A Survey of Forensic Network Attack Source Traceback

Abstract

Abstract: The concealment and anonymity of cyber attackers pose significant challenges to the field of network attack traceback. This study provides a comprehensive overview of the current state of research on network attack traceback analysis techniques, focusing on three aspects: traffic, scenarios, and samples. Firstly, with respect to traffic traceback, the paper outlines methods and applications based on log records, packet marking, ICMP tracing, and link testing. Secondly, it categorizes traceback techniques for different scenarios, encompassinganonymous networks, zombie networks, springboards, local area networks, and advanced persistent threat attacks, as well as their applications and limitations in realworld environments. Finally, concerning sample analysis, the paper discusses the progress and application scenarios of static and dynamic traceback analysis in the context of malicious code analysis and attack tracing.

Key words: cybersecurity, attribution, network deception, malicious sample traceability, anonymous network traceability

摘要： 网络攻击者的隐藏性和匿名性使得网络攻击溯源技术充满挑战.研究综述了基于流量、场景和样本3个方面的网络攻击溯源分析技术的研究现状.首先，针对流量溯源，总结出基于日志记录、流量包标记、ICMP回溯和链路测试等方法和应用；其次，根据不同场景归纳出匿名网络攻击、僵尸网络攻击、跳板攻击、局域网攻击和高级可持续威胁攻击的溯源技术以及在实际环境中的应用和限制；最后，对于样本分析探讨了静态和动态溯源分析在恶意代码分析及攻击溯源方面的研究进展和应用场景.

关键词: 网络安全, 追踪溯源, 网络欺骗, 恶意样本溯源, 匿名网络溯源

CLC Number:

TP393

王子晨, 汤艳君, 潘奕扬, . 面向取证的网络攻击者溯源分析技术研究综述[J]. 信息安全研究, 2024, 10(4): 302-.

