Next: Bibliography
Up: Finding a Connection Chain
Previous: Performance in Computing Deviations
Conclusions
In this paper, we have presented a network-based tracing method that requires only the IP and TCP headers of packets, together with their time stamps, to be recorded at many places on the Internet.
Given a packet stream in which an intruder interactively accessed a host through a connection chain with telnet or rlogin for a long time, the system we developed computes, for each packet stream recorded at the various Internet sites, its deviation from the given stream. The deviation is small only if that packet stream belongs to the same connection chain as the given one; otherwise it is large.
Our method relies on the fact that the increase in TCP sequence numbers is the same at every point on a connection chain, because each hop relays the same bytes, provided that the proper sections of the packet streams in the chain are compared.
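The following is an added illustration of the two preceding paragraphs; it is not the code of the paper and the precise deviation formula it uses is an assumption chosen to exhibit the invariant, not the paper's definition. Each stream is a list of (time, sequence number) pairs taken from TCP headers only. For a candidate delay d, the sequence-number increase of the candidate stream is measured from the point that corresponds to the start of the given stream, and the deviation is the mean absolute gap between the two increase curves, minimised over d. Comparing cumulative increase rather than individual packet sizes keeps the comparison valid even when a host in the chain repacketises the data. The packet streams (HOP1, HOP2, OTHER) are constructed, not captured.

```python
"""Deviation between TCP packet streams, to illustrate the invariant that the
sequence-number increase is identical at every hop of an unencrypted chain.

Added example, not the paper's implementation.  The deviation formula is an
assumption; HOP1, HOP2 and OTHER are constructed sample streams.
"""
import bisect


def make_stream(start_seq, times_ms, sizes):
    """Construct a packet stream as (time_ms, seq) pairs from per-packet
    payload sizes.  Sample data, not a real capture."""
    stream, seq = [], start_seq
    for t, n in zip(times_ms, sizes):
        stream.append((t, seq))
        seq += n
    return stream


def seq_at(times, seqs, t):
    """Sequence number of the last packet at or before time t, or None if the
    stream has not started yet at time t."""
    i = bisect.bisect_right(times, t) - 1
    return None if i < 0 else seqs[i]


def deviation(given, candidate, shifts_ms):
    """Mean absolute gap between the sequence-number increase of `given` and
    that of `candidate` delayed by d, minimised over the candidate delays d.

    Both increases are measured from the start of the compared section (the
    first packet of `given`, mapped to time t0 + d in `candidate`), so a
    stream relaying the same bytes with a fixed delay yields a deviation of
    0 regardless of its initial sequence number.  Returns None if no delay
    in `shifts_ms` overlaps the candidate stream.
    """
    gt = [t for t, _ in given]
    gs = [s for _, s in given]
    ct = [t for t, _ in candidate]
    cs = [s for _, s in candidate]
    best = None
    for d in shifts_ms:
        base = seq_at(ct, cs, gt[0] + d)
        if base is None:
            continue  # candidate has no packets yet at the section start
        total = 0
        for t, s in given:
            total += abs((s - gs[0]) - (seq_at(ct, cs, t + d) - base))
        avg = total / len(given)
        if best is None or avg < best:
            best = avg
    return best


def rank_candidates(given, candidates, shifts_ms=range(-500, 501, 10)):
    """Return (name, deviation) for each candidate stream, smallest first."""
    scored = [(name, deviation(given, c, shifts_ms))
              for name, c in candidates.items()]
    return sorted((nd for nd in scored if nd[1] is not None),
                  key=lambda nd: nd[1])


# Constructed streams for the intruder -> host direction of an interactive
# login: mostly single-keystroke packets plus one pasted string.  HOP1 and
# HOP2 are two hops of the same chain; HOP2 sees each byte 50 ms later and
# has an unrelated initial sequence number.
TIMES = [0, 300, 500, 1200, 1400, 2000, 2700, 3100]
SIZES = [1, 1, 4, 1, 1, 2, 1, 1]
HOP1 = make_stream(1000, TIMES, SIZES)
HOP2 = make_stream(555000, [t + 50 for t in TIMES], SIZES)
# OTHER is an interactive session that is not part of the chain.
OTHER = make_stream(42000, [100, 400, 900, 1500, 2200, 2600, 3000],
                    [3, 1, 1, 5, 1, 1, 1])

if __name__ == "__main__":
    for name, dev in rank_candidates(HOP1, {"hop2": HOP2, "other": OTHER}):
        print(f"{name}: deviation {dev:.3f}")
```

Run stand-alone, the script reports a deviation of 0 for the downstream hop and a clearly larger value for the unrelated session. The delay grid must be fine enough to hit the true inter-hop delay, and in practice a minimum over shifts is computed, as here, because that delay is unknown to the tracer.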
We use only the time stamps and headers of the packets, never their contents, so that the method could in the future be applied to encrypted connections such as those used by SSH or SSL telnet.
However, the invariant above does not hold when some part of a connection in the chain is encrypted, because the encrypted data are not the same size as the original data and the sequence-number increase therefore differs between hops, so our method cannot be applied directly in that case.
Things get more complicated when compression is used along with encryption, because then the size of the data after compression and encryption also depends on the contents of the original data, not only on their length.
As encrypted communication becomes more widely used, a future research question is a tracing method that remains effective even when some of the connections in the chain are encrypted and compressed.
Yoda
2000-11-20