Xinyuan Wang, Douglas S. Reeves, "Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Flow Watermarking," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 3, pp. 434-449, May/June, 2011.
BibTeX:
@article{ 10.1109/TDSC.2010.35,
  author = {Xinyuan Wang and Douglas S. Reeves},
  title = {Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Flow Watermarking},
  journal = {IEEE Transactions on Dependable and Secure Computing},
  volume = {8},
  number = {3},
  issn = {1545-5971},
  year = {2011},
  pages = {434-449},
  doi = {http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.35},
  publisher = {IEEE Computer Society},
  address = {Los Alamitos, CA, USA},
}
RefWorks Procite/RefMan/Endnote:
TY - JOUR
JO - IEEE Transactions on Dependable and Secure Computing
TI - Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Flow Watermarking
IS - 3
SN - 1545-5971
SP - 434
EP - 449
EPD - 434-449
A1 - Xinyuan Wang,
A1 - Douglas S. Reeves,
PY - 2011
KW - Network-level security and protection
KW - intrusion tracing
KW - correlation
KW - stepping stone.
VL - 8
JA - IEEE Transactions on Dependable and Secure Computing
ER -
[1] A. Blum, D. Song, and S. Venkataraman, "Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds," Proc. Seventh Int'l Symp. Recent Advances in Intrusion Detection (RAID '04), Oct. 2004.
[2] R.C. Chakinala, A. Kumarasubramanian, R. Manokaran, G. Noubir, C. Pandu Rangan, and R. Sundaram, "Steganographic Communication in Ordered Channels," Proc. Eighth Information Hiding Int'l Conf. (IH '06), 2006.
[3] T.M. Cover and J.A. Thomas, Elements of Information Theory. John Wiley & Sons, Inc., 1991.
[4] I. Cox, M. Miller, and J. Bloom, Digital Watermarking. Morgan-Kaufmann Publishers, 2002.
[5] P. Danzig and S. Jamin, "Tcplib: A Library of TCP Internetwork Traffic Characteristics," Technical Report USC-CS-91-495, Univ. of Southern California, 1991.
[6] P. Danzig, S. Jamin, R. Cacerest, D. Mitzel, and E. Estrin, "An Empirical Workload Model for Driving Wide-Area TCP/IP Network Simulations," J. Internetworking, vol. 3, no. 1, pp. 1-26, Mar. 1992.
[7] M. DeGroot, Probability and Statistics. Addison-Wesley Publishing Company, 1989.
[8] D. Donoho et al., "Multiscale Stepping Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay," Proc. Fifth Int'l Symp. Recent Advances in Intrusion Detection (RAID '02), pp. 17-35, Oct. 2002.
[9] M.T. Goodrich, "Efficient Packet Marking for Large-Scale IP Traceback," Proc. Ninth ACM Conf. Computer and Comm. Security (CCS '02), pp. 117-126, Oct. 2002.
[10] T. He and L. Tong, "Detecting Encrypted Stepping-Stone Connections," IEEE Trans. Signal Processing, vol. 55, no. 5, pp. 1612-1623, May 2006.
[11] H. Jung et al., "Caller Identification System in the Internet Environment," Proc. Fourth USENIX Security Symp., 1993.
[12] S. Kent and R. Atkinson, RFC 2401: Security Architecture for the Internet Protocol, IETF, Sept. 1998.
[13] G. Kramer, "Generator of Self-Similar Network Traffic," http://wwwcsif.cs.ucdavis.edu/kramer/code trf_gen2.html, 2005.
[14] J. Li, M. Sung, J. Xu, and L. Li, "Large Scale IP Traceback in High-Speed Internet: Practical Techniques and Theoretical Foundation," Proc. IEEE Symp. Security and Privacy, 2004.
[15] P. Moulin, "Information-Hiding Games," Proc. Int'l Workshop Digital Watermarking (IWDW '03), May 2003.
