A traditional approach to finding out who the non-compliant user is would be to remove drives from suspicious computers after hours, image them and then replace them, so that the deleted files, fragments, inodes, logs and histories can be analyzed for evidence of malicious or non-compliant use. The problem with this approach is that it is very labor intensive, and there is a real chance that the adversary will discover he or she is under investigation and destroy the evidence.
Researchers at the Johns Hopkins University Applied Physics Laboratory (JHU/APL) have developed a way to identify specific machines through Remote Network Fingerprinting.
- Exploits the physical uniqueness of the machine
- Identifies the endpoints in a communication
- Shows that an endpoint participated in a transaction or was not involved in a transaction
The researchers at JHU/APL expanded the UCSD research by estimating skew via linear regression and used error analysis theory to determine the required sample size. They simulated WAN delay and measured PCI bus clock speed to link clock skew to the physical hardware, finding that PCI bus clock speed is directly related to clock skew. Linear regression uniquely identifies machines to within a couple of parts per million. Also, the number of samples required is directly proportional to the observed timestamp error and the confidence interval, while it is inversely proportional to the collection interval and the allowed parts-per-million tolerance.
The JHU/APL approach to passive forensic identification of networked TCP/IP communication endpoints provides a repeatable way to fingerprint a specific machine using the simple technique of linear regression, while statistical error analysis guides the investigator on how much information needs to be collected.
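The following is an added illustration of the two steps described above, written for this page and not JHU/APL's code. It regresses the remote host's clock offset against the observer's capture time to recover the skew in parts per million, and it turns a timestamp error, collection interval and tolerance into a required sample count. The observations are constructed: a hypothetical host whose TCP timestamp clock ticks at an assumed 1000 Hz with a chosen skew, observed through a simulated WAN delay with uniform jitter. The sample-size formula is derived from the standard least-squares slope variance; the page states only the direction of each dependence, not this exact form.

```python
"""Clock-skew fingerprinting via least-squares regression on TCP timestamps.

Added illustration, not JHU/APL code. The observer records, for each packet
from a host, its own capture time and the TCP timestamp option value carried
by the packet. The host's timestamp clock runs at a nominal rate but drifts by
a few parts per million (ppm); that drift is the fingerprint.
"""
import math
import random

NOMINAL_HZ = 1000  # assumed tick rate of the remote host's TCP timestamp clock


def simulate_observations(true_skew_ppm, n_samples, interval_s, max_jitter_s, seed=7):
    """Construct synthetic (capture_time_s, tcp_timestamp) pairs.

    The hypothetical host's clock advances at NOMINAL_HZ * (1 + skew). WAN
    delay is a fixed 20 ms plus uniform jitter on the capture time. Timestamp
    values are integers, as the real TCP option carries them.
    """
    rng = random.Random(seed)
    skew = true_skew_ppm * 1e-6
    base_ts = 123456789  # arbitrary starting timestamp value (constructed)
    obs = []
    for i in range(n_samples):
        sent_at = i * interval_s  # host-side send time in seconds
        ts_value = base_ts + int(sent_at * NOMINAL_HZ * (1.0 + skew))
        captured_at = sent_at + 0.020 + rng.uniform(0.0, max_jitter_s)
        obs.append((captured_at, ts_value))
    return obs


def estimate_skew_ppm(obs):
    """Least-squares slope of host clock offset against capture time, in ppm.

    offset_i = (ts_i - ts_0) / NOMINAL_HZ - (t_i - t_0). An unskewed clock
    keeps the offset flat apart from noise; a skewed clock yields a straight
    line whose slope is the skew. Returns (skew_ppm, standard_error_ppm).
    """
    t0, ts0 = obs[0]
    xs = [t - t0 for t, _ in obs]
    ys = [(ts - ts0) / NOMINAL_HZ - x for (t, ts), x in zip(obs, xs)]
    n = len(xs)
    xbar = sum(xs) / n
    ybar = sum(ys) / n
    sxx = sum((x - xbar) ** 2 for x in xs)
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    slope = sxy / sxx
    # Residual standard error gives the standard error of the slope.
    resid = [y - (ybar + slope * (x - xbar)) for x, y in zip(xs, ys)]
    sigma = math.sqrt(sum(r * r for r in resid) / (n - 2))
    return slope * 1e6, (sigma / math.sqrt(sxx)) * 1e6


def required_samples(timestamp_error_s, interval_s, tolerance_ppm, z=1.96):
    """Samples needed so that z * SE(slope) is within tolerance_ppm.

    For N evenly spaced samples, sxx = interval^2 * N (N^2 - 1) / 12, so
    z * sigma / sqrt(sxx) <= tol becomes N^3 - N >= 12 (z sigma / (interval tol))^2.
    This is my derivation from the least-squares slope variance; more error
    and a tighter confidence bound raise N, a longer interval or looser
    tolerance lower it, matching the dependences the page describes.
    """
    target = 12.0 * (z * timestamp_error_s / (interval_s * tolerance_ppm * 1e-6)) ** 2
    n = 3
    while n ** 3 - n < target:
        n += 1
    return n


if __name__ == "__main__":
    samples = simulate_observations(true_skew_ppm=37.0, n_samples=600,
                                    interval_s=1.0, max_jitter_s=0.005)
    skew, se = estimate_skew_ppm(samples)
    print(f"estimated skew {skew:.2f} ppm (SE {se:.2f} ppm)")
    print("samples for 1 ppm at 95%:", required_samples(1.5e-3, 1.0, 1.0))
```

Ten minutes of once-per-second samples through 5 ms of jitter is enough to pin the constructed host's 37 ppm skew to well under a part per million, which is the regime in which the page says machines become individually identifiable. Raising the jitter or tightening the tolerance in `required_samples` shows how quickly the collection budget grows.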
Norma Lee Todd
443/778-4528 (Baltimore Metro Area)