Article

Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays

Authors:

Douglas S. ReevesAuthors Info & Claims

CCS '03: Proceedings of the 10th ACM conference on Computer and communications security

Pages 20 - 29

https://doi.org/10.1145/948109.948115

Published: 27 October 2003 Publication History

Abstract

Network based intruders seldom attack directly from their own hosts, but rather stage their attacks through intermediate "stepping stones" to conceal their identity and origin. To identify attackers behind stepping stones, it is necessary to be able to correlate connections through stepping stones, even if those connections are encrypted or perturbed by the intruder to prevent traceability.The timing-based approach is the most capable and promising current method for correlating encrypted connections. However, previous timing-based approaches are vulnerable to packet timing perturbations introduced by the attacker at stepping stones. In this paper, we propose a novel watermark-based correlation scheme that is designed specifically to be robust against timing perturbations. The watermark is introduced by slightly adjusting the timing of selected packets of the flow. By utilizing redundancy techniques, we have developed a robust watermark correlation framework that reveals a rather surprising result on the inherent limits of independent and identically distributed (iid) random timing perturbations over sufficiently long flows. We also identify the tradeoffs between timing perturbation characteristics and achievable correlation effectiveness. Experiments show that the new method performs significantly better than existing, passive, timing-based correlation in the presence of random packet timing perturbations.

References

[1]

I. J. Cox, M. L. Miller and J. A. Bloom. Digital Watermarking. Morgan-Kaufmann Publishers, 2002.

Digital Library

[2]

P. B. Danzig and S. Jamin. tcplib: A Library of TCP Internetwork Traffic Characteristics. USC Technical Report, USC-CS-91--495.

[3]

P. B. Danzig, S. Jamin, R. Cacerest, D. J. Mitzel and E. Estrin. An Empirical Workload Model for Driving Wide-Area TCP/IP Network Simulations. In Journal of Internetworking 3:1, pages 1--26 March 1992.

[4]

M. H. DeGroot. Probability and Statistics. Addison-Wesley Publishing Company, 1989.

[5]

D. Donoho, A.G. Flesia, U. Shanka, V. Paxson, J. Coit and S. Staniford. Multiscale Stepping Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay. In Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), October, 2002. Springer Verlag Lecture Notes in Computer Science, #2516.

Digital Library

[6]

M. T. Goodrich. Efficient Packet Marking for Large-Scale IP Traceback. In Proceedings of 9th ACM Conference on Computer and Communication Security CCS'02, pages 117--126, October 2002.

Digital Library

[7]

H. Jung, et al. Caller Identification System in the Internet Environment. In Proceedings of 4th USENIX Security Symposium, 1993.

[8]

S. Kent, R. Atkinson. Security Architecture for the Internet Protocol. IETF RFC 2401, September 1998.

Digital Library

[9]

NLANR Trace Archive. <http://pma.nlanr.net/Traces/long/>.

[10]

OpenSSH. <http://www.openssh.com>.

[11]

S. Savage, D. Wetherall, A. Karlin and T. Anderson. Practical Network Support for IP Traceback. In Proceedings of the ACM SIGCOMM 2000, April 2000.

Digital Library

[12]

S. Snapp, et al. DIDS (Distributed Intrusion Detection System) - Motivation, Architecture and Early Prototype. In Proceedings of 14th National Computer Security Conference, pages 167--176, 1991.

[13]

D. Song and A. Perrig. Advanced and Authenticated Marking Scheme for IP Traceback. In Proceedings of IEEE INFOCOM'01, April 2001.

[14]

S. Staniford-Chen, L. T. Heberlein. Holding Intruders Accountable on the Internet. In Proceedings of the IEEE Symposium on Security and Privacy, May 1995.

Digital Library

[15]

C. Stoll. The Cuckoo's Egg: Tracking Spy through the Maze of Computer Espionage. Pocket Books, October 2000.

Digital Library

[16]

X. Wang, D. S. Reeves and S.F. Wu. Inter-Packet Delay-Based Correlation for Tracing Encrypted Connections through Stepping Stones. In D. Gollmann, G. Karjoth and M. Waidner, editors, 7th European Symposium on Research in Computer Security - ESORICS 2002, October 2002. Springer-Verlag Lecture Notes in Computer Science #2502.

Digital Library

[17]

X. Wang, D. S. Reeves, S. F. Wu and J. Yuill. Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework. In Proceedings of 16th International Conference on Information Security (IFIP/Sec'01), June, 2001.

Digital Library

[18]

T. Ylonen, et al. SSH Protocol Architecture. IETF Internet Draft: draft-ietf-secsh-architecture-4.txt, July 2003.

[19]

K. Yoda and H. Etoh. Finding a Connection Chain for Tracing Intruders. In F. Guppens, Y. Deswarte, D. Gollmann and M. Waidner, editors, 6th European Symposium on Research in Computer Security - ESORICS 2000, October 2000. Springer-Verlag Lecture Notes in Computer Science #1895

Digital Library

[20]

Y. Zhang and V. Paxson. Detecting Stepping Stones. In Proceedings of the 9th USENIX Security Symposium, pages 171--184, 2000.

