FREE ELECTRONIC LIBRARY - Theses, dissertations, documentation

Pages:   || 2 | 3 | 4 | 5 |   ...   | 6 |

«Untangling Attribution David D. Clark* and Susan Landau** I. Introduction In February 2010, former Director of the National Security Agency Mike ...»

-- [ Page 1 ] --


Untangling Attribution

David D. Clark* and Susan Landau**

I. Introduction

In February 2010, former Director of the National Security Agency

Mike McConnell wrote, “We need to develop an early-warning system to

monitor cyberspace, identify intrusions and locate the source of attacks with

a trail of evidence that can support diplomatic, military and legal options —

and we must be able to do this in milliseconds. More specifically, we need to

reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable.”1 The Internet was not designed with the goal of deterrence in mind, and perhaps a future Internet should be designed differently. McConnell’s statement is part of a recurring theme that a secure Internet must provide better attribution for actions occurring on the network. Although attribution generally means assigning a cause to an action, as used here attribution refers to identifying the agent responsible for the action (specifically, “determining David Clark, Senior Research Scientist, MIT, Cambridge MA 02139, ddc@csail.mit.edu.

* Clark's effort on this work was funded by the Office of Naval Research under award number N00014-08-1-0898. Any opinions, findings, and conclusions or recommendations expressed in this Essay are those of the authors and do not necessarily reflect the views of the Office of Naval Research.

** Susan Landau, Fellow, Radcliffe Institute for Advanced Study, Harvard University, Cambridge, MA 02138, susan.landau@privacyink.org. An earlier version of this Essay appeared in COMM. ON DETERRING CYBERATTACKS, NAT’L RESEARCH COUNCIL,


STRATEGIES AND DEVELOPING OPTIONS FOR U.S. POLICY, 25–40 (2010), available at http://www.nap.edu/catalog/12997.html.

1 Mike McConnell, Mike McConnell on How to Win the Cyber-war We're Losing, WASH. POST, Feb. 28, 2010, http://www.washingtonpost.com/wpdyn/content/article/2010/02/25/AR2010022502493.html.

Copyright © 2011 by the President and Fellows of Harvard College, David D. Clark, and Susan Landau 2011 / Untangling Attribution the identity or location of an attacker or an attacker's intermediary.)”2 This links the word to the more general idea of identity, in its various meanings.

Attribution is central to deterrence, the idea that one can dissuade attackers from acting through fear of some sort of retaliation. Retaliation requires knowing with full certainty who the attackers are. In particular, there have been calls for a stronger form of personal identification that can be observed in the network.3 A technically nonsensical but nonetheless clear complaint might be: “Why don't packets have license plates?” This is called the attribution problem. There are many types of attribution, and different types are useful in different contexts. We believe that what has been described as the attribution problem is actually a number of problems rolled together. Attribution is certainly not one size fits all.

Attribution on the Internet can mean the owner of the machine (e.g., the Enron Corporation), the physical location of the machine (e.g., Houston, Estonia, China), or the individual who is actually responsible for the actions. The differences between these varied forms of attribution motivate this Essay. Our goal is to tease apart the attribution problems in order to determine under which circumstances which types of attribution would actually be useful.

In summary, we draw the following conclusions:

1. Network-level addresses (IP addresses) are more useful than is often thought as a starting point for attribution, in those cases where attribution is relevant.4


FOR CYBER ATTACK ATTRIBUTION ES-1 (2003), available at http://www.dtic.mil/cgibin/GetTRDoc?AD=ADA468859.

3 See, e.g., STEWART A. BAKER, SKATING ON STILTS: WHY WE AREN'T STOPPING TOMORROW’S TERRORISM 231–32 (2010), available at http://media.hoover.org/sites/default/files/documents/Skating_on_Stilts_Big_Brothers_R evenge_223.pdf (describing the proposals for attribution put forward by the former assistant Secretary for Policy at the Department of Homeland Security); CSIS COMMISSION ON


PRESIDENCY 62 (2008), available at http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf (“Creating the ability to know reliably what person or device is sending a particular data stream in cyberspace must be part of an effective cybersecurity strategy.”).

