The 9th IEEE International Workshop on Trusted Collaboration

Research Article

Identifying Network Packets Across Translational Boundaries

  • @INPROCEEDINGS{10.4108/icst.collaboratecom.2014.257685,
        author={Napoleon Paxton and Joseph Mathews},
        title={Identifying Network Packets Across Translational Boundaries},
        proceedings={The 9th IEEE International Workshop on Trusted Collaboration},
        publisher={IEEE},
        proceedings_a={TRUSTCOL},
        year={2014},
        month={11},
        keywords={identity; translational boundary packet marking},
        doi={10.4108/icst.collaboratecom.2014.257685}
    }
    
  • Napoleon Paxton
    Joseph Mathews
    Year: 2014
    Identifying Network Packets Across Translational Boundaries
    TRUSTCOL
    ICST
    DOI: 10.4108/icst.collaboratecom.2014.257685
Napoleon Paxton*, Joseph Mathews1
  • 1: U.S. Naval Research Laboratory
*Contact email: nc.paxton@gmail.com

Abstract

A translational boundary is any computer network system that performs network address translation in order to act as an intermediary between client requests and server responses. Because boundaries essentially hide networks from the world by acting on their behalf, a sensor monitoring traffic for malicious activity outside a boundary would identify the boundary itself as the target of an attack rather than the actual affected host behind the boundary. This challenge is exacerbated in tiered network architectures and drives the need for a capability to track network communications across boundaries. While several attempts have been made to address this problem space, existing approaches are often difficult to implement or fundamentally problematic. We propose a novel method for tracking communications across boundaries based on the fact that the message being transmitted must remain constant and intact for a server to interpret it successfully. The proposed method applies cryptographic hashing techniques to the application layer payload of network packets from two different perspectives on the network, enabling correlation before and after the packet headers are modified by the boundary. The technique can be implemented atop open source technology on commodity hardware, and provides a stable foundation for building tiered enterprise network architectures with an inherent capability for pinpointing malicious activity.
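
The correlation idea in the abstract, sketched as an added example (this is not the authors' implementation): packets seen outside and inside a boundary are paired by a hash of their application payload. SHA-256, the time window, the `Obs` record layout and all addresses and payloads are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict, namedtuple

# One packet as seen by a sensor: time (s), addresses, ports, application payload.
Obs = namedtuple("Obs", "ts src sport dst dport payload")

def digest(payload):
    # SHA-256 is an assumption; the abstract only says "cryptographic hashing".
    return hashlib.sha256(payload).hexdigest()

def correlate(outside, inside, window=0.5):
    """Pair each outside packet with the inside packet carrying the same payload."""
    by_hash = defaultdict(list)
    for obs in inside:
        if obs.payload:              # bare ACKs/SYNs all hash alike, so skip them
            by_hash[digest(obs.payload)].append(obs)
    pairs = []
    for out in sorted(outside, key=lambda o: o.ts):
        if not out.payload:
            continue
        bucket = by_hash[digest(out.payload)]
        candidates = [c for c in bucket if 0 <= c.ts - out.ts <= window]
        if candidates:
            # Identical payloads from different clients collide: take the
            # earliest unused inside packet and consume it (one-to-one match).
            best = min(candidates, key=lambda c: c.ts)
            bucket.remove(best)
            pairs.append((out, best))
    return pairs

def real_targets(pairs):
    # Map each external source to the host actually reached behind the boundary.
    return [(o.src, i.dst) for o, i in pairs]

# Constructed sample: 203.0.113.10 is the boundary's outside address,
# 10.0.0.1 its inside address, 10.0.0.20 and 10.0.0.21 the hidden servers.
REQ_A = b"GET /login HTTP/1.1\r\nHost: a.example\r\n\r\n"
REQ_B = b"POST /upload HTTP/1.1\r\nHost: b.example\r\n\r\nAAAA"
OUTSIDE = [
    Obs(1.000, "198.51.100.7", 40001, "203.0.113.10", 80, REQ_A),
    Obs(1.010, "198.51.100.7", 40001, "203.0.113.10", 80, b""),   # bare ACK
    Obs(1.020, "198.51.100.9", 51000, "203.0.113.10", 80, REQ_B),
    Obs(1.030, "198.51.100.8", 40002, "203.0.113.10", 80, REQ_A), # repeat payload
]
INSIDE = [
    Obs(1.002, "10.0.0.1", 61001, "10.0.0.20", 8080, REQ_A),
    Obs(1.023, "10.0.0.1", 61002, "10.0.0.21", 8080, REQ_B),
    Obs(1.033, "10.0.0.1", 61003, "10.0.0.20", 8080, REQ_A),
]
```

Calling `real_targets(correlate(OUTSIDE, INSIDE))` yields the external source paired with the internal host for each payload-bearing packet. The matching only holds while the boundary leaves the payload byte-for-byte unchanged, which is the premise the abstract states.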