Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Flow Watermarking

Network-based intruders seldom attack their victims directly from their own computer. Often, they stage their attacks through intermediate “stepping stones” in order to conceal their identity and origin. To identify the source of the attack behind the stepping stone(s), it is necessary to correlate the incoming and outgoing flows or connections of a stepping stone. To resist attempts at correlation, the attacker may encrypt or otherwise manipulate the connection traffic. Timing-based correlation approaches have been shown to be quite effective in correlating encrypted connections. However, timing-based correlation approaches are subject to timing perturbations that may be deliberately introduced by the attacker at stepping stones. In this paper, we propose a novel watermark-based-correlation scheme that is designed specifically to be robust against timing perturbations. Unlike most previous timing-based correlation approaches, our watermark-based approach is “active” in that it embeds a unique watermark into the encrypted flows by slightly adjusting the timing of selected packets. The unique watermark that is embedded in the encrypted flow gives us a number of advantages over passive timing-based correlation in resisting timing perturbations by the attacker. In contrast to the existing passive correlation approaches, our active watermark-based correlation does not make any limiting assumptions about the distribution or random process of the original interpacket timing of the packet flow. In theory, our watermark-based correlation can achieve arbitrarily close to 100 percent correlation true positive rate (TPR), and arbitrarily close to 0 percent false positive rate (FPR) at the same time for sufficiently long flows, despite arbitrarily large (but bounded) timing perturbations of any distribution by the attacker. Our paper is the first that identifies 1) accurate quantitative tradeoffs between the achievable correlation effectiveness and the defining characteristics of the timing perturbation; and 2) a provable upper bound on the number of packets needed to achieve a desired correlation effectiveness, given the amount of timing perturbation. Experimental results show that our active watermark-based correlation performs better and requires fewer packets than existing, passive timing-based correlation methods in the presence of random timing perturbations.

[1]  Peng Ning,et al.  On the secrecy of timing-based active watermarking trace-back techniques , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[2]  Anna R. Karlin,et al.  Network support for IP traceback , 2001, TNET.

[3]  Douglas S. Reeves,et al.  Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework , 2001, SEC.

[4]  Walter L. Smith Probability and Statistics , 1959, Nature.

[5]  Sushil Jajodia,et al.  Network Flow Watermarking Attack on Low-Latency Anonymous Communication Systems , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[6]  Alex C. Snoeren,et al.  Hash-based IP traceback , 2001, SIGCOMM '01.

[7]  Vern Paxson,et al.  Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay , 2002, RAID.

[8]  C. Pandu Rangan,et al.  Steganographic Communication in Ordered Channels , 2006, Information Hiding.

[9]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[10]  Deborah Estrin,et al.  An Empirical Workload Model for Driving Wide-Area TCP/IP Network Simulations , 2001 .

[11]  Sang Lyul Min,et al.  Caller Identification System in the Internet Environment , 1993 .

[12]  Peter B. Danzig,et al.  tcplib: A Library of TCP Internetwork Traffic Characteristics , 2002 .

[13]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.

[14]  Thomas M. Cover,et al.  Elements of Information Theory , 2005 .

[15]  Jun Li,et al.  Large-scale IP traceback in high-speed Internet: practical techniques and theoretical foundation , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[16]  Biswanath Mukherjee,et al.  DIDS (distributed intrusion detection system)—motivation, architecture, and an early prototype , 1997 .

[17]  Douglas S. Reeves,et al.  Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones , 2002, ESORICS.

[18]  Lang Tong,et al.  Detecting Encrypted Stepping-Stone Connections , 2007, IEEE Transactions on Signal Processing.

[19]  Yong Guan,et al.  Detection of stepping stone attack under delay and chaff perturbations , 2006, 2006 IEEE International Performance Computing and Communications Conference.

[20]  Douglas S. Reeves,et al.  Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays , 2003, CCS '03.

[21]  P. Cochat,et al.  Et al , 2008, Archives de pediatrie : organe officiel de la Societe francaise de pediatrie.

[22]  Joseph A. O'Sullivan,et al.  Information-theoretic analysis of information hiding , 2003, IEEE Trans. Inf. Theory.

[23]  Sang Joon Kim,et al.  A Mathematical Theory of Communication , 2006 .

[24]  Stuart Staniford-Chen,et al.  Holding intruders accountable on the Internet , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[25]  Yin Zhang,et al.  Detecting Stepping Stones , 2000, USENIX Security Symposium.

[26]  Dawn Xiaodong Song,et al.  Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds , 2004, RAID.

[27]  Hiroaki Etoh,et al.  Finding a Connection Chain for Tracing Intruders , 2000, ESORICS.

[28]  Ingemar J. Cox,et al.  Digital Watermarking , 2003, Lecture Notes in Computer Science.

[29]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[30]  C. Stoll The Cuckoo's Egg : Tracking a Spy Through the Maze of Computer Espionage , 1990 .

[31]  Peng Ning,et al.  Active timing-based correlation of perturbed traffic flows with chaff packets , 2005, 25th IEEE International Conference on Distributed Computing Systems Workshops.

[32]  Douglas S. Reeves,et al.  Strategic deployment of network monitors for attack attribution , 2007, 2007 Fourth International Conference on Broadband Communications, Networks and Systems (BROADNETS '07).

[33]  Pierre Moulin Information-Hiding Games , 2002, IWDW.

[34]  Peng Ning,et al.  Tracing Traffic through Intermediate Hosts that Repacketize Flows , 2007, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications.

[35]  Walter Willinger,et al.  Proof of a fundamental result in self-similar traffic modeling , 1997, CCRV.

[36]  Michael T. Goodrich,et al.  Efficient packet marking for large-scale IP traceback , 2002, CCS '02.