References

［1］Gao Zhiqiang, Ansari N. Tracing cyber attacks from the practical perspective［J］. IEEE Communications Magazine, 2005, 43(5): 123131［2］Matsuda S, Baba T, Hayakawa A, et al. Design and implementation of unauthorized access tracing system［C］ Proc of 2002 Symp on Applications and the Internet. Piscataway, NJ: IEEE, 2002: 7481［3］Snoeren A C, Partridge C, Sanchez L A, et al. Singlepacket IP traceback［J］. IEEEACM Trans on Networking, 2002, 10(6): 721734［4］Savage S, Wetherall D, Karlin A, et al. Practical network support for IP traceback［C］ Proc of the Conf on Applications, Technologies, Architectures, and Protocols for Computer Communication. New York: ACM, 2000: 295306［5］Belenky A, Ansari N. IP traceback with deterministic packet marking［J］. IEEE Communications Letters, 2003, 7(4): 162164［6］Sun YY, Zhang C, Meng SQ, et al. Modified deterministic packet marking for DDoS attack traceback in IPv6 network［C］ Proc of the 11th IEEE Int Conf on Computer and Information Technology. Piscataway, NJ: IEEE, 2011: 245248［7］Suresh S, Sankar Ram N. Feasible DDoS attack source traceback scheme by deterministic multiple packet marking mechanism［J］. The Journal of Supercomputing, 2020, 76: 42324246［8］Vijayalakshmi M, Nithya N, Mercy Shalinie S. A novel algorithm on IP traceback to find the real source of spoofed IP packets［C］ Proc of Artificial Intelligence and Evolutionary Algorithms in Engineering Systems (ICAEES 2014). Berlin: Springer, 2015: 7987［9］Bellovin S M, Leech M, Taylor T. ICMP traceback messages［EBOL］. 2003 ［20230718］. https:academic commons.cocumbia.edudoi10.7916D8FF406R［10］Thing V L, Lee H C, Sloman M, et al. Enhanced ICMP traceback with cumulative path［C］ Proc of the 61st IEEE Vehicular Technology Conf. Piscataway, NJ: IEEE, 2005: 24152419［11］Cheng BC, Liao GT, Lin CK, et al. Mibitracecp: An improvement of icmpbased traceback efficiency in network forensic analysis［C］ Proc of the 9th IFIP Int Conf on Network and Parallel Computing. Berlin: Springer, 2012: 101109［12］Lee H C, Thing V L, Xu Y, et al. ICMP traceback with cumulative path, an efficient solution for IP traceback［C］ Proc of the 5th Int Conf on Information and Communications Security. Berlin: Springer, 2003: 124135［13］Yao G, Bi J, Vasilakos A V. Passive IP traceback: Disclosing the locations of IP spoofers from path backscatter［J］. IEEE Trans on Information Forensics and Security, 2014, 10(3): 471484［14］Burch H, Cheswick B. Tracing anonymous packets to their approximate source［C］ Proc of LISA. New York: ACM, 2000: 319327［15］Lai G H, Chen CM, Jeng BC, et al. Antbased IP traceback［J］. Expert Systems with Applications, 2008, 34(4): 30713080［16］姜建国, 王继志, 孔斌, 等. 网络攻击源追踪技术研究综述［J］. 信息安全学报, 2018, 3(1): 111131［17］Song D X, Perrig A. Advanced and authenticated marking schemes for IP traceback［C］ Proc of IEEE Conf on Computer Communications, the 12th Annual Joint Conf of the IEEE Computer and Communications Society (INFOCOM 2001). Piscataway, NJ: IEEE, 2001: 878886［18］杨泽明, 李强, 刘俊荣, 等. 面向攻击溯源的威胁情报共享利用研究［J］. 信息安全研究, 2015, 1(1): 3136［19］Dingledine R, Mathewson N, Syverson P. Tor: The secondgeneration onion router［R］. Washington DC: Naval Research Lab, 2004［20］陈周国, 蒲石, 祝世雄. 匿名网络追踪溯源综述［J］. 计算机研究与发展, 2012, 49(S2): 111117［21］Yu W, Fu X, Graham S, et al. DSSSbased flow marking technique for invisible traceback［C］ Proc of 2007 IEEE Symp on Security and Privacy (SP’07). Piscataway, NJ: IEEE, 2007: 1832［22］Ling Z, Luo J, Wu K, et al. Torward: Discovery, blocking, and traceback of malicious traffic over tor［J］. IEEE Trans on Information Forensics and Security, 2015, 10(12): 25152530［23］卓中流. 匿名网络追踪溯源关键技术研究［D］. 成都: 电子科技大学, 2018［24］何高峰, 杨明, 罗军舟, 等. 洋葱路由追踪技术中时间特征的建模与分析［J］. 