STARdeck™

STARDECK (Systematic Tracking of Attackers using Routing Data and Event Correlation Knowledge) is a patented attack attribution infrastructure (US Patent No: 8,806,634) that provides answers to two questions of interest to those investigating the origin and nature of network attacks:

  • Level 1 Attribution: True Origins of IP Packets
    Given a possibly spoofed, single IP packet, determine the possible IP addresses of the machines that could have generated the packet.

  • Level 2 Attribution: Controlling Mechanisms of Attacks
    Determine whether the actions of the machine of origin (found by Level 1 attribution) are being caused or controlled by activity at other machine(s), and identify evidence about such machine(s).

Attack Attribution Approach

The STARdeck approach to addressing the above attribution questions involves the following key steps:

  • Deploy remote traffic sensors prior to attacks to gather data in advance of attacks. A small number of sensors in a few locations can provide valuable attribution data.
  • Develop efficient traffic summaries to store sensor data indefinitely – traffic digests are important so that one can store as much traffic as needed for later attribution.
  • Gather “Reverse Routing” data for the network to compute the possible origins for traffic at each remote sensor link – this data provides accurate information about possible addresses corresponding to remote sensor links.
  • Build a table of origins for different sensor link identification signatures. This table provides rapid lookup of possible origins from a link signature.
  • Incorporate network intrusion data and application logs from any source as available. These sources are particularly relevant to Level 2 attribution, where every available piece of information could prove to be useful.

More details are available in the White Papers posted at Cs3's website.

STARDECK Level 1 Attribution is performed for a packet P by:

  • Finding the link identification signature for P from summaries of sensor data;
  • Looking up the table of origins for that link identification signature.
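As an added illustration (not STARdeck's own code or the patented method), a small model of the Level 1 lookup just described and of the approach steps above: reverse routing data for each sensor link is compiled into a table of origins keyed by link identification signature, and a packet's signature is recovered from per-link traffic digests. All addresses, link names, packet fields and the digest scheme are constructed assumptions.

```python
import hashlib
from itertools import product
# Constructed reverse-routing data (hypothetical values): for each sensor link,
# the source prefixes whose packets toward the monitored network traverse it.
# Model assumption: a packet is seen on every sensor link along its path, no other.
REVERSE_ROUTES = {
    "sensorA-link1": {"10.1.0.0/16", "10.2.0.0/16"},
    "sensorB-link1": {"10.2.0.0/16", "10.3.0.0/16"},
    "sensorC-link1": {"10.4.0.0/16"},
}

def build_table_of_origins(reverse_routes):
    """Table of origins: for every link identification signature (set of links
    that saw a packet), the prefixes routed over all of them and none of the rest."""
    links = list(reverse_routes)
    table = {}
    for mask in product([False, True], repeat=len(links)):
        seen = frozenset(link for link, hit in zip(links, mask) if hit)
        if not seen:
            continue
        origins = set.intersection(*(reverse_routes[link] for link in seen))
        for other in set(links) - seen:
            origins -= reverse_routes[other]
        if origins:
            table[seen] = origins
    return table

def packet_digest(pkt):
    """Traffic digest entry: hash of fields that do not change hop to hop.
    The claimed source is part of the hash but is never trusted as the origin."""
    material = f"{pkt['src']}|{pkt['dst']}|{pkt['ip_id']}|{pkt['payload'][:8]}"
    return hashlib.sha256(material.encode()).hexdigest()[:8]

def link_signature(pkt, digests):
    """Recover which sensor links recorded the packet from their stored digests."""
    h = packet_digest(pkt)
    return frozenset(link for link, summary in digests.items() if h in summary)

def level1_attribute(pkt, digests, table):
    """Level 1: signature from the digests, then lookup in the table of origins."""
    sig = link_signature(pkt, digests)
    return sig, table.get(sig, set())
# Constructed scenario: a packet with a spoofed source, recorded by sensors A and B only.
SPOOFED = {"src": "192.0.2.9", "dst": "198.51.100.7", "ip_id": 4711, "payload": b"GET / HTTP"}
DIGESTS = {"sensorA-link1": {packet_digest(SPOOFED)},
           "sensorB-link1": {packet_digest(SPOOFED)}, "sensorC-link1": set()}

if __name__ == "__main__":
    sig, origins = level1_attribute(SPOOFED, DIGESTS, build_table_of_origins(REVERSE_ROUTES))
    print(sorted(sig), origins)  # ['sensorA-link1', 'sensorB-link1'] {'10.2.0.0/16'}
```

The spoofed source address plays no role in the answer: the candidate origins come only from which sensor links recorded the packet and from the reverse routing data behind that signature.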

STARDECK Level 2 Attribution is performed by:

  • Incorporating new and existing heuristics for stepping stone control using traffic summaries;
  • Providing general query and correlation facilities for Level 2 attribution questions.

STARDECK Competitive Benefits and Advantages:

  • The Level 1 attribution method works with sparse cooperation, needing only a few points in the network to supply data; other traceback methods require universal adoption.
  • This technique for Level 1 attribution can combine evidence from any of the prior methods wherever they are deployed.
  • Efficient traffic digests enable advance reconnaissance for arbitrary periods of time and, therefore, become a valuable source of forensic data to attribute network activity.
  • The Reflection Probe Method (RPM) to gather reverse routing data for large networks and for the Internet provides valuable data about packet sources related to link signatures.
  • Ability to answer Level 2 attribution queries covering not only traditional stepping stones but also hard-to-trace zombies and worms.