Method of Passive Forensic Identification of Networked TCP/IP Communication Endpoints
Reference#: P02446
The biggest headlines in network security seem to feature the dark world of outside hackers, worms and viruses. In reality, however, a company's computer network is more likely to be compromised by people inside the organization, either through malicious acts or through simple non-compliance with established security protocols. It is often hard to identify which user was responsible when a company uses Network Address Translation (NAT) to let multiple hosts on a private network access the internet through a single public IP address.
The JHU/APL Passive Forensic Identification of Networked TCP/IP Communication Endpoints method “fingerprints” the timing characteristics of a networked computer to distinguish it from a group of similar computers by using passively observed timing differences in TCP packets. In a successful first application, the prototype system correlated intercepted network traffic to track a computer that was “hiding” among several machines using the same Internet Protocol (IP) address.
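The page does not disclose how the JHU/APL method measures timing, so the following is an added illustration of one well-known way that passively observed TCP timing separates hosts behind a NAT, not the patented method itself: each host's TCP timestamp (TSval) clock starts at an arbitrary value at boot and ticks at a host-specific rate, so packets from one host lie on a single line tsval = rate * t + offset while packets from different hosts do not. The packets, rate bounds and jitter tolerance below are constructed for the example; the code ignores 32-bit TSval wraparound and assumes the capture clock is monotonic.

```python
"""Estimate how many hosts sit behind one NAT address by clustering the
TCP timestamp (TSval) clocks seen in passively captured packets.

Added illustration, not JHU/APL's patented method. Sample packets are
constructed below; MIN_HZ/MAX_HZ and TOLERANCE_TICKS are assumptions.
"""
from dataclasses import dataclass, field

MIN_HZ, MAX_HZ = 1.0, 2000.0    # plausible TSval clock rates (assumption)
TOLERANCE_TICKS = 32            # jitter budget when matching a fitted clock


@dataclass
class Packet:
    t: float      # capture time in seconds (monotonic capture clock)
    tsval: int    # TCP timestamp option value as seen on the wire


@dataclass
class ClockCluster:
    packets: list = field(default_factory=list)

    def fit(self):
        """Least-squares line tsval = rate*t + offset over >= 2 packets."""
        n = len(self.packets)
        mt = sum(p.t for p in self.packets) / n
        mv = sum(p.tsval for p in self.packets) / n
        sxx = sum((p.t - mt) ** 2 for p in self.packets)
        sxy = sum((p.t - mt) * (p.tsval - mv) for p in self.packets)
        rate = sxy / sxx
        return rate, mv - rate * mt

    def residual(self, pkt):
        """Ticks between the packet and this clock, or None if implausible."""
        if len(self.packets) == 1:
            # Only one point: accept if the implied tick rate is plausible,
            # rank it behind any cluster that already has a fitted line.
            first = self.packets[0]
            dt = pkt.t - first.t
            if dt <= 0:
                return None
            implied = (pkt.tsval - first.tsval) / dt
            return TOLERANCE_TICKS if MIN_HZ <= implied <= MAX_HZ else None
        rate, offset = self.fit()
        r = abs(rate * pkt.t + offset - pkt.tsval)
        return r if r <= TOLERANCE_TICKS else None


def cluster_packets(packets):
    """Assign each packet (in capture order) to the best-matching clock."""
    clusters = []
    for pkt in sorted(packets, key=lambda p: p.t):
        best = None
        for c in clusters:
            r = c.residual(pkt)
            if r is not None and (best is None or r < best[0]):
                best = (r, c)
        if best is None:
            clusters.append(ClockCluster([pkt]))   # a clock not seen before
        else:
            best[1].packets.append(pkt)
    return clusters


def estimated_rates(clusters):
    """Fitted tick rate per cluster (None when only one packet was seen)."""
    return [c.fit()[0] if len(c.packets) >= 2 else None for c in clusters]


def _synth(rate_hz, offset, times, jitter):
    # Constructed packets for one host: offset + ticks since t=0 + jitter.
    return [Packet(t, offset + round(rate_hz * t) + j) for t, j in zip(times, jitter)]


# Constructed capture: three hosts sharing one public IP, two of them
# with the same tick rate but different boot-time offsets.
SAMPLE_PACKETS = (
    _synth(1000, 1_000_000, [0.0, 0.4, 1.1, 2.0, 3.3], [0, 1, -1, 0, 2])
    + _synth(250, 7_500_000, [0.25, 0.9, 1.8, 2.7], [0, 1, -1, 0])
    + _synth(1000, 42_000_000, [0.5, 1.3, 2.2, 3.1], [0, 1, -1, 0])
)

if __name__ == "__main__":
    found = cluster_packets(SAMPLE_PACKETS)
    print(f"{len(found)} distinct TSval clocks behind the address")
    for c, r in zip(found, estimated_rates(found)):
        print(f"  {len(c.packets)} packets, ~{r:.0f} Hz")
```

Two hosts can share a tick rate and still be told apart because their clocks started at different times, which is why the matching uses the full fitted line rather than the rate alone. In a real capture the same grouping is what lets an investigator attribute flows from a single NAT address to individual machines without any agent on the hosts.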
Patent Status: U.S. patents pending.
Technology is available for licensing.
CONTACT: Ms. N. L. Todd Phone: (443) 778-4528