Authors: Thomas Daniels



Determining the originating node of network traffic is a key problem in network forensics. Since a network attacker is unlikely to leave direct evidence of his identity, it is useful to find his point of entry into the network. This, along with further host-based investigation, can tie a given suspect to an attack. Past work on this origin identification problem has assumed either cooperative users (authentication) or simple mechanisms of origin concealment (e.g. Carrier's STOP protocol). Because such work is usually specific to a single type of origin concealment, we know little about the origin identification problem in general. In this paper, we discuss passive approaches that do not modify traffic but instead store observations for later analysis.