
Robust Correlation of Encrypted Attack Traffic

S. Amuthavalli

Abstract


Network based intruders seldom attack their victims directly from their own computer. Often, they stage their attacks through intermediate “stepping stones” in order to conceal their identity and origin. To identify the source of the attack behind the stepping stone(s), it is necessary to correlate the incoming and outgoing flows or connections of a stepping stone. To resist attempts at correlation, the attacker may encrypt or otherwise manipulate the connection traffic.

Timing-based correlation approaches have been shown to be quite effective in correlating encrypted connections. However, timing-based correlation approaches are subject to timing perturbations that may be deliberately introduced by the attacker at stepping stones. This work proposes a novel watermark-based correlation scheme that is designed specifically to be robust against timing perturbations. Unlike most previous timing-based correlation approaches, the watermark-based approach is “active” in that it embeds a unique watermark into the encrypted flows by slightly adjusting the timing of selected packets. The unique watermark that is embedded in the encrypted flow gives us a number of advantages over passive timing-based correlation in resisting timing perturbations by the attacker. In contrast to existing passive correlation approaches, the proposed watermark-based correlation does not make any limiting assumptions about the distribution or random process of the original inter-packet timing of the packet flow. In theory, the watermark-based correlation can achieve arbitrarily close to 100% correlation true positive rate and arbitrarily close to 0% false positive rate at the same time for sufficiently long flows, despite arbitrarily large (but bounded) timing perturbations of any distribution by the attacker. This work is the first that identifies 1) accurate quantitative tradeoffs between the achievable correlation effectiveness and the defining characteristics of the timing perturbation; 2) a provable upper bound on the number of packets needed to achieve the desired correlation effectiveness, given the amount of timing perturbation.
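The following simulation is an added illustration of the idea in the abstract (active watermarking of inter-packet delays and detection under timing perturbation); it is not the author's code and does not reproduce the paper's exact construction. It uses a simplified scheme chosen for clarity: a secret key selects which inter-packet delays (IPDs) carry each watermark bit, each selected IPD is delayed to the centre of a quantization bin whose index parity equals the bit, and each bit is embedded redundantly in several IPDs and recovered by majority vote. The flow, the key, the quantization step `STEP`, the redundancy `REDUNDANCY`, the watermark length and the FIFO-delay perturbation model are all constructed assumptions. Because every adjusted IPD sits at a bin centre, any perturbation smaller than half the step in magnitude cannot change a single decoded bit; larger perturbations are absorbed by redundancy, which is the robustness-versus-packet-count tradeoff the abstract discusses.

```python
import math
import random

# Constructed parameters (illustrative, not from the paper): quantization step
# in seconds, number of IPDs per watermark bit, and watermark length.
STEP = 0.010         # 10 ms quantization step
REDUNDANCY = 7       # each bit is embedded in 7 key-selected IPDs
WATERMARK_BITS = 48


def make_flow(n_packets, mean_ipd, seed):
    """Constructed sample flow: packet timestamps with exponential IPDs."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(n_packets):
        times.append(t)
        t += rng.expovariate(1.0 / mean_ipd)
    return times


def to_ipds(times):
    return [b - a for a, b in zip(times, times[1:])]


def from_ipds(ipds, start=0.0):
    times = [start]
    for d in ipds:
        times.append(times[-1] + d)
    return times


def select_positions(key, n_ipds, n_bits, r):
    """Key-dependent choice of which IPDs carry which bit (r IPDs per bit).
    Without the key an observer does not know where the watermark lives."""
    rng = random.Random(key)
    chosen = rng.sample(range(n_ipds), n_bits * r)
    return [chosen[i * r:(i + 1) * r] for i in range(n_bits)]


def embed(times, key, watermark, s=STEP, r=REDUNDANCY):
    """Delay packets so each selected IPD lands at the centre of a quantization
    bin whose index parity equals the watermark bit. IPDs only ever grow: a
    watermarker on the path can delay packets but never speed them up."""
    ipds = to_ipds(times)
    for bit, positions in zip(watermark, select_positions(key, len(ipds), len(watermark), r)):
        for k in positions:
            bin_idx = math.floor(ipds[k] / s) + 1   # next bin up: delay is always positive
            if bin_idx % 2 != bit:
                bin_idx += 1
            ipds[k] = (bin_idx + 0.5) * s           # bin centre gives a +/- s/2 margin
    return from_ipds(ipds, times[0])


def decode(times, key, n_bits, s=STEP, r=REDUNDANCY):
    """Read the bin parity of each selected IPD and majority-vote per bit."""
    ipds = to_ipds(times)
    bits = []
    for positions in select_positions(key, len(ipds), n_bits, r):
        votes = sum(math.floor(ipds[k] / s) % 2 for k in positions)
        bits.append(1 if 2 * votes > len(positions) else 0)
    return bits


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def correlated(times, key, watermark, max_errors=4, s=STEP, r=REDUNDANCY):
    """Detection rule: the flow is declared correlated when the decoded bits
    are within max_errors of the watermark the detector is looking for."""
    return hamming(decode(times, key, len(watermark), s, r), watermark) <= max_errors


def perturb(times, max_delay, seed):
    """Constructed stepping-stone perturbation: each packet is held for a
    random delay in [0, max_delay] and forwarded FIFO, so order is preserved.
    The resulting error on any IPD is strictly smaller than max_delay."""
    rng = random.Random(seed)
    out, last = [], -math.inf
    for t in times:
        t2 = max(t + rng.uniform(0.0, max_delay), last)
        out.append(t2)
        last = t2
    return out


def run_demo():
    """Embed a constructed watermark and test detection under four conditions."""
    rng = random.Random(1)
    watermark = [rng.randint(0, 1) for _ in range(WATERMARK_BITS)]
    key = 0xC0FFEE                                  # constructed secret key
    flow = make_flow(2000, 0.050, seed=2)           # 2000 packets, 50 ms mean IPD
    marked = embed(flow, key, watermark)
    return {
        "no_perturbation": correlated(marked, key, watermark),
        "jitter_below_half_step": correlated(perturb(marked, 0.4 * STEP, 3), key, watermark),
        "jitter_0_7_step": correlated(perturb(marked, 0.7 * STEP, 4), key, watermark),
        "unwatermarked_flow": correlated(make_flow(2000, 0.050, seed=5), key, watermark),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:24s}: {result}")
```

The first three cases return `True` and the last `False`: the watermark survives perturbation while an unrelated flow of the same length decodes to roughly random bits and sits far from the watermark in Hamming distance. Raising `REDUNDANCY` buys tolerance to larger `max_delay` at the cost of more watermarked packets, which is the packet-count bound the abstract refers to.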







This work is licensed under a Creative Commons Attribution 3.0 License.