With the rapid growth of computer network technology in general, network security has become a major concern. The fact that the tools and information needed to penetrate the security of computer networks are widely available has increased that concern. A malicious host wishing to attack the network has a wide arsenal available to it. Many of the tools for attack rely on “spoofing”, or otherwise using a faked network address to masquerade as an authorized host. Using this technique, the malicious host can launch denial of service attacks, bypass access control mechanisms, or otherwise disrupt the network.
To protect against such attacks, it is desirable to identify and locate the malicious host. However, an attacker can present itself as an authorized host by using a forged source address. In some situations, the source MAC address and/or the source IP address of the malicious host is forged or spoofed. Additionally, all other standard identification information in the packet that points to the source host can be spoofed. This makes it difficult to identify the malicious source host.
Even where spoofed packets are detected, the results of such detection may be prone to a high incidence of false positives. It may be the responsibility of the network administrator to investigate false positive alerts. Where false positives are numerous, it becomes quite cumbersome to track down each alert, rule out malicious activity, and take subsequent action where relevant.