Finding a Connection Chain for Tracing Intruders

Intruders usually log in through a chain of multiple computer systems to hide their origins before breaking into their targets, which makes tracing difficult. In this paper we present a method to find the connection chain of an intruder for tracing back to the origin. We focus on telnet and rlogin as interactive applications intruders use to log in through hosts. The method involves setting up packet monitors at as many traffic points as possible on the Internet to record the activities of intruders at the packet level. When a host is compromised and used as a step-through host to access another host, we compare the packet logs of the intruder at that host to logs we have recorded all over the Internet to find the closest match. We define the ‘deviation’ for one packet stream on a connection from another, and implement a system to compute deviations. If a deviation is small, the two connections must be in the same connection chain. We present some experimental results showing that the deviation for two unrelated packet streams is large enough to be distinguished from the deviation for packet streams on connections in the same chain.