Method to Find Stepping Stones By Comparing Network Latency Times from Different Protocol Stack Layers
Technical Challenge:This method addresses the problem of detecting when a stepping-stone is being used in an attack on one's system. If a stepping-stone is detected, this method may be used to help to identify if the attacking computer is near or far from the stepping-stone computer.
Description:Frequently, when a hacker attacks a computer, the hacker uses one or more intermediary computers to hide the location of the attacking computer. These intermediary computers are called "stepping-stones". It also indicates if the attacking computer is near or far from the stepping stone computer. This method uses data passively collected from the network and cannot be detected by a hacker watching for possible countermeasures to his attack. After collecting the data, this method filters out specified network data, compares the latency time from different network layer data. If the latency is above a specified threshold, an alert is sent to the network or computer security analyst. The analyst may adjust the collection parameters, data filtering parameters, and the alert latency threshold.
Demonstration Capability:Only part of this procedure has been implemented in a software program, which can be easily demonstrated.
Potential Commercial Application(s):This method may be incorporated in a tool to search for the location of a hacking attack. If the tool indicates that there is a stepping-stone and the attacking computer is near or far from the stepping-stone, a computer analyst can use this information to help them locate the hacker.
Patent Status:A patent application has been filed with USPTO.
Reference Number: 1377
If you are interested in exploring this technology further, please express your interest in writing to the:
National Security Agency
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15 2009