Architecture for multi-stage network attack traceback

Attacks can originate from anywhere in the network but there is little the network can tell operators about where the attacker is located. Packet traceback techniques have been proposed to find the source of one or more IP packets, but some attackers use multiple remote login sessions, or stepping stones, to increase obfuscation. IP packet traceback can only find the source of one of the several connections in the stepping stone connection chain. Stealthy tracing attackers research light trace (STARLlTE) is a customization and significant extension to BBN's source path isolation engine (SPlE.) The goal of STARLlTE was to construct a prototype to integrate single packet traceback with stepping stone detection. The resulting prototype traces a packet to an ingress router, and then discovers if the flow of that packet is related to a flow in another connection. A successful correlation can then be continued until an ultimate source is located