Identifying computers hidden behind a NAT using machine learning techniques

Ori Zakin, Metal Levi, Yuval Elovici, Lior Rockach, Nir Shafrir, Guy Sinter, Ofer Pen

ECIW2008-7th European Conference on Information Warfare and Security …, 2008

Attackers may use computers hidden behind a Network Address Translator (NAT) in order to conduct malicious activities such as denial of service (DoS). In such cases, law enforcement agencies are often unable to single out an attacker from all the users hidden behind the NAT. In this paper we present an innovative approach for clustering the sessions emanating from the NAT in order to identify the attacker. Each cluster should ideally include only the sessions emanating from a specific computer. A system that implements the new approach was developed. It was used to evaluate the new approach's performance in a real environment that included 24 computers hidden behind the NAT. The preliminary evaluation results have demonstrated the superiority of the new approach over existing solutions and its ability to assist in locating potential attackers hidden behind a NAT.