Digital Library

Cited By

Yuan YGe JCheng G(2025)DeMarking: A defense for network flow watermarking in real-timeComputers & Security10.1016/j.cose.2025.104355152(104355)Online publication date: May-2025
https://doi.org/10.1016/j.cose.2025.104355
Yang JWang L(2024)Explore Utilizing Network Traffic Distribution to Detect Stepping-Stone IntrusionElectronics10.3390/electronics1316325813:16(3258)Online publication date: 16-Aug-2024
https://doi.org/10.3390/electronics13163258
Zohaib ASheffey JHoumansadr A(2023)Investigating Traffic Analysis Attacks on Apple iCloud Private RelayProceedings of the 2023 ACM Asia Conference on Computer and Communications Security10.1145/3579856.3595793(773-784)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.1145/3579856.3595793
Show More Cited By

Index Terms

Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays
1. Security and privacy
  1. Cryptography
    1. Cryptanalysis and other attacks
  2. Intrusion/anomaly detection and malware mitigation
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Flow Watermarking

Network-based intruders seldom attack their victims directly from their own computer. Often, they stage their attacks through intermediate “stepping stones” in order to conceal their identity and origin. To identify the source of the attack behind the ...
Interval-based flow watermarking for tracing interactive traffic

Tracing interactive attack traffic that traverses stepping stones (i.e., intermediate hosts) is challenging, as the packet headers, lengths, and contents can all be changed by the stepping stones. The traffic timing (delays between packets) has ...
The loop fallacy and serialization in tracing intrusion connections through stepping stones
SAC '04: Proceedings of the 2004 ACM symposium on Applied computing

Network based intruders seldom attack directly from their own hosts, but rather stage their attacks through intermediate "stepping stones" to conceal their identity and origin. To identify attackers behind stepping stones, it is necessary to be able to ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '03: Proceedings of the 10th ACM conference on Computer and communications security

October 2003

374 pages

ISBN:1581137389

DOI:10.1145/948109

General Chair:
Sushil Jajodia
George Mason University
,
Program Chairs:
Vijay Atluri
Rutgers University
,
Trent Jaeger
IBM Watson

Copyright © 2003 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 October 2003

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

CCS03

Sponsor:

SIGSAC

CCS03: Tenth ACM Conference on Computer and Communications Security 2003

October 27 - 30, 2003

Washington D.C., USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

144
Total Citations
View Citations
1,414
Total Downloads

Downloads (Last 12 months)17
Downloads (Last 6 weeks)1

Reflects downloads up to 03 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Yuan YGe JCheng G(2025)DeMarking: A defense for network flow watermarking in real-timeComputers & Security10.1016/j.cose.2025.104355152(104355)Online publication date: May-2025
https://doi.org/10.1016/j.cose.2025.104355
Yang JWang L(2024)Explore Utilizing Network Traffic Distribution to Detect Stepping-Stone IntrusionElectronics10.3390/electronics1316325813:16(3258)Online publication date: 16-Aug-2024
https://doi.org/10.3390/electronics13163258
Zohaib ASheffey JHoumansadr A(2023)Investigating Traffic Analysis Attacks on Apple iCloud Private RelayProceedings of the 2023 ACM Asia Conference on Computer and Communications Security10.1145/3579856.3595793(773-784)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.1145/3579856.3595793
Chen XWu CLiu XHuang QZhang DZhou HYang QKhan M(2023)Empowering Network Security With Programmable Switches: A Comprehensive SurveyIEEE Communications Surveys & Tutorials10.1109/COMST.2023.326598425:3(1653-1704)Online publication date: Nov-2024
https://doi.org/10.1109/COMST.2023.3265984
Mo LLv GWang B(2022)A Fine-Grained Network Congestion Detection Based on Flow WatermarkingApplied Sciences10.3390/app1216809412:16(8094)Online publication date: 12-Aug-2022
https://doi.org/10.3390/app12168094
Zheng XYan HWang RZhang ZLi H(2022)LUNARSecurity and Communication Networks10.1155/2022/58321242022Online publication date: 1-Jan-2022
https://dl.acm.org/doi/10.1155/2022/5832124
Sheng GZhang L(2022)An optimal LT code for network flow watermarkingThird International Conference on Computer Science and Communication Technology (ICCSCT 2022)10.1117/12.2662345(181)Online publication date: 29-Dec-2022
https://doi.org/10.1117/12.2662345
Li TLiu KFeng WYang CLuo X(2022)HeteroTiC: A robust network flow watermarking based on heterogeneous time channelsComputer Networks10.1016/j.comnet.2022.109424219(109424)Online publication date: Dec-2022
https://doi.org/10.1016/j.comnet.2022.109424
Yang JWang LWang Y(2021)Enhance Student Learning Experience in Cybersecurity Education by Designing Hands-on Labs on Stepping-stone Intrusion DetectionAdvances in Science, Technology and Engineering Systems Journal10.25046/aj0604406:4(355-367)Online publication date: Aug-2021
https://doi.org/10.25046/aj060440
Rezaei FHoumansadr A(2021)FINN: Fingerprinting Network Flows using Neural NetworksProceedings of the 37th Annual Computer Security Applications Conference10.1145/3485832.3488010(1011-1024)Online publication date: 6-Dec-2021
https://dl.acm.org/doi/10.1145/3485832.3488010
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten