How quickly can somebody convert the IP address of a target into a real-world street address? Law enforcement regularly needs to determine a suspect's exact location when investigating crimes on the Internet. Investigators first use geolocation software and databases to determine the suspect's rough location. Recent research has been able to scope a targeted IP address to within a circle of 690 m (0.43 mile) radius, which is enough to determine which law enforcement department has jurisdiction. Unfortunately, investigators then face a "last half mile" problem: their only mechanism for determining the suspect's exact address is to subpoena the suspect's Internet Service Provider, a process that can take weeks. Law enforcement would rather locate the suspect within the hour, in the hope of catching the suspect while the crime is still ongoing, which leads to stronger evidence and straightforward prosecution. Given these time constraints, we investigate how quickly an adversary can locate a target without any special law enforcement powers. Instead, we leverage ubiquitous wireless networks and a mobile physical observer that performs wireless monitoring (akin to wardriving, the practice of driving around to discover wireless networks). We develop an approach that allows an adversary to send traffic to the target's IP address that the observer can detect on the air, even if wireless encryption is in use. We evaluated the approach in two common real-world settings. In one of these, a residential neighborhood, we used a single-blind trial in which an observer located a target network to within three houses in less than 40 minutes (with the potential for more exact results using hardware such as directional antennas). The approach had only a 0.38% false positive rate, despite 24,000 observed unrelated packets and many unrelated networks. These results show significant promise for the geolocation strategy and demonstrate that adversaries with multiple potential observation points, such as law enforcement personnel, could quickly locate a target.
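The abstract states that the adversary's traffic can be recognised by the observer even when the target's wireless network is encrypted, but it does not describe how the traffic is marked or detected. The simulation below is an added example, not code from the paper or its authors, of one way this can work: WPA2 encrypts the payload, but the BSSID in the 802.11 header, the frame length and the inter-frame timing all remain visible to a passive monitor, so an adversary can send a fixed sequence of packet sizes and gaps to the target's IP address and the observer can look for that size-and-timing signature on each nearby network. The marker sequence, the tolerances, the constant CCMP and MAC header overheads, the network names and all captured traffic are constructed assumptions for this example; the real marking scheme, evaluation setting and measured false positive rate are the paper's own and are not reproduced here.

```python
"""Added example (not the paper's code): detecting adversary-sent marker
traffic on an encrypted 802.11 network from frame sizes and timing alone.

Assumptions (not stated in the abstract): the marker is a fixed sequence of
UDP payload sizes sent with fixed gaps; WPA2-CCMP and the MAC header add a
constant per-frame overhead; the observer records (time, BSSID, frame length)
for every frame on the channel.  All traffic here is constructed and seeded.
"""
import random

# Marker: (payload_bytes, gap_seconds before sending this packet). Assumed.
MARKER = [(1200, 0.0), (300, 0.05), (1200, 0.05), (300, 0.05),
          (900, 0.05), (100, 0.05), (900, 0.05), (100, 0.05)]
SIZE_TOL = 8        # bytes of slack in length differences (assumed)
TIME_TOL = 0.02     # seconds of slack in inter-frame gaps (assumed)
CCMP_OVERHEAD = 16  # 8-byte CCMP header + 8-byte MIC added by WPA2
MAC_HDR = 36        # 802.11 data header + LLC/SNAP + FCS, assumed constant


def marker_signature():
    """The observer cannot see absolute payload sizes (the encryption and
    header overhead is an unknown constant), so match on consecutive length
    *differences* and on gaps, both of which survive encryption."""
    diffs = [MARKER[i][0] - MARKER[i - 1][0] for i in range(1, len(MARKER))]
    gaps = [MARKER[i][1] for i in range(1, len(MARKER))]
    return diffs, gaps


def emit_marker(bssid, t0, rng):
    """The marker as the observer sees it: encrypted length plus constant
    overhead, with a little send-side jitter on each frame."""
    frames, t = [], t0
    for payload, gap in MARKER:
        t += gap + rng.uniform(0, 0.005)
        frames.append((t, bssid, payload + CCMP_OVERHEAD + MAC_HDR))
    return frames


def background(rng, n, bssids, duration):
    """Unrelated traffic on several nearby networks: random lengths, Poisson
    arrivals.  Constructed stand-in for the 'many unrelated networks'."""
    frames, t = [], 0.0
    for _ in range(n):
        t += rng.expovariate(n / duration)
        frames.append((t, rng.choice(bssids), rng.randint(60, 1500)))
    return frames


def _follow(frames, i, diffs, gaps):
    """Walk the marker starting at frames[i], skipping interleaved frames
    from the target's own unrelated traffic.  frames is time-sorted."""
    t, length = frames[i]
    pos = i
    for diff, gap in zip(diffs, gaps):
        want_t, want_len = t + gap, length + diff
        found = None
        for j in range(pos + 1, len(frames)):
            ft, flen = frames[j]
            if ft > want_t + TIME_TOL:
                break
            if abs(ft - want_t) <= TIME_TOL and abs(flen - want_len) <= SIZE_TOL:
                found = j
                break
        if found is None:
            return False
        pos, (t, length) = found, frames[found]
    return True


def detect(capture):
    """Return {bssid: [marker start times]}.  Frames are grouped by BSSID,
    which stays in the clear in the 802.11 header even under WPA2."""
    diffs, gaps = marker_signature()
    by_bss = {}
    for t, bss, length in sorted(capture):
        by_bss.setdefault(bss, []).append((t, length))
    hits = {}
    for bss, frames in by_bss.items():
        for i in range(len(frames)):
            if _follow(frames, i, diffs, gaps):
                hits.setdefault(bss, []).append(frames[i][0])
    return hits


def locate(capture):
    """Rank networks by marker matches; repeating the marker lets a true
    target stand out from any isolated chance match."""
    return sorted(detect(capture).items(), key=lambda kv: -len(kv[1]))


def demo(seed=7, repeats=3):
    """Constructed scenario: 6 networks, 24,000 unrelated frames over 600 s,
    marker sent 3 times to one of them; plus a marker-free control capture."""
    rng = random.Random(seed)
    nets = ["aa:bb:cc:00:00:%02x" % i for i in range(6)]  # assumed BSSIDs
    target = nets[2]
    capture = background(rng, 24000, nets, 600.0)
    for r in range(repeats):
        capture += emit_marker(target, 100.0 + 60.0 * r, rng)
    control = background(random.Random(seed + 1), 24000, nets, 600.0)
    fp_rate = sum(len(v) for v in detect(control).values()) / len(control)
    return target, locate(capture), fp_rate


if __name__ == "__main__":
    target, ranked, fp_rate = demo()
    print("target:", target, "ranked:", ranked, "control FP rate:", fp_rate)
```

Matching on length differences rather than absolute lengths is what makes the detector indifferent to the cipher suite and header format in use, and walking the sequence while skipping interleaved frames is what keeps it working when the target is also carrying its own traffic. The control capture gives the per-frame chance of a spurious match for these tolerances; a shorter marker or looser tolerances raises it, which is the trade-off the paper's false positive figure reflects.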