Wide area traffic: the failure of Poisson modeling
IEEE/ACM Transactions on Networking (TON)
IBM Systems Journal
Communications of the ACM
Practical network support for IP traceback
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Finding a Connection Chain for Tracing Intruders
ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones
ESORICS '02 Proceedings of the 7th European Symposium on Research in Computer Security
Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework
IFIP/Sec '01 Proceedings of the IFIP TC11 Sixteenth Annual Working Conference on Information Security: Trusted Information: The New Decade Challenge
Techniques and Applications of Digital Watermarking and Content Protection
Techniques and Applications of Digital Watermarking and Content Protection
Holding intruders accountable on the Internet
SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Proceedings of the 10th ACM conference on Computer and communications security
Low-Cost Traffic Analysis of Tor
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets
ICDCSW '05 Proceedings of the Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05) - Volume 02
Tracking anonymous peer-to-peer VoIP calls on the internet
Proceedings of the 12th ACM conference on Computer and communications security
On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Active timing based techniques for attack attribution through stepping stones
Active timing based techniques for attack attribution through stepping stones
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Tor: the second-generation onion router
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
DSSS-Based Flow Marking Technique for Invisible Traceback
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Network Flow Watermarking Attack on Low-Latency Anonymous Communication Systems
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Multi-flow attacks against network flow watermarking schemes
SS'08 Proceedings of the 17th conference on Security symposium
Multi-flow attack resistant watermarks for network flows
ICASSP '09 Proceedings of the 2009 IEEE International Conference on Acoustics, Speech and Signal Processing
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Timing analysis in low-latency mix networks: attacks and defenses
ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
NetCamo: camouflaging network traffic for QoS-guaranteed mission critical applications
IEEE Transactions on Systems, Man, and Cybernetics, Part A: Systems and Humans
IEEE Transactions on Information Theory
| Hi-index | 0.00 |
Tracing interactive attack traffic that traverses stepping stones (i.e., intermediate hosts) is challenging, as the packet headers, lengths, and contents can all be changed by the stepping stones. The traffic timing (delays between packets) has therefore been studied as a means of tracing traffic. One such technique uses traffic timing as a side channel into which a watermark, or identifying tag, can be embedded to aid with tracing. The effectiveness of such techniques is greatly reduced when the packet count of the traffic is changed at the stepping stone. Such transformations may occur as a result of either active countermeasures (e.g. chaff packets, flow splitting) by an adversary attempting to defeat tracing, or by incidental repacketization of the traffic by network interfaces. This paper presents a new method of embedding a watermark in traffic timing, for purposes of tracing the traffic in the presence of flow splitting, chaff packets, timing perturbation, and repacketization. This method uses an invariant characteristic of two connection flows which are part of the same stepping stone chain, namely, the elapsed time of the flows. The duration of each flow is sliced into short fixed-length intervals. Packet timing is adjusted to manipulate the packet count in specific intervals (without adding or deleting any packets), for purposes of embedding the watermark. The method is self-synchronizing and does not require clock synchronization between the watermark encoder and decoder. A statistical analysis of the method, with no assumptions or limitations concerning the distribution of packet times, proves the effectiveness of the method given a sufficient number of packets, despite natural and/or deliberate repacketization and countermeasures by an adversary. The method has been implemented and tested on a large number of SSH traffic flows. The results demonstrate that 100% detection rates and very low false positive rates are achieved under conditions of multiple countermeasures, and using only a few hundred packets.