FREE ELECTRONIC LIBRARY - Theses, dissertations, documentation

Pages:     | 1 |   ...   | 3 | 4 || 6 |

«Untangling Attribution David D. Clark* and Susan Landau** I. Introduction In February 2010, former Director of the National Security Agency Mike ...»

-- [ Page 5 ] --

A lack of laws against criminal activity on the Internet originally made prosecution of such activities difficult. Thus, for example, there were no charges brought against the Filipino developer of the 2000 ILOVEYOU virus; the Philippines only criminalized this activity three months after the release.4 1 A combination of the development of national laws and much greater international cooperation has greatly improved the ability to track and prosecute clearly criminal Internet activities (e.g., identity theft, child pornography, and malware propagation). The key issue is what constitutes "clearly criminal." Economic espionage is not a crime in much of the world, and therefore other nations are unlikely to aid the United States in investigating or prosecuting such activities conducted against U.S. industries.

That does not mean that investigation and consequences are not possible, only that they cannot follow the path of criminal prosecution the way as did, say, theft from RBS WorldPay If a nation-state is involved in data exfiltration, then the problem is a national security issue, not a law enforcement case. The level of proof of the attribution need not stand up in court. Indeed, the level of proof used to 40 See supra text accompanying note 23.

41 CIVIL CODE, Rep. Act 8792 (Phil.).

2011 / UntanglingAttribution determine the attribution may never be made public even if the accusations of spying are. Intelligence agencies deal with certain forms of espionage, such as cyberexploitations of national research labs or defense contractors.

Intelligence agencies do not usually try to bring spies into court governments have their own ways of pushing back on attacks - but instead employ forms of tit-for-tat that require a degree of attribution, but perhaps only at the level of the state actor responsible. Diplomats can enter into a "shall we confront or cooperate" negotiation with their counterparts, using evidence that might not stand up in court but which is sufficiently compelling to underpin the negotiation.

Finally, if a cyberattack occurs as part of what is seen as "armed conflict," there may be some form of military response. This form of response is not usually directed at a specific person, but at a state or nonstate group. The level of attribution that is required is thus to some larger aggregate, not the individual. To the extent that the initial manifestation of attribution is at the level of the IP address, the question that arises is how, and with what precision, this can be associated with some collective actor.

To the military, attribution at the level of an individual is not useful. Of course, there may be times when it is in a nation's interest not to publicly attribute hostile acts to other nations - even when they are sure which nation is the hostile actor. Thus packet-level attribution would actually be against a state's interest.

VI. Summarizing the Value of Attribution

While there are probably many specific identity/attribution schemes, they seem to fall into general categories: the machine, the person, and the aggregate identity, such as a state actor. The term principal is often used to describe the person or other entity that is ultimately accountable for some action.

Machines may have their own credentials and may store credentials for principals, but machines act only on behalf of some agent, and that agent (individual or collective) is the entity that must be identified and held accountable if effective deterrence is to occur. Thus machine attribution plays an important role in attribution, but is not of great value by itself if the goal is holding that agent accountable.

HarvardNationalSecurity Journal/ Vol. 2 Under many circumstances, it is possible, with some effort, to link an IP address to a higher-level form of identity, whether an individual, a family (for residential broadband access), a corporation, or a state. Making this connection may be very difficult if the alleged attacker is in another jurisdiction. More importantly, attacks that involve cascades of machines challenge us to make the linkage back to the computer that belongs to the attacker that should be held accountable.

During an attack, when the goal is mitigation, it is not generally useful to identify the responsible person; what is needed is to deal with the machines that are the source of the attack. This sort of attribution is usually associated with IP addresses.

Retribution is not typically directed at a machine; after all, one does not usually arrest a machine. However, one could imagine various forms of active defense, in which a system under attack reaches out and somehow disables the attacking machine. This could be seen as a form of tit-for-tat retribution. It is probably illegal under U.S. law, but would represent an example of punishing a machine rather than a person. The practical issue here is that if the machine is an intermediary belonging to an innocent user, the degree of punishment (if it is allowed at all) must be carefully crafted to fit the crime. Mitigating these sorts of attacks is important, and various proposals will have to be considered, such as asking the ISP hosting an attacking machine to disconnect it from the net for a few minutes. Any such scheme must be designed in such a way that it itself cannot be subverted into a tool for originating an attack. One might force a machine to reboot to see if this disabled the attack code, but this again looks like a direct attack.4 2

A. What Attribution Can Deliver

Various different approaches are possible: machine-level attribution, application-level attribution based on credentials exchanged between endpoints, and redesigning systems so the costs of an attack lie partially on the attackers. We consider each of these briefly.

