
«Untangling Attribution David D. Clark* and Susan Landau** I. Introduction In February 2010, former Director of the National Security Agency Mike ...»


2011 / Untangling Attribution

the levels of the hierarchy. Several commercial services now exist that provide the function of mapping an IP address to an approximate location.31 These services are designed to meet a number of customer needs, as their advertising suggests, including customization of Web content to different classes of customers and regulatory compliance. These services compete to provide accurate location information and advertise their precision in their marketing information. Various firms claim that 99-99.9% of IP addresses can be accurately localized to within a country, and that 90can be accurately localized to within a state, city, or other similar region.32 These services are used today by commercial Web content providers to localize their content to the presumed location of the user (e.g., to pick the right language), or in some cases, to block access to certain content based on the presumed locus (with respect to a jurisdiction), such as the blocking of Nazi memorabilia auctions to customers in France.33 They are designed to work in real-time (as part of processing a Web query), and can provide a rich, if approximate, mapping from IP address to other attributes.

The issue with many of these tools is that since the mapping is approximate, there is some degree of "plausible deniability" to assertions of responsibility. There have been proposals to "harden" the linkage between IP address and other information. For example, several countries put forward a proposal to the International Telecommunications Union (ITU) that as part of the conversion of the Internet from IPv4 to IPv6,34 addresses should be first allocated to states, which would then allocate them to the relevant private-sector actors. This would mean that the linkage from IP address to jurisdiction would be robust,35 and that it would be possible, for example, for the Chinese government to be certain where downloaded material, whether software stolen from U.S. companies or human-rights information from U.S. organizations, was going.

31 See, e.g., MaxMind GeoIP Databases, MAXMIND, http://www.maxmind.com/app/cit (last visited Feb. 18, 2011); Our Technology, NetAcuity IP Intelligence: Paving the Way to Deeper Online Connections, DIGITAL ELEMENT, http://www.digitalelement.com/our_technology/our_technology.html (last visited Feb. 18, 2011); Services: We Make High-Volume Transaction Seamless, QUOVA: KNOW WHERE, http://www.quova.com/what/services/ (last visited Feb. 18, 2011).

32 For example, the MaxMind service cited above states that it is "99.8% accurate on a country level, 90% accurate on a state level, 83% accurate for the US within a 25 mile radius." Id.

33 For a discussion of the French litigation to block the sale of Nazi memorabilia in their country, see JACK GOLDSMITH & TIM WU, WHO CONTROLS THE INTERNET?: ILLUSIONS OF A BORDERLESS WORLD 1-6 (2006).

34 The addresses currently used in the Internet, called IPv4 addresses, are not sufficiently large to deal with the growing size of the Internet. To deal with all the devices that are anticipated to be attached in the future, a new and larger set of addresses, called IPv6 addresses, have been designed. A transition from IPv4 to IPv6 is now beginning.

Harvard National Security Journal / Vol. 2

Of course, the transition from IPv4 to IPv6 is only one of the changes that may occur to the Internet over the coming years. A more dramatic change might be the introduction of a virtualized network infrastructure, which would permit multiple simultaneous networks to coexist, each with its own approach to attribution.36 A future network that provides an information dissemination and retrieval service as part of its core function would imply some sort of binding between user and information that would be visible "in the network." We believe that our general conclusions will apply across a range of possible future network designs: the linkage between machine-level attribution and higher-level attribution (e.g., personal) will be a jurisdictional policy matter, not just a technical matter, and mechanisms for attribution must balance a range of policy objectives, not just focus on deterrence.

B. Timing

It turns out that timing - whether one is attempting to prevent a bad situation from developing, stop an attack in its tracks, or investigate an exploitation after it has occurred - affects the methods one uses in handling the problem. Thus it is useful to consider attribution from these various vantage points.

35 There is some disagreement as to whether the original proposal was for some or all IPv6 addresses to be allocated to countries. For a 2004 statement that makes clear that the proposal was for only some addresses to be allocated in this way, see H. ZHAO, INT'L ITU AND INTERNET GOVERNANCE 8-9 (2004), available at www.itu.int/ITU-T/tsbdirector/itut-wsis/files/zhao-netgov02.doc.

36 One way to understand virtualization is to continue the analogy to delivery of letters and postcards. Instead of using separate physical trucks for different delivery services - the postal service, UPS, FedEx, and so on - the various providers could decide to have one physical fleet of trucks that is "virtualized," in other words shared among all the providers.

Each truck would follow only one physical route, but the different services might have different formats for addresses. Of course, to complete the "virtualization," not only would the space inside the truck be shared, but the truck would cleverly change the logo on the side as needed so it always had the correct branding to the customer. Each delivery company would have a "virtual truck" driving down the street.


1. Before the Fact: Prevention or Degradation

Actions taken before the attack are the ones most commonly associated with "computer security" - they involve good defenses for computers and the networks themselves, such as by downloading the latest patches or instituting good operating practices. None of these involve the need for attribution, but putting tools in place to implement good authentication and authorization is part of good security. For some classes of attacks, specifically DDoS events, it may be possible to degrade the viability of the bot-net or the potency of the attack by preventive actions that affect infected machines. In this respect, degradation of attacks can involve remote attribution.

