Identification of Repeated Attacks Using Network Traffic Forensics

Denial-of-service attacks on the Internet today are often launched from zombies, multiple compromised machines controlled by an attacker. Attackers often take control of a number of zombies and then repeatedly use this army to attack a target several times, or to attack several targets. In this paper, we propose a method to identify repeated attack scenarios, that is, the combination of a particular set of hosts and attack tool. Such identification would help a victim coordinate response to an attack, and ideally would be a useful part of legal actions. Because packet contents can be forged by the attacker, we identify an attack scenario by spectral analysis of the arrival stream of attack traffic. The attack spectrum is derived from the characteristics of the attack machines and can therefore be obscured only by reducing attack effectiveness. We designed a multi-dimensional maximum-likelihood classifier to identify repeated attack scenarios. To validate this procedure we apply our approach on real-world attacks captured at a regional ISP, identifying similar attacks first by header contents (when possible) and comparing these results to our process. We conduct controlled experiments to identify and isolate factors that affect the attack fingerprint.