计算机学报, 2014, 37(2): 356372［25］Pries R, Yu W, Fu X, et al. A new replay attack against anonymous communication networks［C］ Proc of 2008 IEEE Int Conf on Communications. Piscataway, NJ: IEEE, 2008: 15781582［26］Qin Y, Wu J, Zou F, et al. Breaking Tor’s anonymity by modifying cell’s command［C］ Proc of 2022 IEEE Symp on Computers and Communications (ISCC). Piscataway, NJ: IEEE, 2022: 17［27］Dingledine R. Tor security advisory:“relay early” traffic confirmation attack［EBOL］. ［20230718］. https:lists.torproject.orgpipermailtorannounce2014July000094.html［28］Pei Y, Oida K. Tracing website attackers by analyzing onion Routers’ log files［J］. IEEE Access, 2020, 8: 133190133203［29］方滨兴, 崔翔, 王威. 僵尸网络综述［J］. 计算机研究与发展, 2011, 48(8): 13151331［30］郭晓军, 何磊, 赵江波. 僵尸网络流量检测与控制追踪技术研究［J］. 计算机技术与发展, 2013, 23(9): 135138［31］于晓聪, 董晓梅, 于戈, 等. 僵尸网络在线检测技术研究［J］. 武汉大学学报: 信息科学版, 2010, 35(5): 578581［32］Takemori K, Fujinaga M, Sayama T, et al. Hostbased traceback, tracking bot and C&C server［C］ Proc of the 3rd Int Conf on Ubiquitous Information Management and Communicatio. New York: ACM, 2009: 400405［33］Ramsbrock D, Wang X, Jiang X. A first step towards live botmaster traceback［C］ Proc of the 11th Int Symp on Recent Advances in Intrusion Detection (RAID 2008). Berlin: Springer, 2008: 5977［34］夏秦, 王志文, 刘璐. 基于域名共现行为的僵尸网络行为追踪［J］. 西安交通大学学报, 2012, 46(4): 712［35］Lin W, Lee D. Traceback attacks in cloud—Pebbletrace botnet［C］ Proc of the 32nd Int Conf on Distributed Computing Systems Workshops. Piscataway, NJ: IEEE, 2012: 417426［36］Yi Z, Pan L, Wang X, et al. IP traceback using digital watermark and honeypot［C］ Proc of the 5th Int Conf on Ubiquitous Intelligence and Computing (UIC 2008). Berlin: Springer, 2008: 426438［37］Chen S S, Heberlein L T. Holding intruders accountable on the internet［C］ Proc of 1995 IEEE Symp on Security and Privacy. Piscataway, NJ: IEEE, 1995: 3949［38］Zhang Y, Paxson V. Detecting stepping stones［C］ USENIX Security Symposium. Berkeley: USENIX, 2000: 173184［39］孙奕, 林杨东, 刘臻, 等. 基于网络回声的跳板检测系统的设计与实现［J］. 信息网络安全, 2013 (9): 4148［40］Wang X, Reeves D S, Wu S F, et al. Sleepy watermark tracing: An active networkbased intrusion response framework［C］ Proc of Trusted Information: The New Decade Challenge 16. Berlin: Springer, 2001: 369384［41］殷树刚, 李祉岐, 刘晓蕾, 等. 基于APT组织攻击行为的网络安全主动防御方法研究［J］. 信息安全研究, 2023, 9(5): 423432［42］Cohen M I. Source attribution for network address translated forensic captures［J］. Digital Investigation, 2009, 5(34): 138145［43］Hazeyama H, Oe M, Kadobayashi Y. A layer2 extension to hashbased IP traceback［J］. IEICE Trans on Information and Systems, 2003, 86(11): 23252333［44］Chen Y, Liu Z, Liu B, et al. Identifying mobiles hiding behind wireless routers［C］ Proc of 2011 IEEE INFOCOM. Piscataway, NJ: IEEE, 2011: 26512659［45］Wang J, Chen Y, Fu X, et al. 3DLoc: Three dimensional wireless localization toolkit［C］ Proc of the 30th IEEE Int Conf on Distributed Computing Systems. Piscataway, NJ: IEEE, 2010: 3039［46］张宇翔, 韩久江, 刘建, 等. ATT&CK框架下基于事件序列关联的网络高级威胁检测系统［J］. 计算机科学, 2023, 50(S1): 710716［47］Lemay A, Calvet J, Menet F, et al. Survey of publicly available reports on advanced persistent threat actors［J］. Computers & Security, 2018, 72: 2659［48］陈周国, 蒲石, 郝尧, 等. 网络攻击追踪溯源层次分析［J］. 计算机系统应用, 2014, 23(1): 17［49］Cohen D, Narayanaswamy K. Attack attribution in noncooperative networks［C］ Proc of the 5th Annual IEEE SMC Information Assurance Workshop. Piscataway, NJ: IEEE, 2004: 436437［50］刘潮歌, 方滨兴, 刘宝旭, 等. 定向网络攻击追踪溯源层次化模型研究［J］. 信息安全学报, 2019, 4(4): 118［51］Caltagirone S, Pendergast A, Betz C. The diamond model of intrusion analysis［EBOL］. (20130704) ［20230718］. https:apps.dtic.micsticitationsADA586960［52］Pahi T, Skopik F. Cyber attribution 2.0: Capture the false flag［C］ Proc of the 18th European Conf on Cyber Warfare and Security (ECCWS 2019). Coimbra: ACI, 2019: 338345［53］Rid T, Buchanan B. Attributing cyber attacks［J］. Journal of Strategic Studies, 2015, 38(12): 437［54］刘雪花, 丁丽萍, 郑涛, 等. 