Evading stepping-stone detection under the cloak of streaming media with SNEAK

Authors:
Jaideep D. Padhye;Kush Kothari;Madhu Venkateshaiah;Matthew Wright
Affiliations:
Cisco, Inc., Mail Stop SJCF/1/4, 210 West Tasman Drive, San Jose, CA 95134, United States;Department of Computer Science and Engineering, The University of Texas at Arlington, Arlington, TX 76019, United States;clearAvenue, LLC, 939 Elkridge Landing Road #195, Linthicum, MD 21090, United States;Department of Computer Science and Engineering, The University of Texas at Arlington, Arlington, TX 76019, United States
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2010

Citing 23
Cited 0

End-to-end packet delay and loss behavior in the internet

SIGCOMM '93 Conference proceedings on Communications architectures, protocols and applications
Untraceable electronic mail, return addresses, and digital pseudonyms

Communications of the ACM
Tarzan: a peer-to-peer anonymizing network layer

Proceedings of the 9th ACM conference on Computer and communications security
Finding a Connection Chain for Tracing Intruders

ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones

ESORICS '02 Proceedings of the 7th European Symposium on Research in Computer Security
On Effectiveness of Link Padding for Statistical Traffic Analysis Attacks

ICDCS '03 Proceedings of the 23rd International Conference on Distributed Computing Systems
Holding intruders accountable on the Internet

SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays

Proceedings of the 10th ACM conference on Computer and communications security
Information Theory, Inference & Learning Algorithms

Information Theory, Inference & Learning Algorithms
Tracking anonymous peer-to-peer VoIP calls on the internet

Proceedings of the 12th ACM conference on Computer and communications security
A multi-threshold online smoothing technique for variable rate multimedia streams

Multimedia Tools and Applications
On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Detecting stepping stones

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Tor: the second-generation onion router

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
DSSS-Based Flow Marking Technique for Invisible Traceback

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Network Flow Watermarking Attack on Low-Latency Anonymous Communication Systems

SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Detecting covert timing channels: an entropy-based approach

Proceedings of the 14th ACM conference on Computer and communications security
Response time in man-computer conversational transactions

AFIPS '68 (Fall, part I) Proceedings of the December 9-11, 1968, fall joint computer conference, part I
Multi-flow attacks against network flow watermarking schemes

SS'08 Proceedings of the 17th conference on Security symposium
Multiscale stepping-stone detection: detecting pairs of jittered interactive streams by exploiting maximum tolerable delay

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
The traffic analysis of continuous-time mixes

PET'04 Proceedings of the 4th international conference on Privacy Enhancing Technologies
On flow correlation attacks and countermeasures in mix networks

PET'04 Proceedings of the 4th international conference on Privacy Enhancing Technologies
Timing analysis in low-latency mix networks: attacks and defenses

ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network-based intrusions have become a serious threat to the users of the Internet. To help cover their tracks, attackers launch attacks from a series of previously compromised systems called stepping stones. Timing correlations on incoming and outgoing packets can lead to detection of the stepping stone and can be used to trace the attacker through each link. Prior work has sought to counter the possibility of the attacker employing chaff packets and randomized delays. To date, however, researchers have not accounted for the full range of techniques that a sophisticated attacker could apply. In this work, we show that such an attacker could avoid detection by the best known stepping-stone detection methods. We propose a simple buffering technique that could be used by an attacker on a stepping stone to evade detection. This technique makes the timing of packets in the output flow of the stepping stone entirely independent of the timing of packets from the input flow, thereby eliminating the timing link that makes existing stepping-stone detection methods possible. To accomplish this, we only require buffering at the stepping stone and enough chaff packets to generate a constant-rate flow. This traffic has the characteristics of a multimedia stream, such as Voice over IP (VoIP), which is quite common on the Internet today. To test the effectiveness of our technique, we implemented it in a prototype stepping-stone application and tested its performance on the DETER testbed and the PlanetLab testbed. Our prototype successfully evades watermark-based detection and provides reasonable performance for shell commands over at least three stepping stones.