
«Untangling Attribution David D. Clark* and Susan Landau** I. Introduction In February 2010, former Director of the National Security Agency Mike ...»

-- [ Page 4 ] --

2011 / Untangling Attribution

the levels of the hierarchy. Several commercial services now exist that provide the function of mapping an IP address to an approximate location.31 These services are designed to meet a number of customer needs, as their advertising suggests, including customization of Web content to different classes of customers and regulatory compliance. These services compete to provide accurate location information and advertise their precision in their marketing information. Various firms claim that 99-99.9% of IP addresses can be accurately localized to within a country, and that 90can be accurately localized to within a state, city, or other similar region.32 These services are used today by commercial Web content providers to localize their content to the presumed location of the user (e.g., to pick the right language), or in some cases, to block access to certain content based on the presumed locus (with respect to a jurisdiction), such as the blocking of Nazi memorabilia auctions to customers in France.33 They are designed to work in real-time (as part of processing a Web query), and can provide a rich, if approximate, mapping from IP address to other attributes.

The issue with many of these tools is that since the mapping is approximate, there is some degree of “plausible deniability” to assertions of responsibility. There have been proposals to “harden” the linkage between IP address and other information. For example, several countries put forward a proposal to the International Telecommunications Union (ITU) that as part of the conversion of the Internet from IPv4 to IPv6,34 addresses should be first allocated to states, which would then allocate them to the relevant private-sector actors. This would mean that the linkage from IP address to jurisdiction would be robust,35 and that it would be possible, for example, for the Chinese government to be certain where downloaded material, whether software stolen from U.S. companies or human-rights information from U.S. organizations, was going.

31 See, e.g., MaxMind GeoIP Databases, MAXMIND, http://www.maxmind.com/app/city (last visited Feb. 18, 2011); Our Technology, NetAcuity® IP Intelligence: Paving the Way to Deeper Online Connections, DIGITAL ELEMENT, http://www.digitalelement.com/our_technology/our_technology.html (last visited Feb. 18, 2011); Services: We Make High-Volume Transaction Seamless, QUOVA®: KNOW WHERE, http://www.quova.com/what/services/ (last visited Feb. 18, 2011).

32 For example, the MaxMind service cited above states that it is “99.8% accurate on a country level, 90% accurate on a state level, 83% accurate for the US within a 25 mile radius.” Id.

33 For a discussion of the French litigation to block the sale of Nazi memorabilia in their country, see JACK GOLDSMITH & TIM WU, WHO CONTROLS THE INTERNET?: ILLUSIONS OF A BORDERLESS WORLD 1–6 (2006).

34 The addresses currently used in the Internet, called IPv4 addresses, are not sufficiently large to deal with the growing size of the Internet. To deal with all the devices that are anticipated to be attached in the future, a new and larger set of addresses, called IPv6 addresses, has been designed. A transition from IPv4 to IPv6 is now beginning.

Harvard National Security Journal / Vol. 2

Of course, the transition from IPv4 to IPv6 is only one of the changes that may occur to the Internet over the coming years. A more dramatic change might be the introduction of a virtualized network infrastructure, which would permit multiple simultaneous networks to coexist, each with its own approach to attribution.36 A future network that provides an information dissemination and retrieval service as part of its core function would imply some sort of binding between user and information that would be visible “in the network.” We believe that our general conclusions will apply across a range of possible future network designs — the linkage between machine-level attribution and higher-level attribution (e.g. personal) will be a jurisdictional policy matter, not just a technical matter, and mechanisms for attribution must balance a range of policy objectives, not just focus on deterrence.

B. Timing

It turns out that timing — whether one is attempting to prevent a bad situation from developing, stopping an attack in its tracks, or investigating an exploitation after it has occurred — affects the methods one uses in handling the problem. Thus it is useful to consider attribution from these various vantage points.

35 There is some disagreement as to whether the original proposal was for some or all IPv6 addresses to be allocated to countries. For a 2004 statement that makes clear that the proposal was only for some addresses to be allocated in this way, see H. ZHAO, INT’L


ITU AND INTERNET GOVERNANCE 8–9 (2004) available at www.itu.int/ITU-T/tsbdirector/itut-wsis/files/zhao-netgov02.doc.

36 One way to understand virtualization is to continue the analogy to delivery of letters and postcards. Instead of using separate physical trucks for different delivery services — the postal service, UPS, Fedex, and so on — the various providers could decide to have one physical fleet of trucks that is “virtualized,” in other words shared among all the providers. Each truck would follow only one physical route, but the different services might have different formats for addresses. Of course, to complete the “virtualization,” not only would the space inside the truck be shared, but the truck would cleverly change the logo on the side as needed so it always had the correct branding to the customer. Each delivery company would have a “virtual truck” driving down the street.

1. Before the Fact: Prevention or Degradation

Actions taken before the attack are the ones most commonly associated with “computer security” — they involve good defenses for computers and the networks themselves, such as by downloading the latest patches or instituting good operating practices. None of these involve the need for attribution, but putting tools in place to implement good authentication and authorization is part of good security. For some classes of attacks, specifically DDoS events, it may be possible to degrade the viability of the bot-net or the potency of the attack by preventive actions that affect infected machines. In this respect, degradation of attacks can involve remote attribution.

