Passive Forensic Identification of Network TCP/IP Communication Endpoints
The biggest headlines in network security feature the dark world of outside hackers, worms, and viruses. In reality, however, a company's network is more likely to be compromised by people inside the organization, through either malicious acts or simple noncompliance with established security policy. Identifying which user is responsible becomes hard when the company uses Network Address Translation (NAT) so that many hosts on a private network reach the internet through a single public IP address: external logs then show only that one shared address.
The traditional approach to finding a noncompliant user is to remove the drives from suspect computers after hours, image them, and put them back, then analyze deleted files, fragments, inodes, logs, and histories for evidence of malicious or noncompliant use. This approach is very labor intensive, and there is a real chance that the adversary will discover he or she is under investigation and destroy evidence.
APL researchers have developed a way to identify specific machines through Remote Network Fingerprinting. The technique:
Exploits a physical characteristic unique to each machine (the drift of its hardware clock)
Identifies the endpoints in a communication
Shows whether an endpoint participated in a given transaction or was not involved in it
The University of California San Diego (UCSD) developed an approach that exploits small deviations in device hardware, clock skews, to create a "fingerprint" of a machine. The UCSD method collects TCP time-stamp option values from an observed machine during a collection phase, converts each one into the offset of the observed clock from the measurer's own clock, and plots that offset against the measurer's time in a scatter plot. A convex hull fit is then drawn over the points, and the slope of that line is the clock skew of the observed machine. The investigator groups similar skews to sort out individual machines. The UCSD work raised but did not answer two questions: how many samples are needed, and how differing network topologies affect the result. It also made no use of statistical methods: a convex hull fit yields a slope but no standard error, so the whole body of regression error analysis is unavailable to the investigator.
APL researchers extended the UCSD work by estimating skew with linear regression and applying error analysis theory to determine the required sample size. They simulated WAN delay and measured PCI bus clock speed to link clock skew to the physical hardware, and found that PCI bus clock speed is directly related to clock skew. Linear regression identifies individual machines to within a few parts per million. The number of samples required increases with the observed time-stamp error and the desired confidence level, and decreases as the collection interval lengthens or the allowed parts-per-million tolerance widens.
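The following Python is an added worked example of the regression approach described in the two paragraphs above; it is not code from the page, from APL, or from UCSD. It builds the offset-versus-time series from captured TCP time-stamp values, fits the slope by ordinary least squares to obtain the skew in parts per million together with its standard error, derives the number of samples needed for a chosen confidence level and tolerance from that standard-error formula, and groups flows whose skews match. All capture data is constructed inside the script (three simulated hosts, a 1000 Hz time-stamp clock, one-sided uniform network delay); the 1 ppm grouping tolerance, the 95% confidence level, and the even-spacing approximation Sxx ≈ nT²/12 are assumptions of the example, not figures from the page.

```python
"""Clock-skew fingerprinting of TCP endpoints by linear regression.

Added example, not APL's or UCSD's code. Assumed input: per observed host, a
list of (measurer_capture_time_s, tcp_tsval) pairs in capture order, where
tcp_tsval is the TCP timestamp option value and the host's timestamp clock
ticks HZ times per second (1000 Hz assumed).
"""
import math
import random

HZ = 1000  # assumed tick rate of the observed hosts' TCP timestamp clock


def clock_offsets(samples, hz=HZ):
    """Build the offset series: x = measurer elapsed time since the first
    packet, y = elapsed time by the host's timestamp clock minus x. A clock
    that runs fast accumulates a positive offset; slope of y vs x is skew."""
    t0, v0 = samples[0]
    xs, ys = [], []
    for t, v in samples:
        x = t - t0
        xs.append(x)
        ys.append((v - v0) / hz - x)
    return xs, ys


def regress_skew(xs, ys):
    """Ordinary least-squares slope of offset vs time and its standard error,
    returned as (skew_ppm, stderr_ppm). Unlike a convex hull fit, the
    residuals give a standard error and hence a confidence interval."""
    n = len(xs)
    if n < 3:
        raise ValueError("need at least 3 samples to estimate a standard error")
    xbar = sum(xs) / n
    ybar = sum(ys) / n
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = ybar - slope * xbar
    sse = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys))
    stderr = math.sqrt(sse / (n - 2) / sxx)  # textbook SE of an OLS slope
    return slope * 1e6, stderr * 1e6


def required_samples(sigma_s, interval_s, tol_ppm, z=1.96):
    """Samples needed so that z * stderr(slope) <= tol_ppm. With n samples
    evenly spread over interval_s, Sxx ~ n*T^2/12 (assumption), so
    stderr ~ sigma / (T * sqrt(n/12)); solving for n gives the line below.
    The dependence on each ratio is quadratic. z=1.96 is a 95% interval."""
    n = 12 * (z * sigma_s / (tol_ppm * 1e-6 * interval_s)) ** 2
    return max(3, math.ceil(n))


def group_by_skew(estimates, tol_ppm):
    """Single-linkage grouping of (flow_id, skew_ppm) on sorted skews:
    a flow joins the current group if it is within tol_ppm of the previous
    flow's skew. Returns a list of lists of flow ids, lowest skew first."""
    groups, last = [], None
    for fid, skew in sorted(estimates, key=lambda e: e[1]):
        if groups and skew - last <= tol_ppm:
            groups[-1].append(fid)
        else:
            groups.append([fid])
        last = skew
    return groups


def synth_capture(skew_ppm, n, spacing_s, max_delay_s, hz=HZ, seed=0):
    """Constructed capture: a host whose clock runs at (1 + skew_ppm*1e-6)
    times real time, one packet every spacing_s, seen through one-sided
    random network delay in [0, max_delay_s]. Test data only."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        t_true = i * spacing_s
        t_meas = t_true + rng.uniform(0.0, max_delay_s)
        tsval = int(t_true * (1 + skew_ppm * 1e-6) * hz)  # integer ticks
        out.append((t_meas, tsval))
    return out


def fingerprint_flows(captures, tol_ppm=1.0):
    """captures: dict flow_id -> samples. Returns ({flow_id: (skew, se)}, groups)."""
    est = {}
    for fid, samples in captures.items():
        xs, ys = clock_offsets(samples)
        est[fid] = regress_skew(xs, ys)
    groups = group_by_skew([(f, s) for f, (s, _) in est.items()], tol_ppm)
    return est, groups


if __name__ == "__main__":
    # Three flows, one hour each at a packet every 6 s with up to 5 ms of
    # delay jitter; "A" and "C" are the same physical box on two connections.
    captures = {
        "A": synth_capture(50.0, 600, 6.0, 0.005, seed=1),
        "B": synth_capture(53.0, 600, 6.0, 0.005, seed=2),
        "C": synth_capture(50.0, 600, 6.0, 0.005, seed=3),
    }
    est, groups = fingerprint_flows(captures)
    for fid, (skew, se) in est.items():
        print(f"flow {fid}: skew {skew:.2f} ppm (+/- {1.96 * se:.2f} at 95%)")
    print("same-machine groups:", groups)
    print("samples for 1 ppm over 1 h with 1.5 ms error:",
          required_samples(1.5e-3, 3600, 1.0))
```

Two things to note when applying this to real captures. First, the measurer's own clock skew is folded into every estimate, so fingerprints are only comparable when taken from the same measurer, or after correcting for it. Second, the one-sided delay model is why the UCSD work used a hull fit: delay can only add to the offset, so the true line lies at the lower edge of the points; least squares still recovers the slope because delay jitter has no trend with time, and it is what gives the standard error that sets the sample count.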
The APL approach to Passive Forensic Identification of Network TCP/IP Communication Endpoints provides a repeatable way to fingerprint a specific machine using the simple technique of linear regression, with statistical error analysis telling the investigator how much data must be collected.
This technology is currently available for licensing.