An IP traceback model for network forensics

Abstract

Network forensics deals with the capture, recording, analysis and investigation of network traffic to trace back the attackers. Its ultimate goal is to provide sufficient evidence to allow the perpetrator to be prosecuted. IP traceback is an important aspect of the investigation process, in which the real attacker is identified by tracking the source address of the attack packets. In this paper we classify the various approaches to network forensics to list the requirements of the traceback. We propose a novel model for traceback based on autonomous systems (AS) and deterministic packet marking (DPM) to enable traceback even with a single packet. The model is analyzed against various evaluation metrics. The traceback solution will be a major step in the direction of attack attribution and investigation. © Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2011.

Cite

Pilli, E. S., Joshi, R. C., & Niyogi, R. (2011). An IP traceback model for network forensics. In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST (Vol. 53, pp. 129–136). https://doi.org/10.1007/978-3-642-19513-6_11