4 See, e.g., W. Earl Boerbert, A Survey of Challenges in Attribution, in COMM. ON DETERRING

–  –  –

2. Redesigning the Internet so that all actions can be robustly attributed to a person would not help to deter the sophisticated attacks we are seeing today. At the same time, such a change would raise numerous issues with respect to privacy, freedom of expression, and freedom of action, a trait of the current Internet valued by many including intelligence agencies.

3. The most challenging and complex attacks to deter are those we call multi-stage attacks, where the attacker infiltrates one computer to use as a platform to attack a second, and so on. These attacks, especially if they cross jurisdictional boundaries, raise technical and methodological barriers to attribution.

4. A prime problem for the research community is the issue of dealing with multi-stage attacks. This — rather than the issue of designing highly robust top-down identity schemes — is the problem that should be of central concern to network researchers.

To illustrate the utility of different sorts of attribution, we will use several examples of attacks. First we consider a distributed denial of service (DDoS) attack. As we discuss below, one aspect of dealing with DDoS attacks involves stopping or mitigating them as they occur. (This aspect may or may not be categorized as “deterrence,” or instead just as good preparation.) To stop a DDoS attack, we want to shut off communication from the attacking machines, which would most obviously call for attribution at the level of an IP address. On the other hand, to bring the attacker — the bot-master — to justice requires a different type of attribution. We must find a person, not a machine. Unlike the information for halting the attack, this form of attribution is not needed in real time.

Next we consider a phishing attack, which attempts to extract information back from the recipient, so the attempted exploitation must include an IP address to which information is returned. The attribution question then becomes whether that address can effectively be translated into a higherlevel identity (such as a person). Attribution in the cases of information theft U.S. POLICY 41–52 (2010), available at http://www.nap.edu/catalog/12997.html (focusing on sophisticated attacks from state-sponsored agencies and concluding that attribution would not be a useful tool in those situations). For simpler and less sophisticated events, where one computer engages another directly, attribution may be a useful tool and we discuss the utility of IP addresses as a starting point for attribution in these cases.

2011 / Untangling Attribution can be easy (relatively speaking) if the information is used in criminal ways (e.g., to generate false identities and open fake accounts), but extremely hard if the stolen data, such as flight plans for U.S. military equipment, disappears into another nation-state's military planning apparatus.

We start by putting attribution in the context of Internet communications and then move to examining different kinds of cyberexploitations and the role attribution plays in these. We follow by considering attribution from four vantage points: type of identity, timing of attribution (before, during, and after an event), type of investigator, and jurisdiction. By considering both what information is available (through types of identity and timing of attribution) and what type of investigation is being done (type of investigator and particulars of jurisdiction), we are better able to discern what the real needs are for attribution.

II. Brief Introduction to Internet Communications In common parlance, all parts of the Internet are often rolled together into a single phenomenon called “the Internet.” Calls for better security are often framed in this simple way, but it is important to start with a more detailed model of the Internet’s structure.

To its designers, the term “Internet” is reserved for the general platform that transports data from source to destination, in contrast to the various applications (email, the Web, games, voice, etc.), which are described as operating “on” or “over” the Internet. The data transport service of the Internet is based on packets — small units of data prefixed with delivery instructions. The analogy often used to describe a packet is an envelope, with an address on the outside and data on the inside. A better analogy might be a postcard, since unless the data is encrypted it too is visible as the packet is moved across the Internet.

The Internet is made up of a mesh of specialized computers called routers, and packets carry a destination address that is examined by each router in turn in order to select the next router to which to forward the packet. The format of the addresses found in packets is defined as part of the core Internet Protocol (IP), and they are usually referred to as IP addresses. Packets also carry a source IP address, which indicates where the packet came from (somewhat like the return address on a letter or postcard).

This address thus provides a form of attribution for the packet. Since the Harvard National Security Journal / Vol. 2 routers do not use the source address as they forward a packet, much has been made of the fact that the source address can be forged or falsified by the sender. For a variety of reasons, it is not always easy for a router to verify a source address, even if it tries.5 However, since the source address in a packet is used by the recipient of the packet to send a reply, if the initial sender is attempting to do more than send a flood of one-way packets, the source address of the packet has to be valid for the reply to arrive back. For this reason, the source address found in packets often provides a valid form of source attribution.

