Exposing invisible timing-based traffic watermarks with BACKLIT

Traffic watermarking is an important element in many network security and privacy applications, such as tracing botnet C&C communications and deanonymizing peer-to-peer VoIP calls. The state-of-the-art traffic watermarking schemes are usually based on packet timing information, and they are notoriously difficult to detect. In this paper, we propose a new detection system called BACKLIT and use it to show for the first time that even the most sophisticated timing-based watermarking schemes (e.g., RAINBOW and SWIRL) are not invisible. BACKLIT is designed around the observation that any practical timing-based traffic watermark will cause noticeable alterations in the intrinsic timing features typical of TCP flows. We propose five metrics that are sufficient for detecting four state-of-the-art traffic watermarks for both bulk-transfer and interactive traffic. BACKLIT can be easily deployed in stepping stones and anonymity networks (e.g., Tor), because it does not rely on strong assumptions and can be realized in either an active or a passive mode. We have conducted extensive experiments on the PlanetLab platform to evaluate BACKLIT's detection performance. The results show that BACKLIT can detect watermarked network flows with high accuracy and few false positives.
