Identification of Repeated DoS Attacks using Network Traffic Forensics

Once an attacker has compromised a set of machines, typically, he will repeatedly deploy the same set of machines to attack different targets. In this paper, we propose a method to identify repeated attack scenarios, that is, the combination of a particular set of hosts and attack tool, by making use of pattern recognition techniques. While previous methods have focused on intrusion detection using anomaly and signature matching based primarily on header content, our approach attempts to identify unique fingerprints encoded in the packet arrival streams created by the attacker and the attack tool. We investigate the plausibility of our approach on real-world attacks captured at a regional ISP. We designed a multi-dimensional maximum-likelihood classifier to identify repeated attack scenarios based on spectral content of the attack. The preliminary results indicate that in addition to having similar header content, repeated attacks also have similar spectral behavior. We conducted controlled experiments to isolate factors that affect the attack fingerprint. Such an attack scenario identification system can be used to investigate and establish attribution of the DoS attacks, and could also be used to estimate the deployment of a particular attack tool.