skip to main content
10.1145/948109.948115acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
Article

Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays

Published:27 October 2003Publication History

ABSTRACT

Network based intruders seldom attack directly from their own hosts, but rather stage their attacks through intermediate "stepping stones" to conceal their identity and origin. To identify attackers behind stepping stones, it is necessary to be able to correlate connections through stepping stones, even if those connections are encrypted or perturbed by the intruder to prevent traceability.The timing-based approach is the most capable and promising current method for correlating encrypted connections. However, previous timing-based approaches are vulnerable to packet timing perturbations introduced by the attacker at stepping stones. In this paper, we propose a novel watermark-based correlation scheme that is designed specifically to be robust against timing perturbations. The watermark is introduced by slightly adjusting the timing of selected packets of the flow. By utilizing redundancy techniques, we have developed a robust watermark correlation framework that reveals a rather surprising result on the inherent limits of independent and identically distributed (iid) random timing perturbations over sufficiently long flows. We also identify the tradeoffs between timing perturbation characteristics and achievable correlation effectiveness. Experiments show that the new method performs significantly better than existing, passive, timing-based correlation in the presence of random packet timing perturbations.

References

  1. I. J. Cox, M. L. Miller and J. A. Bloom. Digital Watermarking. Morgan-Kaufmann Publishers, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. P. B. Danzig and S. Jamin. tcplib: A Library of TCP Internetwork Traffic Characteristics. USC Technical Report, USC-CS-91--495.Google ScholarGoogle Scholar
  3. P. B. Danzig, S. Jamin, R. Cacerest, D. J. Mitzel and E. Estrin. An Empirical Workload Model for Driving Wide-Area TCP/IP Network Simulations. In Journal of Internetworking 3:1, pages 1--26 March 1992.Google ScholarGoogle Scholar
  4. M. H. DeGroot. Probability and Statistics. Addison-Wesley Publishing Company, 1989.Google ScholarGoogle Scholar
  5. D. Donoho, A.G. Flesia, U. Shanka, V. Paxson, J. Coit and S. Staniford. Multiscale Stepping Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), October, 2002. Springer Verlag Lecture Notes in Computer Science, #2516. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. M. T. Goodrich. Efficient Packet Marking for Large-Scale IP Traceback. In Proceedings of 9th ACM Conference on Computer and Communication Security CCS'02, pages 117--126, October 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. H. Jung, et al. Caller Identification System in the Internet Environment. In Proceedings of 4th USENIX Security Symposium, 1993.Google ScholarGoogle Scholar
  8. S. Kent, R. Atkinson. Security Architecture for the Internet Protocol. IETF RFC 2401, September 1998. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. NLANR Trace Archive. <http://pma.nlanr.net/Traces/long/>.Google ScholarGoogle Scholar
  10. OpenSSH. <http://www.openssh.com>.Google ScholarGoogle Scholar
  11. S. Savage, D. Wetherall, A. Karlin and T. Anderson. Practical Network Support for IP Traceback. In Proceedings of the ACM SIGCOMM 2000, April 2000. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. S. Snapp, et al. DIDS (Distributed Intrusion Detection System) - Motivation, Architecture and Early Prototype. In Proceedings of 14th National Computer Security Conference, pages 167--176, 1991.Google ScholarGoogle Scholar
  13. D. Song and A. Perrig. Advanced and Authenticated Marking Scheme for IP Traceback. In Proceedings of IEEE INFOCOM'01, April 2001.Google ScholarGoogle Scholar
  14. S. Staniford-Chen, L. T. Heberlein. Holding Intruders Accountable on the Internet. In Proceedings of the IEEE Symposium on Security and Privacy, May 1995. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. C. Stoll. The Cuckoo's Egg: Tracking Spy through the Maze of Computer Espionage. Pocket Books, October 2000. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. X. Wang, D. S. Reeves and S.F. Wu. Inter-Packet Delay-Based Correlation for Tracing Encrypted Connections through Stepping Stones. In D. Gollmann, G. Karjoth and M. Waidner, editors, 7th European Symposium on Research in Computer Security - ESORICS 2002, October 2002. Springer-Verlag Lecture Notes in Computer Science #2502. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. X. Wang, D. S. Reeves, S. F. Wu and J. Yuill. Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework. In Proceedings of 16th International Conference on Information Security (IFIP/Sec'01), June, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. T. Ylonen, et al. SSH Protocol Architecture. IETF Internet Draft: draft-ietf-secsh-architecture-4.txt, July 2003.Google ScholarGoogle Scholar
  19. K. Yoda and H. Etoh. Finding a Connection Chain for Tracing Intruders. In F. Guppens, Y. Deswarte, D. Gollmann and M. Waidner, editors, 6th European Symposium on Research in Computer Security - ESORICS 2000, October 2000. Springer-Verlag Lecture Notes in Computer Science #1895 Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Y. Zhang and V. Paxson. Detecting Stepping Stones. In Proceedings of the 9th USENIX Security Symposium, pages 171--184, 2000. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays

        Recommendations

        Comments

        Login options

        Check if you have access through your login credentials or your institution to get full access on this article.

        Sign in
        • Published in

          cover image ACM Conferences
          CCS '03: Proceedings of the 10th ACM conference on Computer and communications security
          October 2003
          374 pages
          ISBN:1581137389
          DOI:10.1145/948109

          Copyright © 2003 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Publication History

          • Published: 27 October 2003

          Permissions

          Request permissions about this article.

          Request Permissions

          Check for updates

          Qualifiers

          • Article

          Acceptance Rates

          Overall Acceptance Rate1,261of6,999submissions,18%

          Upcoming Conference

          CCS '24
          ACM SIGSAC Conference on Computer and Communications Security
          October 14 - 18, 2024
          Salt Lake City , UT , USA

        PDF Format

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader