity. STOP utilizes the Identification Protocol (IDENT)
infrastructure, improving both its capabilities and user privacy. On
request, the STOP protocol saves user-level and
application-level data associated with a particular TCP connection and
returns a random token specifically related to that session. The
saved data are not revealed to the requester unless the token is
returned to the local administrator, who verifies the legitimacy of
the need for the release of information. The protocol supports
recursive traceback requests to gather information about the entire
path of a connection. This allows an incident investigator to trace
attackers to their home systems, but does not violate the privacy of
normal users. This paper details the new protocol and presents
implementation and performance results.
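The token model the abstract describes (save data for a connection on request, hand back an unrelated random token, release the saved data only when the token comes back to the local administrator who approves the request, chain hops for recursive traceback) can be sketched in a few lines. The following Python is an added illustration, not the paper's implementation; the record fields, the in-memory host registry, the `upstream` link used to simulate hop-to-hop requests, and all addresses and user names are constructed assumptions made here for the example.

```python
"""Toy model of STOP-style session tokens (added illustration, not the paper's code).

Assumptions made here, not taken from the abstract: records are kept in memory,
the upstream hop is referenced as a (host_name, token) pair, and administrator
verification is modelled as a set of host names whose admin approved release.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SessionRecord:
    conn: tuple                  # (src_ip, src_port, dst_ip, dst_port); values constructed
    user: str                    # user-level data: owner of the outbound socket (hypothetical)
    application: str             # application-level data: the client program (hypothetical)
    upstream: Optional[tuple]    # (host_name, token) of the previous hop, or None at the origin

class StopHost:
    """One host running a hypothetical STOP-like responder."""

    def __init__(self, name: str):
        self.name = name
        self._records: dict[str, SessionRecord] = {}

    def record_session(self, conn, user, application, upstream=None) -> str:
        # The token is random and carries no information about the saved data;
        # the requester learns nothing until the local admin releases the record.
        token = secrets.token_hex(16)
        self._records[token] = SessionRecord(conn, user, application, upstream)
        return token

    def release(self, token: str, admin_verified: bool) -> Optional[SessionRecord]:
        # Data leave the host only when the token is presented to the local
        # administrator and the admin has verified the request's legitimacy.
        if not admin_verified:
            return None
        return self._records.get(token)

def traceback(hosts: dict, start_host: str, token: str, approvals: set) -> list:
    """Recursive traceback: follow upstream tokens one hop at a time.

    Stops at the first hop whose administrator has not approved release, so a
    trace reveals only what each hop's admin agreed to reveal.
    Returns [(host_name, user, application), ...] from the nearest hop outward.
    """
    path = []
    current: Optional[tuple] = (start_host, token)
    while current is not None:
        host_name, tok = current
        rec = hosts[host_name].release(tok, host_name in approvals)
        if rec is None:
            break
        path.append((host_name, rec.user, rec.application))
        current = rec.upstream
    return path

def build_demo():
    """Constructed three-hop chain: origin -> hop1 -> hop2 -> (target being investigated)."""
    hosts = {n: StopHost(n) for n in ("origin", "hop1", "hop2")}
    t0 = hosts["origin"].record_session(("10.0.0.5", 40001, "10.0.1.7", 22), "alice", "ssh")
    t1 = hosts["hop1"].record_session(("10.0.1.7", 40002, "10.0.2.9", 22), "svc", "ssh",
                                      upstream=("origin", t0))
    t2 = hosts["hop2"].record_session(("10.0.2.9", 40003, "10.0.3.2", 22), "www", "ssh",
                                      upstream=("hop1", t1))
    # The investigator at the target holds only t2, the token hop2 returned.
    return hosts, t2

if __name__ == "__main__":
    hosts, t2 = build_demo()
    print("no approval  :", traceback(hosts, "hop2", t2, set()))
    print("hop2 only    :", traceback(hosts, "hop2", t2, {"hop2"}))
    print("all approved :", traceback(hosts, "hop2", t2, {"hop2", "hop1", "origin"}))
```

Running the module shows the privacy property the abstract claims: the investigator's token is useless on its own, each hop's administrator gates what that hop discloses, and only a fully approved chain reaches the origin host.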