2. During the Fact: Mitigation

During an attack/event, the main objective is to stop or mitigate the event. Secondarily, one may want to gather evidence to be used after the fact. What one can do during an attack depends on the nature of the attack, and different approaches to mitigation place different requirements on attribution for the attack. Different approaches will be needed to stop a DDoS attack and data exfiltration while it is happening.

3. After the Fact: Retribution

The traditional discussion of deterrence focuses on what would happen after the fact, when some sort of retribution would be exacted. For example, as discussed above, if the event is classed as a crime, this would trigger a police response. Primarily, police investigate crimes, identify the perpetrator, and gather the evidence for prosecution. Attribution is at the center of this role. Unless one can identify the perpetrator, retribution is hard to achieve. However, as we illustrated above in our examples of attacks, the actual situation is more complex in a computer-generated situation than this simple story might imply.

4. Ongoing: Attribution as a Part of Normal Activity

In fact, the “before the fact” phase above defines what should be the normal operating mode of the system. With good preparation, bad events might not occur. However, one should look at the role of identity and attribution in the ongoing operation of a system. The idea of authentication is well understood. Several sorts of ongoing activities are made more trustworthy not by trying to prevent misbehavior in real time, but by demanding strong accountability. For example, access to medical records in an emergency room may best be controlled by allowing the access but requiring that the doctor making the request be thoroughly identified so the request can be logged.

C. Investigators

There are various sorts of deterrence that might be imagined; these have different implications for the needed quality and precision of the attribution. Different actors — police, intelligence services, and the military — will benefit from different sorts of attribution. In the case of attacks that are described as crimes, the usual sort of deterrence is judicial — arrest and prosecution — while in the case of cyberexploitation from military or national security sites, the deterrence may take diplomatic or retaliatory routes.

Judicial response would seem to call for attribution at the level of the individual, and of forensic quality — sufficient to bring into court. However, this model of attribution may be over-simplified. First, the most important role of attribution may be during the course of the investigation, when evidence is being gathered. Having a clue about attribution that is sufficient to guide an ongoing investigation may be critical. One FBI agent put it this way: “I could do packet attribution and let's say it gets me to a physical location. Maybe I get a search warrant and I get back. How I get there is important.”37 After that point, forensic quality evidence matters. From the investigator's standpoint, “[What's] critically important is that you have evidence. Packet attribution is not beyond a reasonable doubt. The biggest thing in attribution is you're not looking for a computer; you're looking for a person.”38 Prosecutors look for certain kinds of evidence to bring before a jury. Evidence of on-line identity, however robust technically, may be less compelling than evidence gathered from carrying out search warrants and following the money. Packet-level attribution may aid an investigation, but our world still demands that the real evidence come from the physical world.

37 Telephone interview by Susan Landau with senior FBI official (Dec. 14, 2009) (notes on file with Landau).

38 Id.

National security investigators perform a different act than law enforcement investigators when sifting the evidence in cyberexploitations or cyberattacks. They are seeking intelligence rather than producing court evidence. Where that evidence is produced — the jurisdiction — will play an important role in its veracity. A national security investigation cannot depend on packet-level attribution produced outside a trustworthy domain.

D. Jurisdiction

Different parts of the Internet operate within different jurisdictions: different countries, different legal systems, and (within these jurisdictions) both as public and as private-sector activities. Any discussion of attribution must consider jurisdictional issues.

1. Variation in Enforcement

Some regions may be lax in their enforcement of laws and uninterested in making the investigation of cyber-attack a high priority. This can be an issue in any attack, but becomes of particular importance in attacks that involve cascades of machines: machine A infiltrates machine B to attack machine C, and so on. If the jurisdiction within which B sits is not responsive, it becomes much harder to gather any evidence (which may be transient) that might link B to A. There is anecdotal evidence that attackers may “venue-shop” for regimes in which aggressive investigation is unlikely.

Evidence suggests that for single-stage events, so long as there are procedures in place within a jurisdiction, mapping from IP address to higher-level attribution is practical. For example, in the United States, the Recording Industry Association of America (“RIAA”), under the provisions of the Digital Millennium Copyright Act, regularly obtains information from ISPs about their customers hosting material covered by copyright for the purpose of bringing lawsuits.39 The conclusion reached from this example should be the importance of jurisdiction in such a network investigation. To determine traffic origin requires investigating the machines traversed by the communications. If a jurisdiction permits such an investigation, then attribution — and perhaps deterrence — is possible. But if it does not, say because the jurisdiction does not view the activity as criminal, then tracing will not be possible.

39 See, e.g., Recording Indus. Ass’n of Am., Inc. v. Verizon Internet Serv., 351 F.2d 1229

This suggests that even if we were to push for a variant of the Internet that demanded very robust identity credentials to use the network, tracing would remain subject to barriers that would arise from variation in jurisdictions. Unless we imagine that all countries would agree to the election of a single, global identity authority, credentials would be issued by individual countries, where the quality of the process would be highly variable. In view of this, it is worth examining the issue of criminal versus national security investigations more closely.

2. Criminal Versus National Security Investigations

“Follow the money” is surprisingly useful as a guide to investigations. That adage might seem odd in investigating crimes that are purely virtual, but the fact is that almost all criminal activity (including child pornography) involves money. Thus, for example, although their initial theft was of bits, if the RBSWorldPay40 criminals were to profit, in the end they needed to collect money from bank accounts. Even in child pornography cases, there are producers, organizers, users — and money.
