Correlation of Encrypted Traffic Through Stepping Stones

Robust Correlation of Encrypted Attack Traffic Through Stepping Stones by Manipulation of Interpacket Delays

Xinyuan Wang
Department of Computer Science
N.C. State University
Raleigh, NC 27695
xwang5@unity.ncsu.edu

Douglas S. Reeves
Cyber Defense Lab
Departments of Computer Science and Electrical and Computer Engineering
N.C. State University
Raleigh, NC 27695
reeves@csc.ncsu.edu

ABSTRACT

Network based intruders seldom attack directly from their own hosts, but rather stage their attacks through intermediate “stepping stones” to conceal their identity and origin. To identify attackers behind stepping stones, it is necessary to be able to correlate connections through stepping stones, even if those connections are encrypted or perturbed by the intruder to prevent traceability.

The timing-based approach is the most capable and promising current method for correlating encrypted connections. However, previous timing-based approaches are vulnerable to packet timing perturbations introduced by the attacker at stepping stones.

In this paper, we propose a novel watermark-based correlation scheme that is designed specifically to be robust against timing perturbations. The watermark is introduced by slightly adjusting the timing of selected packets of the flow. By utilizing redundancy techniques, we have developed a robust watermark correlation framework that reveals a rather surprising result on the inherent limits of independent and identically distributed (iid) random timing perturbations over sufficiently long flows. We also identify the tradeoffs between timing perturbation characteristics and achievable correlation effectiveness. Experiments show that the new method performs significantly better than existing, passive, timing-based correlation in the presence of random packet timing perturbations.

Categories and Subject Descriptors

C.2.0 [Computer-Communication Networks]: General – Security and protection (e.g., firewalls); K.6.5 [Management of Computing and Information Systems]: Security and Protection – Unauthorized access (e.g., hacking, phreaking).

General Terms

Security, Reliability

Keywords

Stepping Stones, Intrusion Tracing, Correlation, Robustness

1. INTRODUCTION

Network based attacks have become a serious threat to the critical information infrastructure on which we depend. Those charged with defending networked assets that are under attack would like very much to be able to identify the source of the attack, so that appropriate action can be taken (whether that be contacting the source network administrator, filtering the attacker’s traffic, litigation, or criminal prosecution).

Attackers, however, go to some lengths to conceal their identities, using a variety of countermeasures. As an example, they may spoof the IP source address of their traffic. Methods of tracing spoofed traffic, generically referred to as IP traceback [6,11,13], have been developed to address this countermeasure.