Network Attack Attribution Research Group

Updated: September 13, 2005

Formed in July 2005, the SANS Network Attack Attribution Research Group is attempting to add breakthrough capabilities to the taxonomy of automated traceback techniques. We are a team from throughout industry and academia with a charter to discuss current attack attribution techniques in the literature and identify capabilities lacking in industry solutions. We conduct fundamental research and development, and publish our findings on new attack traceback methods. One of the group's primary directives is to propose, analyze, and promote promising techniques for advancement into an experimentation phase on the DETER testbed. The Attack Attribution Group intends to publish one or more technical reports and presentations when our research and experimentation are complete, and to foster public understanding of the state of the art in traceback techniques.

We would like to acknowledge the important role that the DETER testbed is playing in this project. Our team members need a common experimentation environment that can closely simulate public Internet infrastructure, and the DETERlab nicely meets this complex requirement. DETERlab is a network emulation and experimentation environment funded by the Department of Homeland Security and the National Science Foundation. We would like to thank the DETER team for the unique services they provide.

Our thanks also go to Stephen Northcutt and The SANS Institute for providing us with the support and resources required to establish this project.

The projected time frame for initial findings is 6 months. Periodic updates and news of interest will be posted to this site.

Links of interest
A very comprehensive outline of IP traceback can be found in Wikipedia, the Free Encyclopedia
SANS Attack Attribution info on DETERlabs

Current Members

This research group currently comprises ten members, and we run a mailing list that serves as our central communication hub. If you feel that you could add your own unique insight to the problem of attack attribution and would like to play a role in this research, you are invited to email the Attack Attribution Research Group's coordinating figures with a letter of interest at

Stephen Northcutt
Director of Training and Certification, The SANS Institute
Johannes Ullrich
Chief Research Officer, The SANS Institute
Erik Kamerling
Principal Coordinator. SANS Attack Attribution Research Group
Anton Chuvakin, Ph.D
Security Strategist, netForensics
Sid Faber
Security Analyst, Federated Investors
Nick Murphy
Director of Information Technology, EthicsPoint
Kathleen Moriarty
Head of IT Security, MIT Lincoln Laboratory
Scott Shinberg
Security Program Manager, Incident Responder
Steven J. Friedl
Security Consultant,
Jason Thomas
Deputy Program Manager, National Cyber-Forensics and Training Alliance
Matt Ziemniak
Information Analyst, National Cyber-Forensics and Training Alliance