Research Article
Identifying Network Packets Across Translational Boundaries
@INPROCEEDINGS{10.4108/icst.collaboratecom.2014.257685,
  author        = {Napoleon Paxton and Joseph Mathews},
  title         = {Identifying Network Packets Across Translational Boundaries},
  proceedings   = {The 9th IEEE International Workshop on Trusted Collaboration},
  publisher     = {IEEE},
  proceedings_a = {TRUSTCOL},
  year          = {2014},
  month         = {11},
  keywords      = {identity; translational boundary packet marking},
  doi           = {10.4108/icst.collaboratecom.2014.257685}
}
- Napoleon Paxton
- Joseph Mathews
Year: 2014
TRUSTCOL
ICST
DOI: 10.4108/icst.collaboratecom.2014.257685
Abstract
A translational boundary is any computer network system which performs network address translation in order to act as an intermediary between client requests and server responses. Since boundaries essentially hide networks from the world by acting on their behalf, a sensor monitoring traffic for malicious activity outside of a boundary would attribute an attack to the boundary itself rather than to the actual host affected behind the boundary. This challenge is exacerbated inside tiered network architectures and drives the need for a capability to track network communications across boundaries. While several attempts have been made at addressing this problem space, existing approaches are often difficult to implement or fundamentally problematic. We propose a novel method for tracking communications across boundaries based on the fact that the message being transmitted must remain constant and intact in order for it to be successfully interpreted by a server. The proposed method applies cryptographic hashing to the application-layer payload of network packets observed from two different vantage points on the network, enabling correlation of the packets before and after their headers are modified by the boundary. The technique can be implemented atop open source technology on commodity hardware, and provides a stable foundation for building tiered enterprise network architectures with an inherent capability for pinpointing malicious activity.
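The correlation the abstract describes, as an added illustration (this is not the paper's code or its evaluation data): one sensor captures packets outside the boundary, where the destination is always the boundary's public address, and a second sensor captures inside, where the destination is the real host. Both sensors hash only the application-layer payload, which the boundary leaves intact, and ignore the rewritten headers. The `Observation` record, the SHA-256 choice, the 2-second matching window and the RFC 5737 sample addresses are all assumptions made for this example, and the captures are constructed by hand.

```python
"""
Payload-hash correlation across a NAT boundary (added illustration, not the
paper's implementation). Assumptions: each sensor yields simple records with a
capture timestamp, L3 addresses and the application-layer payload; the two
sensors' clocks are roughly synchronised; a forwarded packet appears on the
inside sensor within WINDOW_SECONDS of the outside observation.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 2.0  # assumed upper bound on boundary forwarding delay


@dataclass(frozen=True)
class Observation:
    sensor: str     # "outside" or "inside" (hypothetical sensor names)
    ts: float       # capture time in seconds
    src: str        # source address as seen by this sensor
    dst: str        # destination address as seen by this sensor
    payload: bytes  # application-layer bytes; the boundary does not alter these


def payload_digest(payload: bytes) -> str:
    """SHA-256 over the application-layer payload only; headers are excluded
    on purpose because the boundary rewrites them."""
    return hashlib.sha256(payload).hexdigest()


def correlate(outside, inside, window=WINDOW_SECONDS):
    """Return {outside_obs: [inside_obs, ...]} for inside observations with the
    same payload digest that arrived no earlier than, and within `window`
    seconds after, the outside observation."""
    by_digest = defaultdict(list)
    for obs in inside:
        by_digest[payload_digest(obs.payload)].append(obs)
    matches = {}
    for obs in outside:
        candidates = [i for i in by_digest.get(payload_digest(obs.payload), [])
                      if 0.0 <= i.ts - obs.ts <= window]
        matches[obs] = candidates
    return matches


def attribute(outside, inside, window=WINDOW_SECONDS):
    """Map each outside observation to the real internal destination host.
    Yields the host address, None when nothing inside matched (e.g. the
    boundary dropped the packet), or "ambiguous" when identical payloads
    reached several internal hosts inside the window."""
    result = {}
    for obs, candidates in correlate(outside, inside, window).items():
        hosts = {c.dst for c in candidates}
        if not hosts:
            result[obs] = None
        elif len(hosts) == 1:
            result[obs] = hosts.pop()
        else:
            result[obs] = "ambiguous"
    return result


# Constructed sample captures. 203.0.113.10 is the boundary's public address;
# 10.0.0.0/8 hosts sit behind it. Note that both src and dst change across
# the boundary, so only the payload can tie the two views together.
REQ_A = b"GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n"
REQ_B = b"GET /static/logo.png HTTP/1.1\r\nHost: app.example\r\n\r\n"
REQ_C = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"

OUTSIDE = [
    Observation("outside", 100.00, "198.51.100.7", "203.0.113.10", REQ_A),
    Observation("outside", 100.50, "198.51.100.9", "203.0.113.10", REQ_B),
    Observation("outside", 101.00, "198.51.100.7", "203.0.113.10", REQ_C),
    Observation("outside", 130.00, "198.51.100.7", "203.0.113.10", REQ_B),  # never forwarded
]
INSIDE = [
    Observation("inside", 100.01, "10.0.0.1", "10.0.0.5", REQ_A),
    Observation("inside", 100.52, "10.0.0.1", "10.0.0.8", REQ_B),
    Observation("inside", 101.02, "10.0.0.1", "10.0.0.5", REQ_C),
    Observation("inside", 101.03, "10.0.0.1", "10.0.0.8", REQ_C),  # same bytes, second host
]


def main():
    for obs, host in attribute(OUTSIDE, INSIDE).items():
        print(f"{obs.ts:7.2f} {obs.src} -> {obs.dst} "
              f"payload={payload_digest(obs.payload)[:12]} real target: {host}")


if __name__ == "__main__":
    main()
```

Two points the example makes visible that the abstract only implies: the method is only as precise as the payloads are distinct, so a short, common request that several internal hosts receive at once cannot be attributed and is reported as ambiguous rather than guessed; and the correlation depends on the boundary passing the message bytes through unchanged. A boundary that re-encodes the payload itself (a TLS-terminating reverse proxy or a compressing gateway) produces different bytes on each side, so the hash would have to be taken at the point where the plaintext message is restored.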