面向网络取证的网络攻击追踪溯源技术分析［J］. 软件学报, 2021, 32(1): 194217［55］宋文纳, 彭国军, 傅建明, 等. 恶意代码演化与溯源技术研究［J］. 软件学报, 2019, 30(8): 22292267［56］Nikolopoulos S D, Polenakis I. A graphbased model for malware detection and classification using systemcall groups［J］. Journal of Computer Virology and Hacking Techniques, 2017, 13(1): 2946［57］Alazab M. Profiling and classifying the behavior of malicious codes［J］. Journal of Systems and Software, 2015, 100(10): 91102［58］Nataraj L, Karthikeyan S, Jacob G, et al. Malware images: Visualization and automatic classification［C］ Proc of the 8th Int Symp on Visualization for Cyber Security. New York: ACM, 2011: 17［59］Sree Lakshmi T, Govindarajan M, Sreenivasulu A. Malware visual resemblance analysis with minimum losses using Siamese neural networks［J］. Theoretical Computer Science, 2023, 943: 219229［60］乔延臣, 云晓春, 庹宇鹏, 等. 基于simhash与倒排索引的复用代码快速溯源方法［J］. 通信学报, 2016, 37(11): 104113［61］Liu J, Shen Y, Yan H. Functionsbased CFG embedding for malware homology analysis［C］ Proc of the 26th Int Conf on Telecommunications (ICT). Piscataway, NJ: IEEE, 2019: 220226［62］梅瑞, 严寒冰, 沈元, 等. 二进制代码切片技术在恶意代码检测中的应用研究［J］. 信息安全学报, 2021, 6(3): 125140［63］Alrabaee S, Wang L, Debbabi M. BinGold: Towards robust binary analysis by extracting the semantics of binary code as semantic flow graphs (SFGs)［J］. Digital Investigation, 2016, 18(S1): S11S22［64］Hu X, Chiueh TC, Shin K G. Largescale malware indexing using functioncall graphs［C］ Proc of the 16th ACM Conf on Computer and Communications Security. New York: ACM, 2009: 611620［65］Hassen M, Chan P K. Scalable function call graphbased malware classification［C］ Proc of the 7th ACM on Conf on Data and Application Security and Privacy. New York: ACM, 2017: 239248［66］赵炳麟, 孟曦, 韩金, 等. 基于图结构的恶意代码同源性分析［J］. 通信学报, 2017, 38(S2): 8693［67］CaliskanIslam A, Harang R, Liu A, et al. Deanonymizing programmers via code stylometry［C］ Proc of the 24th USENIX Security Symp. Berkeley: USENIX, 2015: 255270［68］罗文华. 基于逆向技术的恶意程序分析方法［J］. 计算机应用, 2011, 31(11): 29752978［69］杨轶, 苏璞睿, 应凌云, 等. 基于行为依赖特征的恶意代码相似性比较方法［J］. 软件学报, 2011, 22(10): 24382453［70］Wu S, Wang P, Li X, et al. Effective detection of android malware based on the usage of data flow APIs and machine learning［J］. Information and Software Technology, 2016, 75: 1725［71］Cho I K, Kim T, Shim Y J, et al. Malware similarity analysis using API sequence alignments［J］. Journal of Internet Services and Information Security, 2014, 4(4): 103114［72］谭杨, 刘嘉勇, 张磊. 基于混合特征的深度自编码器的恶意软件家族分类［J］. 信息网络安全, 2020, 20(12): 7282［73］Zhang M, Duan Y, Yin H, et al. Semanticsaware android malware classification using weighted contextual API dependency graphs［C］ Proc of the 2014 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2014: 11051116［74］白波, 冯云, 刘宝旭, 等. 基于网络行为的攻击同源分析方法研究［J］. 信息安全学报, 2023, 8(2): 6680［75］Vmel S, Freiling F C. A survey of main memory acquisition and analysis techniques for the windows operating system［J］. Digital Investigation, 2011, 8(1): 322［76］Sihwail R, Omar K, Ariffin K Z. A survey on malware analysis techniques: Static, dynamic, hybrid and memory analysis［J］. International Journal on Advanced Science Engineering Information Technology, 2018, 8(42): 16621671［77］王津, 叶晓虎, 肖岩军, 等. 基于上下文感知计算的网络攻击组织追踪方法［J］. 广州大学学报: 自然科学版, 2021, 20(3): 2029［78］Li Q, Yang Z, Jiang Z, et al. Association analysis of cyberattack attribution based on threat intelligence［C］ Proc of the 2nd Joint Int Information Technology, Mechanical and Electronic Engineering Conf. Chongqing: Atlantis Press, 2017: 222230

