Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay

Donoho, David L.; Flesia, Ana Georgina; Shankar, Umesh; Paxson, Vern; Coit, Jason; Staniford, Stuart

doi:10.1007/3-540-36084-0_2

Cited by 130 publications

(132 citation statements)

References 5 publications

Supporting

Mentioning

131

Contrasting

Order By: Relevance

“…In fact, this approach is passive traffic analysis, which has extensively been studied in the literature [3,9,25]. Unfortunately, this approach may result in high rates of false detection, especially when the evaluated flows are cross-correlated.…”

Section: Alternative Designsmentioning

confidence: 99%

“…Early traffic analysis schemes [5,9,20,24,26,28] work in a passive manner, i.e., they record the communication characteristics of incoming flows and correlate them with that of the observed outgoing flows. The right place to do this is often at the border router of an enterprise, so the overhead of this technique is the space used to store the stream characteristics long enough to check against correlated relayed streams, and the CPU time needed to perform the correlations.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

The Need for Flow Fingerprints to Link Correlated Network Flows

Houmansadr

Borisov

2013

Privacy Enhancing Technologies

View full text Add to dashboard Cite

Abstract. Linking network flows is an important problem in the detection of stepping stone attacks as well as in compromising anonymity systems. Traffic analysis is an effective tool for linking flows, which works by correlating their communication patterns, e.g., their packet timings. To improve scalability and performance of this process, recent proposals suggest to perform traffic analysis in an active manner by injecting invisible tags into the traffic patterns of network flows; this approach is commonly known as flow watermarking. In this paper, we study an under-explored type of active traffic analysis that we call it flow fingerprinting. Information theoretically, flow watermarking aims at conveying a single bit of information whereas flow fingerprinting tries to reliably send multiple bits of information, hence it is a more challenging problem. Such additional bits help a fingerprinter deliver extra information in addition to the existence of the tag, such as the network origin of the flow and the identity of the fingerprinting entity. In this paper, we introduce and formulate the flow fingerprinting problem and contrast its application scenarios from that of the well-studied flow watermarking. We suggest the use of coding theory to build fingerprinting schemes based on the existing watermarks. In particular, we design a non-blind fingerprint, Fancy, and evaluate its performance. We show that Fancy can reliably fingerprint millions of network flows by tagging only as few as tens of packets from each flow.

show abstract

Section: Alternative Designsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

The Need for Flow Fingerprints to Link Correlated Network Flows

Houmansadr

Borisov

2013

Privacy Enhancing Technologies

View full text Add to dashboard Cite

show abstract

“…There are a few results on detecting encrypted, perturbed steppingstone connections; see [2,7,8]. The key assumption of these approaches is that there is a limit on the attacker's ability to alter the traffic.…”

Section: Related Workmentioning

confidence: 99%

“…The key assumption of these approaches is that there is a limit on the attacker's ability to alter the traffic. Specifically, in [2] it is assumed that there is a maximum tolerable delay for attacking packets, in [7] the attacker's timing perturbation is independent and identically distributed across packets, and in [8] there are constraints not only on the maximum delay, but also on the maximum number of packets that can be sent during the delay. From an algorithmic point of view, Blum, Song and Venkataraman [8] develop the first detection algorithms which require provable (polynomial) sample sizes to achieve certain false alarm probabilities.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Detecting Encrypted Interactive Stepping-Stone Connections

Tong

2006 IEEE International Conference on Acoustics Speed and Signal Processing Proceedings

View full text Add to dashboard Cite

Network intruders often hide their identities by sending attacks through a chain of compromised hosts that are used as "stepping stones". The difficulty in defending against such attacks lies in detecting stepping-stone connections at the compromised hosts. In this paper, to distinguish normal from attacking connections, we consider strategies that do not depend on the content of the traffic so that they are applicable to encrypted traffic. We propose a low complexity detection algorithm that has no miss detection and an exponentially-decaying false alarm probability. A sequential strategy is then developed to reduce the required number of testing packets.

show abstract

Attack Traceback and Attribution

Guan

Zhang

2008

Wiley Handbook of Science and Technology for Homeland Security

View full text Add to dashboard Cite

Traceback and attribution are performed during or after cyber violations and attacks to identify where an attack originated; how it propagated; and what computer(s) and person(s) were responsible. The goal of traceback capabilities is to determine the path from a victimized network or system through any intermediate systems and communication pathways, back to the point of attack origination. In some cases, the computers launching an attack may themselves be compromised hosts being controlled remotely from a system one or more levels further removed from the system under attack. Attribution is the process of determining the identity of the source of a cyber attack. Types of attribution can include both digital identity (computer, user account, Internet Protocol (IP) address, or enabling software) and physical identity (the actual person using the computer from which an attack originated).

show abstract

Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay

Cited by 130 publications

References 5 publications

The Need for Flow Fingerprints to Link Correlated Network Flows

The Need for Flow Fingerprints to Link Correlated Network Flows

Detecting Encrypted Interactive Stepping-Stone Connections

Attack Traceback and Attribution

Contact Info

Product

Resources

About