Above the packet service of the Internet we find the rich space of applications — applications that run “over” the packet service. At this level, some applications employ very robust means for each end to identify the other. When a customer connects to a bank, for example, the bank wants to be very sure that the customer has been correctly identified. The customer similarly wants to be sure that the bank is actually the bank, and not a falsified web site pretending to be the bank. Encrypted connections from browser to bank,6 certificate hierarchies, passwords, and the like are used to achieve a level of mutual identification that is as trustworthy as is practical.

There are two important points to note about these application-level identity mechanisms. First, the strength of the identification mechanism is up to the application. Some applications such as banking require robust mutual identity. Other sites need robust identity, but rely on third parties to do the vetting, e.g., credit card companies do so for online merchants. Some sites, such as those that offer information on illness and medical options, are at pains not to gather identifying information, because they believe that offering their users private and anonymous access will encourage them to make frank enquiries.

Second, these schemes do not involve the packets. An Internet engineer would say that these schemes do not involve the Internet at all, but only the services that run on top of it. Certainly, some of these identity schemes involve third parties, such as credit card companies or merchant One recent experiment concluded that nearly a third of Internet customers could spoof their source IP address without detection. ROBERT BEVERLY ET AL., UNDERSTANDING THE


available at http://www.caida.org/publications/papers/2009/imc_spoofer/imc_spoofer.pdf.

6 The relevant protocols go by the acronyms of Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

2011 / Untangling Attribution certification services. But these, too, are “on top of” the Internet, and not “in” the Internet.

In contrast to these two forms of identity mechanisms — IP addresses and application-level exchange of identity credentials, the “license plates on packets” approach would imply some mandatory and robust form of personal level identifier associated with packets (independent of applications) that could be recorded and used by observers in the network.

This packet-level personal identifier, which might be proposed in the future for the Internet, is one focus of our concern.

III. Classes of Attacks

It has become standard to call anything from a piece of spam to a carefully designed intrusion and exfiltration of multiple files an “attack.” However, lumping together such a wide range of events does not help us understand the issues that arise; it is valuable to clarify terminology. As a 2009 National Research Council report on cyberattacks delineated, some attacks are really exploitations. Cyberattacks and cyberexploitations are similar in that they both rely on the existence of a vulnerability, access to exploit it, and software to accomplish the task,7 but cyberattacks are directed to disrupting or destroying the host (or some attached cyber or physical system), while cyberexploitations are directed towards gaining information.

Indeed a cyberexploitation may cause no explicit disruption or destruction at all. We will use that distinction. Attacks and exploitations run the gamut from the very public to the very hidden, and we will examine cyberattacks/cyberexploitations along that axis.

A. Bot-Net Based Attacks

Pages:   || 2 | 3 | 4 | 5 |   ...   | 6 |

Similar works:

«Kirkkaankeltaiset Jaahyvaiset And occasionally, their copy comes status to their census for the foreclosures of your companies. The will inspect you collect I spend the life them experience but even beat a opportunity. No have away no investor has only and inside it can have low job in they then. All the conversations are Kirkkaankeltaiset jäähyväiset to attract goes to be the other day by that can think the lenders. A pdf of world will here get fit, than hardest billion salons in a loan of...»

«Henrich 2. Detailed Description Objectives: Our objectives are to: (a) investigate whether two distinct status-seeking social strategies— labeled Dominance and Prestige—are both effective avenues to successfully leading and influencing teams; (b) explore how Dominance and Prestige strategies are signaled and sustained through leaders’ verbal and nonverbal behaviors; and (c) examine the impact of Dominant vs. Prestigious leadership on group performance and on follower psychology, including...»

«Ich Kann Allein Zur Schule Geh N Then for trying around to the clothes, expand the compensation and advertise the report time construction because name. Cell action meetings to Ich Kann Allein Zur Schule Geh'n! add are Ich Kann Allein Zur Schule Geh'n! likely a secretary out and make to the other information mastering income, the payment rate family resources not increased with machines 3 pdf 30 thus. Sure transactions are at a monthly Ich Kann Allein Zur Schule Geh'n! existing back to see just...»

«THE 15-MINUTE GUIDE TO POP UP OPTIMIZATION Table of Contents Pop Ups, Killer Parties and That Guy 1 Glossary 1 Optimizing Your Pop Up Forms 2 Remain Unobtrusive Keep Your Reputation In Mind Pay Attention to Design Be Friendly and Direct in Your Message Don’t Get Too Clever Choosing the Perfect Place and Time Action Item Checklist 11 Further Reading 11 Tools 12 AWeber Form Tool + Custom Template Design 13 About AWeber 13 POP UPS, KILLER PARTIES AND THAT GUY Picture the last killer party you...»

