3.2.5 Payload attribution
Traceback techniques, such as message logging and message marking, mostly focus on identifying attack actors that carry out DoS and DDoS attacks. Payload attribution systems (PAS) focus on the trail of malware, such as a worm or virus, within a network. Payload attribution takes the stance that victims or investigators do not have access to packet headers, as in traceback techniques. However, an investigator may have access to a packet payload excerpt, such as a malware binary.
A PAS comprises two components: (i) payload processing and (ii) query processing (Shanmugasundaram et al., 2004). Payload processing is an ongoing process: a PAS stores all packet payloads, or a selected subset of payloads, observed in a network. Storing full packet payloads in a large network may not be feasible due to storage and processing requirements. Approaches use techniques such as hashing and Bloom filters to achieve storage compression, e.g. 100:1, so that the approach becomes feasible. In query processing, a victim queries the PAS with a payload, such as a malware binary, to reveal attribution artifacts, such as source and destination IP addresses, MAC addresses, port numbers and the date/time of occurrence. This reveals where the attack came from and which other systems within the network are infected, and is therefore helpful for insider attack attribution or for identifying espionage, such as corporate data being exfiltrated. Both components must be executed efficiently, i.e. at line speed, so that network performance is not affected.
Approaches
The first approach for a PAS proposes Bloom filters for storing hashed digests of packet payloads (Shanmugasundaram et al., 2004). If a hashed packet is 20 bytes, a standard Bloom filter reduces the space requirement to 21 bits, with a small accepted false positive rate. However, this approach does not allow excerpts of packets to be queried, only whole packet payloads. To overcome this, Block-Based Bloom Filters (BBF) are proposed, which hash blocks of the payload. Hierarchical Bloom Filter (HBF) data structures are also proposed, which group BBFs together in a hierarchy. The approach compresses payloads so that it can be used in a medium-to-large sized network at line speed. Payload excerpts are submitted to retrieve attribution artifacts. However, this PAS approach can be evaded, for example by distributing an attack over many packets using excerpts that are smaller than the BBF block size.
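The two PAS components described above (payload processing and query processing) and the block-based Bloom filter idea, as an added illustration that is not code from the original text or from Shanmugasundaram et al.: each full payload block is inserted into a Bloom filter tagged with its block index, and again tagged with a flow identifier, so that an excerpt can later be matched and attributed to the flow records; the block size, filter parameters, flow metadata and sample traffic are all constructed for illustration, and the double-hashing Bloom filter and the simple flow tagging are simplifications of the published BBF/HBF design. A query with an excerpt shorter than one block returns nothing, which is the evasion the paragraph above mentions.

```python
import hashlib
BLOCK, M_BITS, K_HASH = 8, 1 << 16, 3   # block size in bytes (constructed; deployments use larger), filter bits, hashes

def _positions(item: bytes) -> list[int]:
    d = hashlib.sha256(item).digest()   # K_HASH bit positions via double hashing
    h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
    return [(h1 + i * h2) % M_BITS for i in range(K_HASH)]

class Bloom:
    def __init__(self) -> None:
        self.bits = bytearray(M_BITS // 8)
    def add(self, item: bytes) -> None:
        for p in _positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in _positions(item))

def _key(block: bytes, idx: int, fid: int = -1) -> bytes:
    # stored item: block content tagged with its block index and, optionally, a flow id
    return b"%s|%d|%d" % (block, idx, fid)

class BlockBasedPAS:
    def __init__(self) -> None:
        self.bf, self.flows, self.max_idx = Bloom(), {}, 0   # flows: id -> attribution artifacts

    def process(self, payload: bytes, flow: dict) -> None:
        # payload processing: each full block is inserted as (block, index) and (block, index, flow)
        fid = len(self.flows)
        self.flows[fid] = flow
        for idx, off in enumerate(range(0, len(payload) - BLOCK + 1, BLOCK)):
            blk = payload[off:off + BLOCK]
            self.bf.add(_key(blk, idx))
            self.bf.add(_key(blk, idx, fid))
            self.max_idx = max(self.max_idx, idx)

    def query(self, excerpt: bytes) -> list[dict]:
        # query processing: the excerpt's alignment and position are unknown, so every alignment and start index is tried
        found = set()
        for align in range(BLOCK):
            blocks = [excerpt[o:o + BLOCK] for o in range(align, len(excerpt) - BLOCK + 1, BLOCK)]
            for start in range(self.max_idx + 1 if blocks else 0):   # no full block -> no match
                if all(_key(b, start + i) in self.bf for i, b in enumerate(blocks)):
                    found.update(f for f in self.flows if all(_key(b, start + i, f) in self.bf for i, b in enumerate(blocks)))
        return [self.flows[f] for f in sorted(found)]

# constructed sample traffic: one 'malware' payload observed on two flows, plus an unrelated flow
MALWARE = b"MZ\x90\x00" + b"payload-of-the-worm-binary-" * 3
pas = BlockBasedPAS()
pas.process(MALWARE, {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 445})
pas.process(b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n", {"src": "10.0.0.7", "dst": "10.0.0.1", "dport": 80})
pas.process(b"junk-prefix-" + MALWARE, {"src": "10.0.0.9", "dst": "10.0.0.12", "dport": 445})
```

Querying `pas.query(MALWARE[10:40])` returns the two flows that carried the binary, while `pas.query(MALWARE[:5])` returns nothing because a five-byte excerpt contains no full block.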
Another approach proposes Rolling Bloom Filters (RBF) (Cho et al., 2006). This uses a rolling fixed-size window to reduce storage requirements; 1 GB of raw traffic data is compressed to roughly 70 MB. This extends the timeframe for which data can be stored, so that investigations can begin after the fact. However, as with Shanmugasundaram et al. (2004), false negatives are possible if a binary is split over multiple packets.
An approach that improves upon HBF and RBF is Winnowing Multi-Hashing (WMH) (Ponec et al., 2010). WMH combines multiple payload attribution methods on the assumption that multiple methods give lower false positive rates and data-aging capabilities. Three methods are used: winnowing, shingling and Rabin fingerprinting. A limitation is that using multiple methods increases disk space and processing overheads. To resolve this, WMH suggests dividing the methods as necessary to suit the environment, for example when data-aging capabilities are not critical. Other approaches have added wildcard querying functionality and improved response time when searching (Haghighat et al., 2013; Wei et al., 2014).
The various approaches are based on separating packet payloads into blocks, hashing them and then inserting them into space-efficient data structures, e.g. Bloom filters, to reduce storage requirements while increasing search efficiency and reducing false positives. This also helps to alleviate the privacy concerns that arise when storing packet payloads. However, a limitation of PAS is encryption: if network attack traffic is encrypted, then a payload excerpt that is not encrypted will not match the stored data, and the result is a false positive. All PAS have false positive rates.
A PAS is also unable to attribute further back than a single administrative domain. A PAS could be used in cooperation with traceback techniques to create a combined technique: for example, the PAS could reproduce the sequence of events that occurred during an attack within an administrative domain, and traceback techniques could then be used to trace the attack outside the domain and to the closest possible root cause, such as the ISP. This is considered further in Section 3.2.15, Combined Techniques (page 73).
Criteria
Attribution artifacts that are collected: Payload attribution systems reveal network flow data from a single administrative domain, e.g. source and destination IP addresses, MAC addresses, source and destination ports, and the time and location at which a payload was observed. This technique can identify multiple instances of a payload sent and received by different origins.
Technique reliability: As in message logging, a hash of the message is used to determine whether a networked device has seen the excerpt. However, in message logging the source and destination IP addresses are part of the hash, while in PAS approaches only the payload itself is hashed. This allows attacks from disparate sources to be identified and seemingly unrelated attacks to be connected. It can reliably attribute a payload within a single administrative domain, but cannot attribute beyond a domain and does not take into account address spoofing.
Technique limitations: Current approaches only work within a single administrative domain. This is useful for localised attribution, such as a malicious insider leaking corporate data, and also for remediation, i.e. identifying systems that have been infected. It is not useful for attributing sources beyond an administrative domain. However, these approaches could be improved using a distributed approach, with multiple PASs deployed worldwide. Of course, this would have the same limitations as message logging and message marking, namely requiring widespread deployment. Other limitations are that encrypted messages produce false positives in PAS and that there are a number of ways to evade the technique, e.g. when binaries are split over messages. This technique is also not suited to attacks where packets are very similar, e.g. DoS attacks.
hashing packet content, similar to SPIE (Snoeren, 2001). If an adversary compromises a PAS, they are not able to view clear text packet contents.
Deployment requirements: Despite approaches achieving compression rates of 100:1, a PAS deployment imposes significant storage and processing requirements in order to match line speeds. It must also be deployed in a location where it can observe all packets, such as on an in-line network tap. A trade-off must also be made between the duration for which payloads are stored and the investment in storage. While researchers have demonstrated that the technique is effective in a large network with thousands of hosts (Shanmugasundaram et al., 2004), for the technique to be effective over the Internet, PAS would need to be deployed over a wide infrastructure. This is a similar prerequisite to message marking and logging proposals, which require wide-scale changes to be effective.
Relevance outside of the laboratory: Currently, a PAS can be used within an administrative domain to attribute locally. This is useful for insider attacks, identifying exfiltration of data and the spread of malware through the network. It therefore provides other benefits alongside attribution, such as identifying other compromised systems. Prerequisites limit the applicability of this technique to the attributor's own network. However, it could be combined with other techniques and used in a distributed model to offer attribution beyond an administrative domain.