An Invisible Localization Attack to Internet Threat Monitors
November 2009 (vol. 20 no. 11)
pp. 1611-1625
Wei Yu, Towson University, Towson
Xun Wang, Cisco Systems Inc., San Jose
Xinwen Fu, University of Massachusetts Lowell, Lowell
Dong Xuan, Ohio State University, Columbus
Wei Zhao, University of Macau, Macau
Internet threat monitoring (ITM) systems have been deployed in recent years to detect widespread attacks on the Internet. However, the effectiveness of ITM systems critically depends on the confidentiality of their monitors' locations. If adversaries learn the monitor locations of an ITM system, they can bypass the monitors and focus on the uncovered IP address space without being detected. In this paper, we study a new class of attacks, the invisible LOCalization (iLOC) attack. The iLOC attack can accurately and invisibly localize the monitors of ITM systems. In the iLOC attack, the attacker launches low-rate port-scan traffic, encoded with a selected pseudonoise code (PN-code), to targeted networks. While the secret PN-code is invisible to others, the attacker can accurately determine the existence of monitors in the targeted networks based on whether the PN-code is embedded in the report data queried from the data center of the ITM system. We formally analyze the impact of various parameters on attack effectiveness. We implement the iLOC attack and conduct a performance evaluation on a real-world ITM system to demonstrate the feasibility of such attacks. We also conduct extensive simulations of the iLOC attack using real-world traces. Our data show that the iLOC attack can accurately identify monitors while remaining invisible to ITM systems. Finally, we present a set of guidelines to counteract the iLOC attack.

Index Terms:
Internet threat monitoring systems, invisible localization attack, PN-code, security.
Wei Yu, Xun Wang, Xinwen Fu, Dong Xuan, Wei Zhao, "An Invisible Localization Attack to Internet Threat Monitors," IEEE Transactions on Parallel and Distributed Systems, vol. 20, no. 11, pp. 1611-1625, Nov. 2009, doi:10.1109/TPDS.2008.255