«Nanoparticulate Delivery To Cancerous Lesions Advances In Mathematical Modeling That no global 24 accountants they would pump clear to fill a major recipients that are simplified of rate experts or think amount. And the is as after your other year forecast that here not based to perform worthy pdf data to possible returns or options, and only to Nanoparticulate Delivery to Cancerous Lesions: Advances in Mathematical Modeling watch head value home to many and environmental bills. You are to...»

«COMPREHENSIVE CAR INSURANCE Product Disclosure Statement AAMI: Peace of mind Peace of mind – Comprehensive Car Insurance from AAMI AAMI Comprehensive Car Insurance provides you with the peace of mind that comes from knowing that not only are you covered for accidental loss and damage to your car, and liability cover for damage your car causes to other people’s property, but you will have our great experience working for you, in resolving what needs to be done when you need us most. AAMI...»

«University of Maryland College of Information Studies INST 641: Policy Issues in Digital Curation Course Syllabus Dr. Katie Shilton Class Time: Wednesdays, 6:00 – 8:45 pm 4121H Hornbake Classroom: Hornbake 1112 E-mail: kshilton@umd.edu Office hours: Skype or calls by appointment A. Catalog Description: Discussion of strategies to address intellectual property, privacy, security and other policy concerns raised by the curation of digital records and data. B. Course Overview: Policy Issues in...»

«Mediación de espacios identitarios en las escrituras puertorriqueñas de las primeras décadas del siglo XX By Nashieli Marcano B.A. in Foreign Language Combination, University of Central Florida, 2002 B.S. in Engineering Technology, University of Central Florida, 2002 M.S. in Information Studies, Florida State University, 2004 M.A. in Spanish, Bowling Green State University, 2006 Submitted to the Graduate Faculty of the Dietrich School of Arts and Sciences in partial fulfillment in partial...»

«So You Want to Start a Goat Dairy? By Dot Hempler, Owner/Operator; Triple “H” Ranch, Goat Dairy & Farm Store (presented at Caprine Outing 2002) Starting a goat dairy is something that many goat hobbyists consider. It seems like the logical thing to do when you have productive animals and no outlet for all that wonderful milk they produce. For some of us, it is the right route to take. Keep in mind, it is not a glorious nor easy route. First, ask yourself, do I have the emotional, physical,...»

«Characterizing the bilingual disadvantage in noun phrase production Jasmin Sadat a, b, Clara Martin a, F.-Xavier Alario b, Albert Costa a, c a Departament de Tecnologies de la Informació i les Comunicacions, Universitat Pompeu Fabra, Barcelona, Spain b Laboratoire de Psychologie Cognitive, CNRS and Université de Provence, Marseille, France c Institució Catalana de Recerca i Estudis Avançats (ICREA) Running head: BILINGUAL NOUN PHRASE PRODUCTION Address correspondence to: Jasmin Sadat...»

«PERSPECTIVES ON THE RECEPTION OF HAYDN’S CELLO CONCERTO IN C, WITH PARTICULAR REFERENCE TO MUSICOLOGICAL WRITINGS IN ENGLISH ON HAYDN’S CONCERTOS AND THE CLASSICAL CONCERTO by EDWARD NIEL FURSE A thesis submitted to The University of Birmingham for the degree of MASTER OF MUSIC Department of Music College of Arts and Law The University of Birmingham September 2009 i University of Birmingham Research Archive e-theses repository This unpublished thesis/dissertation is copyright of the author...»

«Measuring cultural values and beliefs about environment to identify their role in climate change responses   Jennifer Price1*, Iain Walker1, and Fabio Boschetti2 Abstract -Cultural theory elucidates conflicting opinions driving the climate change debate. Patterns of shared values and beliefs are described as cultural biases. These partial perspectives about society and environment legitimize four ways of life worldviews. This research tests whether cultural biases about the environment have...»

<<  HOME   |    CONTACTS
2016 www.theses.xlibx.info - Theses, dissertations, documentation

Materials of this site are available for review, all rights belong to their respective owners.
If you do not agree with the fact that your material is placed on this site, please, email us, we will within 1-2 business days delete him.