Title: Fingerprinting violating machines with in-memory protocol artefacts

Authors: Mohammed I. Al-Saleh; Yaser Jararweh

Addresses: Jordan University of Science and Technology, Department of Computer Science, P.O. Box 3030, Irbid, 22110, Jordan (both authors)

Abstract: Cyber crime has increased as a side effect of the dramatic growth in internet deployment. Identifying the machines responsible for a crime is a vital step in an attack investigation, and tracing the attacker's IP address back to its origin is indispensable. However, beyond locating the attacker's (possible) machine, it is necessary to provide supporting evidence that binds the attack to that machine, rather than relying solely on the attacker's IP address, which can be dynamic. This paper proposes to implant such supporting evidence by utilising the internals of three well-known internet protocols: IP, TCP, and ICMP. Our results show that the structures of these protocols can hold potential evidence. In addition, because a violator is unaware of (and has no control over) the protocols involved, the investigation process gains stealth. To the best of our knowledge, we are the first to utilise protocol remnants in fingerprinting violating machines.

Keywords: fingerprinting; violating machine; protocol artefacts.

DOI: 10.1504/IJAIP.2020.106035

International Journal of Advanced Intelligence Paradigms, 2020 Vol.15 No.4, pp.388 - 404

Received: 13 Jan 2017
Accepted: 29 Jun 2017

Published online: 26 Mar 2020