[16] P. Moulin and J.A. O'Sullivan, "Information-Theoretic Analysis of Information Hiding," IEEE Trans. Information Theory, vol. 49, no. 3, pp. 563-593, Mar. 2003.
[17] NLANR Trace Archive, http://pma.nlanr.net/Traceslong/, 2005.
[18] OpenSSH, http://www.openssh.com, 2010.
[19] P. Peng, P. Ning, and D.S. Reeves, "On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques," Proc. IEEE Symp. Security and Privacy (SP '06), May 2006.
[20] P. Peng, P. Ning, D. Reeves, and X. Wang, "Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets," Proc. Second Int'l Workshop Security in Distributed Computing Systems (SDCS '06), June 2005.
[21] Y.J. Pyun, Y.H. Park, X. Wang, D.S. Reeves, and P. Ning, "Tracing Traffic through Intermediate Hosts that Repacketize Flows," Proc. IEEE INFOCOM '07, May 2007.
[22] Y.J. Pyun and D.S. Reeves, "Deployment of Network Monitors for Attack Attribution," Proc. Fourth Int'l Conf. Broadband Comm., Networks, and Systems (Broadnets '07), pp. 525-534, Sept. 2007.
[23] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Practical Network Support for IP Traceback," Proc. ACM SIGCOMM '00, pp. 295-306, Sept. 2000.
[24] C.E. Shannon, "A Mathematical Theory of Communication," Bell System Technical J., vol. 27, pp. 379-423, 623-656, July/Oct. 1948.
[25] S. Snapp et al., "DIDS (Distributed Intrusion Detection System)—Motivation, Architecture, and Early Prototype," Proc. 14th Nat'l Computer Security Conf., pp. 167-176, 1991.
[26] A. Snoeren and C. Patridge et al., "Hash-Based IP Traceback," Proc. ACM SIGCOMM '01, pp. 3-14, Sept. 2001.
[27] S. Staniford-Chen, and L. Heberlein, "Holding Intruders Accountable on the Internet," Proc. IEEE Symp. Security and Privacy, pp. 39-49, 1995.
[28] C. Stoll, The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage. Pocket Books, 2000.
[29] M.S. Taqqu, W. Willinger, and R. Sherman, "Proof of a Fundamental Result in Self-Similar Traffic Modeling," ACM Computer Comm. Rev., vol. 27, pp. 5-23, 1997.
[30] X. Wang, S. Chen, and S. Jajodia, "Network Flow Watermarking Attack on Low-Latency Anonymous Communication Systems," Proc. IEEE Symp. Security and Privacy (SP '07), May 2007.
[31] X. Wang and D. Reeves, "Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Manipulation of Interpacket Delays," Proc. 10th ACM Conf. Computer and Comm. Security (CCS '03), pp. 20-29, Oct. 2003.
[32] X. Wang, D. Reeves, and S.F. Wu, "Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones," Proc. Seventh European Symp. Research in Computer Security (ESORICS '02), pp. 244-263, Oct. 2002.
[33] X. Wang, D. Reeves, S.F. Wu, and J. Yuill, "Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework," Proc. 16th Int'l Conf. Information Security (IFIP/Sec '01), pp. 369-384, June 2001.
[34] T. Ylonen and C. Lonvick, IETF Internet Draft: SSH Protocol Architecture, IETF, draft-ietf-secsh-architecture-16.txt, Work in Progress, June 2004.
[35] K. Yoda, and H. Etoh, "Finding a Connection Chain for Tracing Intruders," Proc. Sixth European Symp. Research in Computer Security (ESORICS '00), pp. 191-205, Oct. 2002.
[36] Y. Zhang and V. Paxson, "Detecting Stepping Stones," Proc. Ninth USENIX Security Symp., pp. 171-184, 2000.
[37] L. Zhang, A.G. Persaud, A. Johnson, and Y. Guan, "Detection of Stepping Stone Attack under Delay and Chaff Perturbations," Proc. 25th IEEE Int'l Performance Computing and Comm. Conf. (IPCCC '06), Apr. 2006.

