mechanism allowing properly authorized parties to examine any packet,
even those logged months prior, unambiguously identifying the physical
machine that sent it. However, absent
express authorization, packet signatures do not expose identifying information. Finally, we enforce the correct
use of this mechanism by allowing any
network element to verify the validity of
the signatures it receives.
Our goal is principally to assess the viability of privacy-preserving attribution. Over the past four years, we have built a prototype system called Clue to explore the practical engineering challenges of building a privacy-preserving forensic-attribution capability. This illuminating experience revealed the architectural requirements of our approach while forcing us to confront the challenges of the underlying cryptographic overhead. Surprisingly, we found that much of the overhead can be hidden or amortized through careful protocol design alone. Thus, even our untuned user-level software prototype adds less than 30ms of latency to interactive traffic and achieves bulk TCP throughput exceeding 17Mbps. Moreover, this throughput, which is significantly greater than a typical broadband access connection, is limited by the speed of the receiver; aggregate server throughput can be considerably greater. While numerous challenges remain, our research demonstrates the feasibility of privacy-preserving forensic attribution, encouraging wider consideration of our approach.
Motivating Scenarios
Forensic attribution would create a fundamentally new network-layer capability, with numerous potential applications, including the subset we survey here. For certain types of crimes, law-enforcement officers routinely face the challenge of how to map between traffic received at some point in the network and the physical device of origin. Establishing this mapping would allow investigators to determine if the same device was used in multiple crimes, if a particular activity was perpetrated by a known device, and potentially to track even the location of a targeted device via IP geolocation.