A key element for effectively countering cyber-threats is the
ability to trace a cyber-attack back from the target to the origin host,
identifying any intermediate stepping-stones that may have been used.
Current technologies are highly inadequate for this task, since they
require significant modifications to existing IP protocols and devices,
or are not effective when the attacker actively evades traceback by
obfuscating traffic flows. In this joint effort by UT, Cornell,
and Telcordia, we propose the RapidTrace approach for rapid and
proactive detection of stepping-stones used for cyberattacks. Our
approach comprises multiple techniques and algorithms that, when used
collectively, increase the stepping-stone detection capability by
reducing the evasion options available to the attacker. UT will
focus on developing novel evasion-resistant techniques that seamlessly
integrate stepping-stone detection and anomaly detection. The
impact of these algorithms is that an attacker who is oblivious to the
presence of the traceback solution will get caught by the
timing-based stepping-stone detection technique. An attacker who
attempts to evade it by obfuscating traffic flows (e.g. introducing
chaff and delay) will end up having their inter-stepping-stone traffic
appear anomalous relative to thumbprints and interactive session
causality relationships, and hence get caught as well.
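As an added illustration, not code from the RapidTrace project, the following script constructs keystroke-timed flows and applies a simple timing-correlation test of the kind that timing-based stepping-stone detection relies on: inbound packets at a host are paired with outbound packets sent shortly after. The relay delay, chaff volume, matching window and decision threshold are all assumed values; the script also shows that delay beyond the window defeats this single detector, which is the evasion the text says must then be caught by the thumbprint and causality checks.

```python
import random

def interactive_times(rng, n, mean_gap=0.8):
    """Constructed keystroke-like packet timestamps with exponential gaps."""
    t, times = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1.0 / mean_gap)
        times.append(t)
    return times

def relay(times, rng, base_delay=0.02, jitter=0.0, chaff=0):
    """Outbound timestamps a stepping-stone would emit for `times`: each packet
    is forwarded after base_delay plus up to `jitter` seconds of attacker-added
    delay, and `chaff` bogus packets are mixed in (all values assumed)."""
    out = [t + base_delay + rng.uniform(0.0, jitter) for t in times]
    out += [rng.uniform(0.0, out[-1]) for _ in range(chaff)]
    return sorted(out)

def match_ratio(inbound, outbound, max_delay):
    """Fraction of inbound packets that can be paired, in time order, with a
    distinct outbound packet sent at most max_delay seconds later."""
    j, matched = 0, 0
    for t in sorted(inbound):
        while j < len(outbound) and outbound[j] < t:
            j += 1                       # outbound packets already in the past
        if j < len(outbound) and outbound[j] - t <= max_delay:
            matched += 1
            j += 1                       # consume the paired outbound packet
    return matched / len(inbound) if inbound else 0.0

def is_stepping_stone(inbound, outbound, max_delay=0.5, threshold=0.8):
    """Flag the host as a relay when most inbound packets have a timely echo."""
    return match_ratio(inbound, outbound, max_delay) >= threshold

def run_demo(seed=7, n=200):
    """Match ratios for a relayed flow under several attacker behaviours."""
    rng = random.Random(seed)
    incoming = interactive_times(rng, n)
    flows = {
        "relayed":   relay(incoming, rng),
        "chaffed":   relay(incoming, rng, chaff=100),      # chaff alone: still paired
        "jittered":  relay(incoming, rng, jitter=0.4),     # delay inside the window
        "slowed":    relay(incoming, rng, jitter=3.0),     # delay beyond the window
        "unrelated": interactive_times(rng, n),            # independent session
    }
    return {name: match_ratio(incoming, out, 0.5) for name, out in flows.items()}

if __name__ == "__main__":
    for name, ratio in run_demo().items():
        print(f"{name:10s} ratio={ratio:.2f} flagged={ratio >= 0.8}")
```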