Active timing based techniques for attack attribution through stepping stones

The purpose of this research is to study the active timing based techniques used for attack attribution through stepping stone computers, where attackers connect sequentially through multiple intermediate hosts to hide their traces. The difficulty of tracing back such attacks comes not only from the normal operation of networks and stepping stones, but also from the intentional interference of the attackers. Encryption, repacketization, timing perturbation, and meaningless chaff packets can all significantly affect the attribution result. In this dissertation, I have investigated multiple research problems related to active timing based attack attribution. First, I present a correlation scheme that can successfully identify stepping stone connections even if attackers introduce both chaff packets and timing perturbations simultaneously. In this scheme, we enhance the existing active watermark schemes and focus on identifying the possible corresponding packets in the flows to be correlated. We develop a series of algorithms to effectively and efficiently decode the embedded watermarks when chaff packets are inserted, and use theoretical analysis and experimental evaluation to validate these algorithms. We also investigate how our correlation scheme can be used to deal with the countermeasure in which stepping stone connections are split and then merged, and propose an approach to mitigate the problem of packet loss and retransmission. Next, I present research on the secrecy issues of the quantization based watermark scheme. We propose an attacking approach based on analyzing the one-way packet transit delays between adjacent stepping stones. Our attack contains several techniques that can infer important watermark parameters and remove/duplicate the embedded watermarks. These techniques enable an attacker to defeat the watermarking system in certain cases by removing watermarks from the stepping stone connections, or replicating watermarks onto non-stepping stone connections. We have also developed techniques to detect in real time whether a stepping stone connection is being watermarked for trace-back purposes. Experiments using real-world data are performed, and the results demonstrate that for the quantization based watermark scheme, (1) embedded watermarks can be successfully recovered and duplicated when the watermark parameters are not chosen carefully, and (2) the existence of a watermark in a network flow can be quickly detected. Third, I present the research results on the secrecy of the probabilistic watermark scheme. Following the ideas used in analyzing the quantization based watermark scheme, we propose attacks that can detect watermark existence, recover important watermark parameters, and remove/duplicate watermarks to effectively defeat the watermark scheme. We also investigate the problem of real-time watermark recovery and removal, and propose an online attacking algorithm. Experiments are then conducted to validate our analysis. Finally, I investigate the secrecy issues of the interval based watermark scheme and propose several security enhancements to deter possible timing analysis attacks. I demonstrate that the interval based scheme is not robust against several attacks we construct, which can quickly detect watermark existence, recover watermark parameters and defeat the watermark scheme. Through experiments, we validate that the improved scheme with security enhancements significantly increases the resistance to all of these severe attacks.
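As an added illustration (not code from the dissertation), the following Python models a simplified quantization-based inter-packet-delay (IPD) watermark of the kind the abstract refers to, and shows why both timing perturbation and chaff packets matter to the correlator: small jitter is absorbed by the quantization bins, while an unfiltered chaff packet misaligns every later bit until the corresponding packets are identified. The step size, bit count, jitter bound and session timestamps are constructed for the example, and the embedding rule (delay a packet to the centre of a bin whose index parity encodes the bit) is a simplification, not the exact published definition.

```python
import math
import random

def embed(timestamps, bits, step):
    """Delay packets so that IPD i (t[i+1]-t[i]) lands at the centre of a
    quantization bin whose index parity is bits[i]. Packets are only delayed,
    and each delay is propagated to all later packets so the IPDs still to be
    encoded keep their original values."""
    out = list(timestamps)
    for i, bit in enumerate(bits):
        ipd = out[i + 1] - out[i]
        b = math.floor(ipd / step)
        while b % 2 != bit or (b + 0.5) * step < ipd:  # first usable bin >= ipd
            b += 1
        delay = (b + 0.5) * step - ipd
        for j in range(i + 1, len(out)):
            out[j] += delay
    return out

def decode(timestamps, nbits, step):
    """Read each IPD's bin-index parity back as a watermark bit."""
    return [math.floor((timestamps[i + 1] - timestamps[i]) / step) % 2
            for i in range(nbits)]

def demo(step=0.4, nbits=16, seed=7):
    rng = random.Random(seed)
    base = [0.0]                       # constructed interactive-session timestamps
    for _ in range(nbits):
        base.append(base[-1] + rng.uniform(0.2, 1.5))
    bits = [rng.randint(0, 1) for _ in range(nbits)]
    marked = embed(base, bits, step)
    # Per-packet jitter under step/4 moves an IPD by less than step/2, so the
    # IPD stays inside its bin and the bit survives.
    jittered = [t + rng.uniform(-0.09, 0.09) for t in marked]
    # One constructed chaff packet after packet 3: decoding the raw sequence
    # misaligns every later IPD; decoding only over the packets identified as
    # the flow's own (chaff filtered out) recovers the watermark.
    chaffed = list(marked)
    chaffed.insert(4, rng.uniform(marked[3], marked[4]))
    own = [t for i, t in enumerate(chaffed) if i != 4]
    return {
        "bits": bits,
        "only_delayed": all(m >= b for m, b in zip(marked, base)),
        "clean": decode(marked, nbits, step),
        "jittered": decode(jittered, nbits, step),
        "raw_with_chaff": decode(chaffed, nbits, step),
        "chaff_filtered": decode(own, nbits, step),
    }
```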