2. During the Fact: Mitigation

During an attack/event, the main objective is to stop or mitigate the event. Secondarily, one may want to gather evidence to be used after the fact. What one can do during an attack depends on the nature of the attack, and different approaches to mitigation place different requirements on attribution for the attack. Different approaches will be needed to stop a DDoS attack and data exfiltration while it is happening.

3. After the Fact: Retribution

The traditional discussion of deterrence focuses on what would happen after the fact, when some sort of retribution would be exacted. For example, as discussed above, if the event is classed as a crime, this would trigger a police response. Primarily, police investigate crimes, identify the perpetrator, and gather the evidence for prosecution. Attribution is at the center of this role. Unless one can identify the perpetrator, retribution is hard to achieve. However, as we illustrated above in our examples of attacks, the actual situation is more complex in a computer-generated situation than this simple story might imply.

4. Ongoing: Attribution as a Part of Normal Activity

In fact, the "before the fact" phase above defines what should be the normal operating mode of the system. With good preparation, bad events might not occur. However, one should look at the role of identity and attribution in the ongoing operation of a system. The idea of authentication is well understood. Several sorts of ongoing activities are made more trustworthy not by trying to prevent misbehavior in real time, but by demanding strong accountability. For example, access to medical records in an emergency room may best be controlled by allowing the access but requiring that the doctor making the request be thoroughly identified so the request can be logged.

C. Investigators

There are various sorts of deterrence that might be imagined; these have different implications for the needed quality and precision of the attribution. Different actors - police, intelligence services, and the military - will benefit from different sorts of attribution. In the case of attacks that are described as crimes, the usual sort of deterrence is judicial - arrest and prosecution - while in the case of cyberexploitation from military or national security sites, the deterrence may take diplomatic or retaliatory routes.

Judicial response would seem to call for attribution at the level of the individual, and of forensic quality - sufficient to bring into court. However, this model of attribution may be over-simplified. First, the most important role of attribution may be during the course of the investigation, when evidence is being gathered. Having a clue about attribution that is sufficient to guide an ongoing investigation may be critical. One FBI agent put it this way: "I could do packet attribution and let's say it gets me to a physical location. Maybe I get a search warrant and I get back. How I get there is important."37 After that point, forensic quality evidence matters. From the investigator's standpoint, "[What's] critically important is that you have evidence. Packet attribution is not beyond a reasonable doubt. The biggest thing in attribution is you're not looking for a computer; you're looking for a person."38 Prosecutors look for certain kinds of evidence to bring before a jury. Evidence of on-line identity, however robust technically, may be less compelling than evidence gathered from carrying out search warrants and following the money. Packet-level attribution may aid an investigation, but our world still demands that the real evidence come from the physical world.

Telephone interview by Susan Landau with senior FBI official (Dec. 14, 2009) (notes on file with Landau).


National security investigators perform a different act than law enforcement investigators when sifting the evidence in cyberexploitations or cyberattacks. They are seeking intelligence rather than producing court evidence. Where that evidence is produced - the jurisdiction - will play an important role in its veracity. A national security investigation cannot depend on packet-level attribution produced outside a trustworthy domain.

D. Jurisdiction

Different parts of the Internet operate within different jurisdictions: different countries, different legal systems, and (within these jurisdictions) both as public and as private-sector activities. Any discussion of attribution must consider jurisdictional issues.

1. Variation in Enforcement

Some regions may be lax in their enforcement of laws and uninterested in making the investigation of cyber-attack a high priority. This can be an issue in any attack, but becomes of particular importance in attacks that involve cascades of machines: machine A infiltrates machine B to attack machine C, and so on. If the jurisdiction within which B sits is not responsive, it becomes much harder to gather any evidence (which may be transient) that might link B to A. There is anecdotal evidence that attackers may "venue-shop" for regimes in which aggressive investigation is unlikely.

Evidence suggests that for single-stage events, so long as there are procedures in place within a jurisdiction, mapping from IP address to higher-level attribution is practical. For example, in the United States, the Recording Industry Association of America ("RIAA"), under the provisions of the Digital Millennium Copyright Act, regularly obtains information from ISPs about their customers hosting material covered by copyright for the purpose of bringing lawsuits.39 The conclusion reached from this example should be the importance of jurisdiction in such a network investigation. To determine traffic origin requires investigating the machines traversed by the communications. If a jurisdiction permits such an investigation, then attribution - and perhaps deterrence - is possible. But if it does not, say because the jurisdiction does not view the activity as criminal, then tracing will not be possible.

39 See, e.g., Recording Indus. Ass'n of Am., Inc. v. Verizon Internet Serv., 351 F.2d 1229 (D.C. Cir. 2003).

This suggests that even if we were to push for a variant of the Internet that demanded very robust identity credentials to use the network, tracing would remain subject to barriers that would arise from variation in jurisdictions. Unless we imagine that all countries would agree to the election of a single, global identity authority, credentials would be issued by individual countries, where the quality of the process would be highly variable. In view of this, it is worth examining the issue of criminal versus national security investigations more closely.

2. Criminal Versus National Security Investigations

"Follow the money" is surprisingly useful as a guide to investigations. That adage might seem odd in investigating crimes that are purely virtual, but the fact is that almost all criminal activity (including child pornography) involves money. Thus, for example, although their initial theft was of bits, if the RBSWorldPay40 criminals were to profit, in the end they needed to collect money from bank accounts. Even in child pornography cases, there are producers, organizers, users - and money.