42 Current recommended practice for ISPs is for the ISP hosting the infested machine to verify that the machine appears to be part of a bot-net, then use its billing records to translate from machine to person, and send the person a letter.

2011 / UntanglingAttribution

–  –  –

Much has been made of the fact that source IP addresses can be forged. However, the only sort of attack where a forged IP address is effective is a DDoS attack, where the goal is just to flood the destination with useless traffic. Any more sophisticated exchange, for example in support of espionage, will necessitate a two-way exchange of information;

this requires the use of valid source addresses. In a multi-step attack, the infiltration preparation of the intermediate machine requires meaningful communication; all but the last step will have valid source addresses.

2. Application-level Attribution

Especially if we were to redesign some protocols, the use of application-level attribution based on credentials exchanged among endpoints is the approach that has the best balance of implications. First, the applications, having knowledge of the task, can pick the best tradeoff between strong accountability and the resulting protections and weaker (or no) accountability and its freedoms. A web site may want to allow access without demanding any identification, even though doing so weakens its access to retribution for attack. The site can compensate for this by limiting the consequences of attack - certainly there should be no confidential information on such a machine. DDoS may be the only real peril for such a machine, since defacement can usually be corrected quickly.

On the other hand, a machine storing highly confidential information should have no reason to permit any connection without strong identification of the other parties. An example of such would be a system handling process control for the power grid. While the best security would be to have the system not connected to the public Internet, for reasons of convenience, such connections do occur. In that case, one wants a defensive strategy that would include connection to the system only if strong forms of authentication are employed.

If a machine is attacked, we need a regime in which that machine can present evidence of attribution that it has gathered (both at the IP and application level), which it chooses to reveal because of the attack. Steps must be taken to prevent the end-point from falsifying this evidence; for example by means of some use of cryptography, or the use of trusted observers as witnesses. If this approach can be made to work, then the HarvardNationalSecurity Journal/ Vol. 2 revelation of each party's identity is under the control of the other parties, but no others. This seems like a nice balance of features.

–  –  –

One might conclude from the above discussion that the goal of improved deterrence based on better attribution is hopeless. This conclusion is overly pessimistic. The correct conclusion we draw is that change to the Internet to add some sort of public, personal identity mechanism at the packet level is not useful and in fact counter-productive. Such identification would adversely impact privacy and would seriously impair many law enforcement and national security investigations. But one might imagine various sorts of clever "shifts in the playing field" that would make certain sorts of attribution easier to accomplish. Thus one could indirectly orthogonally - approach the issue of attribution.

For example, would allocation of addresses to countries so that addresses could more easily and robustly be linked to a jurisdiction be a good idea? Such a change would have many implications,4 3 and careful thought would be required to consider whether such a change would be in the best interest of nation-states, ISPs, content providers, Internet governance organizations, users and the other actors involved with the Internet.

Would it make sense to hold owners of intermediate machines in a multi-stage attack responsible to some (perhaps minor) degree for the resulting harm of the attack? This approach might heighten attention to better security of computers attached to the net and might lay the groundwork for a multi-stage trace-back system in which machines that allow themselves to be infiltrated become subject to third-party external surveillance as a consequence. To put it another way, poor system maintenance would result in a loss of privacy.

' Implications might include state control over who can have addresses and more state control over which firms can be ISPs, better localization of content in country-specific ways, selective jurisdiction-specific blocking of content, and reduction in the power that regional address allocation authorities have over the operation of ISPs within different countries.

2011 / UntanglingAttribution

4. Costs of Attribution

Few technical solutions have purely one-sided effects, and attribution is no exception to this general principle. Once a mechanism for attribution is put in place, we must expect that it will be used differently in different jurisdictions, according to the laws and customs of each country. In the United States, we may talk about deterrence as a goal to stop the breaking of our laws, while another country might use the same tools to repress dissidents. Better attribution tools could also be used to detect our intelligence services at work. Making one task easier makes these other related tasks easier, unless we take specific actions to separate classes of activity in a technical way. This sort of separation would imply the use of different forms of attribution in different circumstances; a consequence of this is that attribution tools should not be built into the core fabric of the Internet.