[1]	. Research on the Evaluation of Emergency Response to Cybersecurity Events in the Securities Industry [J]. Journal of Information Security Reserach, 2024, 10(4): 368-.
[2]	. Research on Vulnerability Text Feature Classification Technology Based on BERT [J]. Journal of Information Security Reserach, 2023, 9(7): 687-.
[3]	. Research on the Disclosure and Sharing Policy of Cybersecurity Vulnerabilities in China and the United States [J]. Journal of Information Security Reserach, 2023, 9(6): 602-.
[4]	. Research on Intranet Security Integrated Protection Architecture in Energy Enterprises Under Complex Network Threat Environment [J]. Journal of Information Security Reserach, 2023, 9(4): 390-.
[5]	. An Overview of Application and Technology of Artificial Intelligence in Cybersecurity [J]. Journal of Information Security Reserach, 2022, 8(2): 110-.
[6]	. Relationship Analysis of Cloud Platform Data Protection and Content Review Obligation [J]. Journal of Information Security Reserach, 2022, 8(11): 1079-.
[7]	. The Knowing, Practices and Thoughts on “Cybersecurity Maps” from CubeSec [J]. Journal of Information Security Reserach, 2021, 7(E1): 140-.
[8]	. Whole Process Solution of Classified Protection 2.0 [J]. Journal of Information Security Reserach, 2021, 7(E1): 182-.
[9]	. The Analysis of National Security Risk in Open Source Software Supply Chain [J]. Journal of Information Security Reserach, 2021, 7(9): 790-794.
[10]	. Research on Cybersecurity in Cross-border Data Flow Scenario [J]. Journal of Information Security Reserach, 2021, 7(7): 682-686.
[11]	. Research on policies and standards of cybersecurity workforce [J]. Journal of Information Security Reserach, 2021, 7(6): 520-526.
[12]	. Research on Cybersecurity of 5G Networks EU Toolbox of Risk Mitigating Measures [J]. Journal of Information Security Reserach, 2021, 7(5): 412-417.
[13]	. A Study of Big Data Platform Architecture to Address Cybersecurity Protection and Defense [J]. Journal of Information Security Research, 2021, 7(1): 75-80.
[14]	. Research on the mMTC Security of 5G New Infrastructure [J]. Journal of Information Security Research, 2020, 6(8): 710-715.
[15]	. Research on railway network security evaluation system [J]. Journal of Information Security Research, 2020, 6(8): 738-743.