Passive estimation of TCP round-trip times
ACM SIGCOMM Computer Communication Review
Traffic Characterisation and Modelling
BT Technology Journal
Holding intruders accountable on the Internet
SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Proceedings of the 10th ACM conference on Computer and communications security
Packet-dispersion techniques and a capacity-estimation methodology
IEEE/ACM Transactions on Networking (TON)
Measuring the evolution of transport protocols in the internet
ACM SIGCOMM Computer Communication Review
Tracking anonymous peer-to-peer VoIP calls on the internet
Proceedings of the 12th ACM conference on Computer and communications security
On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Using an Ensemble of One-Class SVM Classifiers to Harden Payload-based Anomaly Detection Systems
ICDM '06 Proceedings of the Sixth International Conference on Data Mining
Measurement and classification of out-of-sequence packets in a tier-1 IP backbone
IEEE/ACM Transactions on Networking (TON)
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Tor: the second-generation onion router
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
DSSS-Based Flow Marking Technique for Invisible Traceback
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Network Flow Watermarking Attack on Low-Latency Anonymous Communication Systems
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
One-way Delay Measurement and Characterization
ICNS '07 Proceedings of the Third International Conference on Networking and Services
Analysis of internet backbone traffic and header anomalies observed
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Studying Timing Analysis on the Internet with SubRosa
PETS '08 Proceedings of the 8th international symposium on Privacy Enhancing Technologies
A First Step towards Live Botmaster Traceback
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Dependent link padding algorithms for low latency anonymity systems
Proceedings of the 15th ACM conference on Computer and communications security
Multi-flow attacks against network flow watermarking schemes
SS'08 Proceedings of the 17th conference on Security symposium
Multi-flow attack resistant watermarks for network flows
ICASSP '09 Proceedings of the 2009 IEEE International Conference on Acoustics, Speech and Signal Processing
On the secrecy of spread-spectrum flow watermarks
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
A study of burstiness in TCP flows
PAM'05 Proceedings of the 6th international conference on Passive and Active Network Measurement
Timing analysis in low-latency mix networks: attacks and defenses
ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
New attacks on timing-based network flow watermarks
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Detecting co-residency with active traffic analysis techniques
Proceedings of the 2012 ACM Workshop on Cloud computing security workshop
SGor: Trust graph based onion routing
Computer Networks: The International Journal of Computer and Telecommunications Networking
Hi-index | 0.00 |
Traffic watermarking is an important element in many network security and privacy applications, such as tracing botnet C&C communications and deanonymizing peer-to-peer VoIP calls. The state-of-the-art traffic watermarking schemes are usually based on packet timing information and they are notoriously difficult to detect. In this paper, we show for the first time that even the most sophisticated timing-based watermarking schemes (e.g., RAINBOW and SWIRL) are not invisible by proposing a new detection system called BACKLIT. BACKLIT is designed according to the observation that any practical timing-based traffic watermark will cause noticeable alterations in the intrinsic timing features typical of TCP flows. We propose five metrics that are sufficient for detecting four state-of-the-art traffic watermarks for bulk transfer and interactive traffic. BACKLIT can be easily deployed in stepping stones and anonymity networks (e.g., Tor), because it does not rely on strong assumptions and can be realized in an active or passive mode. We have conducted extensive experiments to evaluate BACKLIT's detection performance using the PlanetLab platform. The results show that BACKLIT can detect watermarked network flows with high accuracy and few false positives.