An efficient sequential watermark detection model for tracing network attack flows

Watermarking schemes for tracing network attack flows have been proposed to detect stepping-stone intrusion and to counter the abuse of anonymity. However, most existing network flow watermark detection techniques operate on a fixed sample size of network data, which results in both unguaranteed detection error rates and low watermark detection efficiency. We propose an efficient sequential watermark detection (ESWD) model for tracing network attack flows. Based on the ESWD model, a statistical analysis of sequential detectors, which makes no assumptions about and places no limitations on the distribution of packet timing, proves their effectiveness despite traffic timing perturbations. Experiments using a large number of synthetically generated SSH traffic flows demonstrate a significant advantage of the ESWD model over the existing fixed sample size (FSS) detector: the optimal sequential watermark detector (OSWD) based on the ESWD model saves almost 28% in the average number of packets compared to the FSS watermark detector. Furthermore, the nonparametric sequential sign watermark detector (SSWD) can also reduce the average number of packets for a given required probability of detection errors.
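To illustrate the contrast between sequential and fixed-sample-size detection, the following added example (not code from the paper, and not its OSWD or SSWD detectors) runs a textbook Wald sequential probability ratio test over sign observations and compares its expected sample count with a fixed-size sign test at the same error targets. Assumptions: each observation is a boolean saying whether the sign of a per-packet timing statistic matches the embedded watermark bit, the match probability is 0.5 without a watermark and 0.8 with one, and all function names are hypothetical.

```python
import math
from statistics import NormalDist

def sprt_bounds(alpha, beta):
    """Wald's approximate stopping bounds on the log-likelihood ratio."""
    return math.log(beta / (1 - alpha)), math.log((1 - beta) / alpha)

def sequential_sign_detect(matches, p1, alpha=0.01, beta=0.01, p0=0.5):
    """Consume sign matches one at a time and stop once a bound is crossed.
    Returns (decision, observations_used)."""
    lower, upper = sprt_bounds(alpha, beta)
    hit = math.log(p1 / p0)               # evidence added by a matching sign
    miss = math.log((1 - p1) / (1 - p0))  # evidence removed by a mismatch
    llr, n = 0.0, 0
    for n, matched in enumerate(matches, 1):
        llr += hit if matched else miss
        if llr >= upper:
            return "watermarked", n
        if llr <= lower:
            return "unwatermarked", n
    return "undecided", n                 # flow ended before either bound

def expected_samples_h1(p1, alpha=0.01, beta=0.01, p0=0.5):
    """Wald's approximation of the average sample number, watermark present."""
    lower, upper = sprt_bounds(alpha, beta)
    drift = p1 * math.log(p1 / p0) + (1 - p1) * math.log((1 - p1) / (1 - p0))
    return ((1 - beta) * upper + beta * lower) / drift

def fixed_sample_size(p1, alpha=0.01, beta=0.01, p0=0.5):
    """Normal-approximation sample size for a fixed-size one-sided sign test."""
    za = NormalDist().inv_cdf(1 - alpha)
    zb = NormalDist().inv_cdf(1 - beta)
    num = za * math.sqrt(p0 * (1 - p0)) + zb * math.sqrt(p1 * (1 - p1))
    return math.ceil((num / (p1 - p0)) ** 2)

if __name__ == "__main__":
    # Constructed input: a repeating pattern with 80% sign matches.
    flow = [True, True, True, True, False] * 10
    print(sequential_sign_detect(flow, p1=0.8))
    print(expected_samples_h1(0.8), fixed_sample_size(0.8))
```

The sample counts this produces follow from the constructed parameters only and are not the paper's measured savings.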