VII. Conclusions

Our fundamental conclusion is that "the attribution problem" is not actually a technical issue at all, but a policy concern with multiple solutions depending on the type of technical issue - e.g., DDoS attack, criminal activity, or data exfiltration - to be solved. Our conclusions are that, not surprisingly, solutions to the "attribution problem" lie outside the technical realm, and are instead in the space of law, regulation, multi-national negotiation, and economics.

A. Conclusion 1

The occasions when attribution at the level of an individual person is useful are very limited. Criminal retribution requires identifying a specific person and assigning blame, but the evidence that is finally brought into court is unlikely to be "forensic quality" computer-based identity, but rather other sorts of physical evidence found during the investigation. Clues about identity may be more important during the course of an investigation.

–  –  –

In application-level attribution as we described it, each end-point may take steps to know who the other parties to the communication are, but that knowledge is private to the communicating parties. In public or thirdparty attribution, an "observer in the middle" is given enough information that it can independently identify the communicating parties. In the current Internet, the only form of observer attribution is based on IP addresses.

Where public attribution is useful, it will be at the level of the machine, not the person. The most obvious case is "during the fact" DDoS mitigation, where nodes in the network need to take action based on source and destination addresses.

We believe that public attribution beyond what is available today (that is, not based on the IP address, but on finer levels that would identify a user) would seldom be of value in the Internet, and would, at the same time, be a major threat to privacy and the right of private action. Such a change would be inimical to many values intrinsic to the United States, including rights protected by the First Amendment to read and write anonymously. 4 4 As a corollary, we note that there are two kinds of observers, trusted (by one of the end points) and untrusted (or unaffiliated, perhaps). If and when observer-based attribution is useful, it will often be a specific case where one of the end-points invokes a trusted observer to monitor what is being sent, perhaps as a witness, or because the end-point machine is not itself trusted.

–  –  –

Multi-stage attacks, which require tracing a chain of attribution across several machines, are a major issue in attribution today.

Pages:     | 1 |   ...   | 3 | 4 || 6 |

Similar works:

«21 PSYCHOLOGICAL PROBLEMS ON EXPEDITIONS Michael Phelan od knows it is just about as much as I can stand at times, and there is abG solutely no escape. I have never had my temper so tried as it is everyday now,” wrote Edward Wilson, a Polar explorer, in . You do not have to spend the winter in the Antarctic to share some of the frustrations and annoyances that Wilson was describing to his wife. Expeditions are stressful and cause psychological difficulties for those involved....»

«‘Has multiculturalism failed?’ The importance of lay knowledge and everyday practice Caroline Howarth1 & Eleni Andreouli2 Abstract Multiculturalism has been a heavily debated term within Western political discourse and academic discussions. In the British political sphere, multiculturalism is increasingly seen as a failed project that encourages inter-group segregation. By contrast, academic discussions have focused on the institutional frameworks to be employed in order to advance cultural...»

«PUPPY By George Saunders Twice already Marie had pointed out the brilliance of the autumnal sun on the perfect field of corn, because the brilliance of the autumnal sun on the perfect field of corn put her in mind of a haunted house—not a haunted house she had ever actually seen but the mythical one that sometimes appeared in her mind (with adjacent graveyard and cat on a fence) whenever she saw the brilliance of the autumnal sun on the perfect etc. etc., and she wanted to make sure that, if...»

«Oracle® Customers Online Implementation Guide Release 12.1 Part No. E13573-04 August 2010 Oracle Customers Online Implementation Guide, Release 12.1 Part No. E13573-04 Copyright © 2002, 2010, Oracle and/or its affiliates. All rights reserved. Primary Author:     Ashita Mathur Contributor:     Ajai Singh, Amy Wu, Anish Stephen, Avinash Jha, Harikrishnan Radhakrishnan, Leela Krishna, Nishant Singhai, Ramanasudhir Gokavarapu, Shankar Bharadwaj Oracle is a registered trademark of Oracle...»

