Attacks against encrypted protocols have become increasingly popular and sophisticated. Such attacks are often undetectable by traditional Intrusion Detection Systems (IDSs). Additionally, encrypted attack traffic makes tracing the source of an attack substantially more difficult. In this paper, we address these issues and devise a mechanism to trace back attackers who target encrypted protocols. In our efforts to combat attacks against cryptographic protocols, we have integrated a traceback mechanism into the monitoring stubs (MSs), which were introduced in one of our previous works. While we previously focused on strategically placing monitoring stubs to detect attacks against encrypted protocols, in this work we aim to equip MSs with a traceback feature. In our approach, when a given MS detects an attack, it starts tracing back to the root of the attack. The traceback mechanism relies on monitoring the extracted features at different MSs, i.e., at different points of the target network. At each MS, the features monitored over time form a pattern, which is compared or correlated with the patterns monitored at the neighboring MSs. A high correlation value between the patterns observed by two adjacent MSs indicates that the attack traffic propagated through the network elements covered by these MSs. Based on these correlation values and prior knowledge of the network topology, the system can then construct a path back to the attacking hosts. The effectiveness of the proposed traceback scheme is verified by simulations.
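The correlation-and-walk step the abstract describes, as an added example that is not the paper's code. It assumes Pearson correlation, one per-interval feature count per MS, a threshold of 0.8, and a constructed five-stub topology with hypothetical MS names; the abstract fixes none of these.

```python
from math import sqrt

def pearson(x, y):
    """Pearson correlation of two equal-length series (0.0 if either is flat)."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return 0.0 if vx == 0 or vy == 0 else cov / sqrt(vx * vy)

def trace_back(detecting_ms, topology, patterns, threshold=0.8):
    """Follow the best-correlated unvisited neighbour from the detecting MS."""
    path, current = [detecting_ms], detecting_ms
    while True:
        # Correlate the current MS's pattern with each adjacent, unvisited MS.
        candidates = [(pearson(patterns[current], patterns[nb]), nb)
                      for nb in topology[current] if nb not in path]
        strong = [c for c in candidates if c[0] >= threshold]
        if not strong:
            return path  # no adjacent MS saw the same pattern: trace ends here
        current = max(strong)[1]
        path.append(current)

# Constructed topology (assumption): adjacency between monitoring stubs.
TOPOLOGY = {
    "ms_server":   ["ms_core"],
    "ms_core":     ["ms_server", "ms_edge_a", "ms_edge_b"],
    "ms_edge_a":   ["ms_core", "ms_access_1"],
    "ms_edge_b":   ["ms_core"],
    "ms_access_1": ["ms_edge_a"],
}

# Constructed feature counts per interval (assumption). The burst in
# intervals 3-6 is the attack; ms_edge_b carries background traffic only.
PATTERNS = {
    "ms_server":   [2, 3, 2, 14, 19, 22, 17, 3],
    "ms_core":     [5, 6, 5, 17, 23, 25, 20, 6],
    "ms_edge_a":   [1, 2, 1, 13, 18, 21, 16, 2],
    "ms_edge_b":   [4, 4, 5, 4, 5, 4, 4, 5],
    "ms_access_1": [0, 1, 0, 12, 17, 20, 15, 1],
}

if __name__ == "__main__":
    print(" <- ".join(trace_back("ms_server", TOPOLOGY, PATTERNS)))
```

The walk stops at the last MS whose neighbours show no correlated pattern, which is the closest the monitored topology can place the source.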