Research aims to unmask intruders
By Paul Desmond
Network World, 09/11/00
Network forensics can go a long way toward identifying security holes and reconstructing lost data, but it often can't find the source of an attack launched over the Internet. Determined intruders have many tricks for masking their identities.
Clay Shields wants to change that. The assistant professor of computer sciences at Purdue University in West Lafayette, Ind., is trying to devise a way to identify people across a network and determine their physical location. The research, conducted under the auspices of Purdue's Center for Education and Research in Information Assurance and Security, aims to find a way to match TCP streams in a network to identify patterns that point to an attacker.
If a firm is the victim of a series of attacks, it could install a device to record data about the TCP streams involved in the attacks. This data, such as the timing of the streams and packet sizes, would be matched with data collected by similar devices elsewhere on the network, potentially letting law enforcement identify similar patterns leading to the perpetrator.
Shields is focusing on properties that don't require looking inside packets, so the technology will work with encrypted streams.
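To make the matching idea concrete, here is an added illustration (not code from the article or from Shields's project): streams recorded at two observation points are compared using only inter-packet timing and packet sizes, never payload, so encrypted traffic is handled the same way. The sensor names, flow records and scoring formula are all constructed for this example.

```python
"""Correlate TCP streams seen at two observation points using only packet
timing and sizes (no payload). All flow records below are constructed data."""
from math import sqrt

# Each flow: list of (timestamp_seconds, packet_size_bytes), in time order.
# Sensor A sits near the victim; sensor B sits upstream, e.g. at a relay's ISP.
SENSOR_A = {
    "A1": [(0.00, 64), (0.12, 512), (0.35, 64), (0.41, 1460), (0.90, 128), (1.02, 64)],
}
SENSOR_B = {
    # same stream observed 30 ms later with slight jitter
    "B1": [(0.031, 64), (0.152, 512), (0.379, 64), (0.443, 1460), (0.928, 128), (1.051, 64)],
    # unrelated bulk transfer
    "B2": [(0.0, 1460), (0.5, 1460), (1.0, 1460), (1.5, 1460), (2.0, 1460), (2.5, 1460)],
    # unrelated request/response traffic
    "B3": [(0.00, 1460), (0.40, 64), (0.45, 1460), (0.80, 64), (1.30, 1460), (1.35, 64)],
}

def signature(flow):
    """Inter-packet gaps and sizes: visible even when the payload is encrypted."""
    times = [t for t, _ in flow]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return gaps, [s for _, s in flow]

def pearson(xs, ys):
    """Correlation coefficient; 0.0 when either series has no variance."""
    n = min(len(xs), len(ys))
    xs, ys = xs[:n], ys[:n]
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx > 0 and vy > 0 else 0.0

def similarity(flow_a, flow_b, size_tol=64):
    """Average of timing correlation and fraction of size-matched packets.
    size_tol absorbs the fixed per-packet overhead a relay or tunnel may add."""
    gaps_a, sizes_a = signature(flow_a)
    gaps_b, sizes_b = signature(flow_b)
    n = min(len(sizes_a), len(sizes_b))
    size_hits = sum(abs(a - b) <= size_tol for a, b in zip(sizes_a, sizes_b)) / n
    return (pearson(gaps_a, gaps_b) + size_hits) / 2

def match_flows(sensor_a, sensor_b, threshold=0.8):
    """For each flow at A, return the best-scoring flow at B, or None when
    nothing clears the threshold (so an unrelated stream is not named)."""
    matches = {}
    for name_a, flow_a in sensor_a.items():
        scored = [(similarity(flow_a, f), name_b) for name_b, f in sensor_b.items()]
        score, name_b = max(scored)
        matches[name_a] = (name_b, round(score, 3)) if score >= threshold else None
    return matches
```

Real deployments would have to cope with clock skew between sensors, packet loss and deliberate timing perturbation, none of which this toy scorer models.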
He acknowledges his research could raise privacy concerns, but says the intention is to use the technology only when it is legally and socially desirable to identify someone.
Shields hopes to have a prototype in place by next spring.