«260 MILITARY LAW REVIEW [Vol. 204 LIEUTENANT COLONEL JEFF BOVARNICK∗ I challenge all leaders to make a focused, personal commitment to read, reflect, and learn about our profession and our world. Through the exercise of our minds, our Army will grow stronger.1 ∗ Judge Advocate, U.S. Army. Presently assigned as Professor and Chair International & Operational Law Department, The Judge Advocate General’s Legal Center & School (TJAGLCS), U.S. Army, Charlottesville, Virginia. LL.M., 2002,...»

«This paper is part of an ASAP special collection on Social Psychology and Contemporary Immigration Policy Analyses of Social Issues and Public Policy, Vol. 00, No. 0, 2011, pp. 117 How the Media Frames the Immigration Debate: The Critical Role of Location and Politics Stephanie A. Fryberg∗ University of Arizona Nicole M. Stephens Kellogg School of Management, Northwestern University Rebecca Covarrubias University of Arizona Hazel Rose Markus Stanford University Erin D. Carter, Giselle A....»

«International Journal of Biomedical Engineering and Science (IJBES), Vol. 3, No. 1, January 2016 DESIGN OF SINGLE CHANNEL PORTABLE EEG SIGNAL ACQUISITION SYSTEM FOR BRAIN COMPUTER INTERFACE APPLICATION Amlan Jyoti Bhagawati and Riku Chutia Department of Electronics & Communication Engineering, Tezpur University, India ABSTRACT In this paper designing of a battery operated portable single channel electroencephalography (EEG) signal acquisition system is presented. The advancement in the field of...»

«Canadian Studies in Population 39, No. 1–2 (Spring/Summer 2012):125–34. World Population Policies: Their Origin, Evolution, and Impact by John F. May Dordrecht: Springer, 2012 ISBN-10: 9400728360 US$179.00, 366 pp. Review essay by Anatole Romaniuk Department of Sociology, University of Alberta anromaniuk@yahoo.ca Introduction The book should not, and will not, pass unnoticed, and not just among specialists in the field of population studies proper, but well beyond, not the least among those...»

«Measuring cultural values and beliefs about environment to identify their role in climate change responses   Jennifer Price1*, Iain Walker1, and Fabio Boschetti2 Abstract -Cultural theory elucidates conflicting opinions driving the climate change debate. Patterns of shared values and beliefs are described as cultural biases. These partial perspectives about society and environment legitimize four ways of life worldviews. This research tests whether cultural biases about the environment have...»

«Journal of Community & Applied Social Psychology J. Community Appl. Soc. Psychol., 13: 197–205 (2003) Published online in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/casp.721 Synthesizing Homelessness Research: Trends, Lessons and Prospects ISOBEL ANDERSON* Housing Policy and Practice Unit, University of Stirling, Stirling, UK ABSTRACT This article presents an overview of some of the key trends emerging from homelessness research to date, lessons to be learned, and some...»

«What Are Intellectuals Good For? A Crooked Timber Seminar on George Scialabba’s Book Edited and organized by Henry Farrell c 2009. This work is licensed under a Creative Commons License. http://creativecommons.org/licenses/by-sa/2.5/ i Contents Contents ii Introduction 1 What Kinds of Intellectuals Should There Be? John Holbo 2 George Scialabba and the Culture Wars. Michael B´rub´ e e 6 Avoiding the Lasch of Modernity Rich Yeselson 15 Toward a Larger Left Aaron Swartz 23 No Live Readings...»

«Characterizing the bilingual disadvantage in noun phrase production Jasmin Sadat a, b, Clara Martin a, F.-Xavier Alario b, Albert Costa a, c a Departament de Tecnologies de la Informació i les Comunicacions, Universitat Pompeu Fabra, Barcelona, Spain b Laboratoire de Psychologie Cognitive, CNRS and Université de Provence, Marseille, France c Institució Catalana de Recerca i Estudis Avançats (ICREA) Running head: BILINGUAL NOUN PHRASE PRODUCTION Address correspondence to: Jasmin Sadat...»

<<  HOME   |    CONTACTS
2016 www.theses.xlibx.info - Theses, dissertations, documentation

Materials of this site are available for review, all rights belong to their respective owners.
If you do not agree with the fact that your material is placed on this site, please, email us, we will within 1-2 business days delete him.