ABSTRACT
Network-based intruders seldom attack directly from their own hosts, but rather stage their attacks through intermediate "stepping stones" to conceal their identity and origin. To identify attackers behind stepping stones, it is necessary to be able to correlate connections through stepping stones, even if those connections are encrypted or perturbed by the intruder to prevent traceability. The timing-based approach is the most capable and promising current method for correlating encrypted connections. However, previous timing-based approaches are vulnerable to packet timing perturbations introduced by the attacker at stepping stones. In this paper, we propose a novel watermark-based correlation scheme that is designed specifically to be robust against timing perturbations. The watermark is introduced by slightly adjusting the timing of selected packets of the flow. By utilizing redundancy techniques, we have developed a robust watermark correlation framework that reveals a rather surprising result on the inherent limits of independent and identically distributed (iid) random timing perturbations over sufficiently long flows. We also identify the tradeoffs between timing perturbation characteristics and achievable correlation effectiveness. Experiments show that the new method performs significantly better than existing, passive, timing-based correlation in the presence of random packet timing perturbations.
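The mechanism the abstract describes (embed a watermark by delaying selected packets, use redundancy so that averaging cancels iid jitter) can be seen end to end in a small simulation. The following Python is an added illustration written for this page; it is not the authors' code and it simplifies their scheme: one bit is carried by the mean of m inter-packet delays (IPDs) of disjoint packet pairs, embedded by delaying the later packet of each pair until that mean sits on the centre of a quantisation bin of size s whose index has the bit's parity, and read back as the parity of the bin the mean lands in. The packet flow, the pair layout (which acts as the shared key), the uniform per-packet jitter model and all function names are constructed assumptions for the example.

```python
"""Timing watermark across a stepping stone: embed, jitter, decode (added example)."""
import math
import random
from typing import Dict, List, Sequence


def make_flow(n_packets: int, mean_ipd: float, seed: int) -> List[float]:
    """Constructed timestamps (seconds): exponential inter-arrivals standing in
    for one direction of an interactive session. Not real traffic."""
    rng = random.Random(seed)
    t, ts = 0.0, []
    for _ in range(n_packets):
        t += rng.expovariate(1.0 / mean_ipd)
        ts.append(t)
    return ts


def group_ipds(ts: Sequence[float], n_bits: int, m: int) -> List[List[float]]:
    """IPDs of disjoint packet pairs (2k, 2k+1), m consecutive pairs per bit.
    Which pairs carry which bit is the secret shared by embedder and decoder
    (assumed layout); a flow must hold at least 2*m*n_bits packets."""
    need = 2 * m * n_bits
    if len(ts) < need:
        raise ValueError(f"{n_bits} bits at redundancy {m} need {need} packets")
    ipds = [ts[2 * k + 1] - ts[2 * k] for k in range(m * n_bits)]
    return [ipds[b * m:(b + 1) * m] for b in range(n_bits)]


def embed(ts: Sequence[float], bits: Sequence[int], s: float, m: int) -> List[float]:
    """Delay the second packet of each selected pair by one delta so the group's
    mean IPD moves up to the nearest bin centre (n + 0.5) * s with n % 2 == bit.
    Packets can only be held back, and holding one holds everything queued
    behind it, so the delay is cumulative: ordering and all other IPDs survive."""
    extra = [0.0] * len(ts)
    for b, group in enumerate(group_ipds(ts, len(bits), m)):
        avg = sum(group) / m
        n = math.ceil(avg / s - 0.5)          # smallest bin centre >= avg
        if n % 2 != bits[b]:
            n += 1                            # next centre with the wanted parity
        delta = (n + 0.5) * s - avg           # >= 0 by construction
        for k in range(b * m, (b + 1) * m):
            extra[2 * k + 1] = delta
    out, shift = [], 0.0
    for t, e in zip(ts, extra):
        shift += e
        out.append(t + shift)
    return out


def decode(ts: Sequence[float], n_bits: int, s: float, m: int) -> List[int]:
    """Each bit is the parity of the bin that holds the group's mean IPD."""
    return [math.floor(sum(g) / m / s) % 2 for g in group_ipds(ts, n_bits, m)]


def perturb(ts: Sequence[float], max_delay: float, seed: int) -> List[float]:
    """Stepping stone adds an independent U[0, max_delay] delay to every packet
    but forwards in order, so a late packet also holds back those behind it.
    Every packet still leaves within [t, t + max_delay], hence the noise on any
    single IPD is bounded by +/- max_delay and averages down as 1/sqrt(m)."""
    rng = random.Random(seed)
    out, last = [], 0.0
    for t in ts:
        last = max(last, t + rng.uniform(0.0, max_delay))
        out.append(last)
    return out


def bit_errors(a: Sequence[int], b: Sequence[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def experiment(n_bits: int = 64, s: float = 0.020, max_delay: float = 0.040,
               redundancies: Sequence[int] = (1, 36), seed: int = 7) -> Dict[str, int]:
    """Bit errors for each redundancy m on the clean watermarked flow and after
    the stepping stone's jitter, plus the same decoder run on a jittered flow
    that carries no watermark (the false-positive baseline, ~50% of the bits)."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    flow = make_flow(2 * max(redundancies) * n_bits, 0.100, seed)
    results: Dict[str, int] = {}
    for m in redundancies:
        marked = embed(flow, bits, s, m)
        results[f"clean m={m}"] = bit_errors(decode(marked, n_bits, s, m), bits)
        jittered = perturb(marked, max_delay, seed + m)
        results[f"jitter m={m}"] = bit_errors(decode(jittered, n_bits, s, m), bits)
    m = max(redundancies)
    unmarked = perturb(flow, max_delay, seed)
    results[f"unmarked m={m}"] = bit_errors(decode(unmarked, n_bits, s, m), bits)
    return results


if __name__ == "__main__":
    for name, errors in experiment().items():
        print(f"{name:16s} {errors:3d} / 64 bit errors")
```

With jitter of up to 40 ms against a 20 ms bin, a single IPD per bit (m = 1) decodes to roughly half the bits wrong, which is indistinguishable from an unrelated flow; with m = 36 the averaged noise has a standard deviation of a few milliseconds and the watermark comes back essentially intact. The price is flow length: 2 * m * n_bits packets are needed, and the m required grows with the square of the attacker's delay bound relative to s, which is the tradeoff between perturbation characteristics and achievable correlation that the abstract refers to. Because the watermark is only ever added as delay, the same decoder also gives the reference point for a correlation decision: count matching bits against the expected watermark and compare with the ~50% match of an unmarked flow.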
Index Terms
- Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays