Your SlideShare is downloading. ×
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply



Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. M. Deepika, G. Om Sai Prashant / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 6, November- December 2012, pp.925-930 Active Watermark-Based Correlation Scheme for Identifying Source of Attack in Presence of Timing Perturbations M. Deepika, G. Om Sai Prashant Associate Professor Aurora Technological and Research Institute Andhra Pradesh, India. Aurora Technological and Research Institute Hyderabad Andhra Pradesh, IndiaABSTRACT Intruders have changed their mode of attacks. The intermediary nodes, as they believe,operandi in breaking security of IT systems. Of hide the identity of original attacker. This makes itlate they are using different strategies making difficult to identify the source of attack as the attackattacks successfully. One of their strategies is to is made through intermediary nodes by evenattack systems though some intermediary nodes spoofing IP source address of attack traffic. IPin the network instead of making attacks from traceback is the method to identify source of attacktheir own machine. This helps them in hiding in such cases as described in [1] and [2]. Astheir identity. Such attacks can be identified by discussed earlier, the attackers take countermeasuresverifying and correlating incoming and outgoing to IP traceback by making network – basednetwork flows that come through intermediary intrusions through intermediary nodes. This isnodes used in routing the attacks. The problem achieved by attacker by using some remote loginwith this approach lies in the fact that attackers programs like SSH or Telnet and perform attacksmay intentionally alter such flow by disguising it from remote machines in the network. The IPand fooling the detection systems. The existing traceback method being employed in the industry istiming based correlation approaches to solve this not adequate to reach the actual source of attack asproblem are inadequate when attackers the intermediary nodes stand in between.intentionally introduce timing perturbations. From the literature it is understood that theThis paper introduces a new correlation prior works in this area were based on the loginapproach based on watermarking which is activities of the tracking user at various hosts [3],proved to be robust to address such problems. [4]. This has limitations as it fails to reach the actualThis is achieved by timing of some packets source of attack when there are manipulations in theselectively and embedding watermark in to the middle. Later researchers focused on the process ofencrypted flows. This approach is active and can comparing payloads or packets of all theresist timing perturbations done by attackers. connections that are to be correlated [5], [6]. TheseThe empirical results reveal that our approach is are effective but suffer from limitations such asalmost close to providing 100% true positives. inability to accurately finding the source of attack. To overcome these limitations, some researchersIndex Terms – Network intrusion detection, [7], [8], [9] have focused on the features ortiming correlation, network flows, intermediary characteristics of connections for the purpose ofnodes, and timing perturbations. comparing and correlating encrypted connections. Timing based correlations suffer from the drawbackINTRODUCTION that the adversaries may be able to perturb the The information systems in the real world timing based correlations intentionally. Addressinghave been victims of network based attacks. This is this problem is challenging as the encrypted trafficsthe cause of concern though there are many security are subjected to time based perturbations.mechanisms in place to prevent such attacks. As To overcome the drawback of the timingsecurity mechanisms grow in robustness in based correlations, this paper introduces an efficientaddressing many possible attacks, the attackers are correlation scheme that is provide to be robust toalso changing their strategies in making attacks such attacks. The proposed scheme is watermark –successfully. This has become every growing based which is active in nature. This means that itproblem that needs continuous attention and need to dynamically embeds watermark into encryptedhave on going research efforts. When attack is flows. This is performed by slightly adjusting themade, it is very essential to have the ability to trace timing of selected packets. Out approach also needsand identify the source of attack. When attackers significantly less number of packets to achieve this.conceal their identity by not making attacks from This is in contrast to the existing passive timingtheir machine directly, it is challenging to find the correlation schemes. The experimental results revealsource of attack. Obviously attackers over network the fact that our approach is close to 100% trueare using some intermediary nodes to execute their positives. 925 | P a g e
  • 2. M. Deepika, G. Om Sai Prashant / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 6, November- December 2012, pp.925-930RELATED WORK analysis causes false positives to be increased. When attacks are made through However, the true positives are increased withintermediary nodes by intruders it is very timing – perturbed flows usage. The limitations ofchallenging to establish the source of attack timing perturbations is studied in [8]. However, theyaccurately. This section provides insights into the did not address these problems in their paper. Inliterature in which many existing works on similar [10] and [7] other positive timing based correlationlines are reviewed. The existing solutions pertaining methods came into existing and they consider falseto connection correlation such as CIS [3], SWT [6], positives and true positives at a time. They tend toThumbprinting [5], and DIDS [4] were developed derive both lower and upper bounds on the numberbased on certain features or characteristics. They of packets required to achieve false positive rate andinclude inter-packet timing characteristics, host 100% rate of true positives. The work of thoseactivity and connection content such as packet papers could not provide any experimentalpayload. The main drawback of these solutions is evidences. He et al. [11] and Zhang et al. [12] of latethat the host activity related data collected from proposed many timing based correlation methodsintermediary node which is intended to find the based on the assumptions used in [7] and theirsource of attack is not trustworthy. This is because approach has been proved to be better. However,the attack is expected to have full control over all they are using passive timing based approach.intermediary nodesand his node it is possible for Information theoretic game is explored in [13].attacker to manipulate the traffic to conceal him Their analysis is based on the packet reorderingfrom being traced. As the attacker has logged into channels. Watermark based correlation is studied inremote intermediary machines through remote login [10] recently and provided a statistical method inprograms such as SSH and Telnet he has gained order to detect the presence of watermark in packetaccess to the resources of the intermediary nodes. flow. Their method has some assumptions such asThe drawback of content based correlation having access to flows containing watermark and noapproaches is that they assume that the payload of watermark. Overall, the existing approaches arepackets is not changed across the intermediary passive in measuring the possibility of timingnodes. As encryption of such content can be made perturbations done by intruders. The existingby attacker, these approaches are suitable only for approaches fail to cope with when intruders useunencrypted connections. Other approaches such as timing perturbations in encrypted connections. Totiming based approaches passively monitor overcome this problem, this paper proposed anincoming and outgoing traffic and correlate the active timing based correlation approach withoutflows. The main drawback of these approaches is any assumptions, without any usage of randomthat the attacker can perform timing based process , robust and requires very less packets whenperturbations to deceive the detection systems. compared to passive approaches for ensuring theTherefore these systems tend to fail in this case. same level of accuracy in finding the source of The first generation of correlation attack and showing close to 100% true positives.approaches that are timing – based were veryeffective. They were able to correlate encrypted OVERVIEW OF OUR APPROCHconnections and establish the actual source of attack The proposed watermarking-basedsuccessfully and accurately. However, in the later correlation approach is aware of bidirectionalstages, the intruders changed the way they make communication nature of remote login programsattacks. They started using encrypted connections such as SSH or Telnet. This is because when attacksand also perform timing perturbations. Thus these are made by adversaries trough intermediary nodesfirst generation correlation approaches became and by making use of remote login programs, it isineffective hence they are vulnerable when attackers essential to trace it back from the victim node to theuse active timing perturbations. In [8] Donoho et al. attacker’s actual machine. Figure 1 shows outline offirst of all identified the limits of the attackers on the proposed model. As can be seen in the figure,performing active timing perturbations and injection between attacker and intended victim or targetof bogus packets. They showed that correlation machines, there lay a set of intermediary nodesbased long time behavior is possible in spite of named H1, H2, and H3. These are considered fortiming perturbations from attackers. According to illustrative purpose only. There might be n numberthem this can be achieved by using multiple of intermediary nodes between the source andtimescale analysis techniques. However, in [8] they destination. The attacker here does not make ancould not provide information on tradeoffs between attempt to execute attacks directly on the target.the scale of timing perturbation and the required Instead, by using remote login programs such aslevel of correlation effectiveness and the packets Telnet, SSH, etc. he will execute the attacks throughneeded. Other issue that could not be addressed by intermediary programs and machines. This makes[8] is the jitter used by intruders. the security personnel at target machine to establish Due to the drawbacks in first generation the source of attack accurately.timing based correlation techniques, the coarse scale 926 | P a g e
  • 3. M. Deepika, G. Om Sai Prashant / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 6, November- December 2012, pp.925-930Attacker H1 S1 S2 S3 1 3 Embed watermarkFig. 1 – Outline of watermark tracing model As can be seen in the proposed model infig. 1, there are network sensors named S1, S2, and EXPERIMENTAL RESULTS3. These sensors are responsible to monitor the Analysis of Watermark Delectabilitynetwork flows and also involved in preventing Watermark detection is a process ofdisguised attacks from the adversaries. When attack checking whether the given watermark is embeddedis made by intruder, before it reaches final target in flows. The proposed watermark detector followedmachine, the proposed watermarking – based steps described here. Decode l-bit from given flow;scheme will watermark the backward traffic and compare the decoded l-bit (wf) with w; if theinform the fact to all sensors that are employed in Hamming distance between wf and w indicate thethe network. Afterwards, the sensors monitor the decoded l-bits report that watermark is detected.traffic and inform the target machines about anyoccurrence of watermark in the traffic flows. The 30sensors are deployed at strategic places such as edgerouter, firewall and gateway that are part of the 25 Expectnetwork. The traffic that comes backward from the edattack node back to actual source, the backwardtraffic which has been watermarked by the target’s 20 Detecti Probabilitysecurity framework, it can’t be controlled by onadversary. The attacker has no access to un- 15watermarked version of traffic. This very reason Expectmakes it difficult for the adversary to know the 10 edpackets that are delayed. To follow any distribution Collisomechanism to be effective the correlation method n 5proposed here does not require the random timingperturbation provided by the attackers. Only oneassumption made in this paper pertaining to timing 0perturbations. 1 2 3 4 5 6 7 8 9 10 11 Hamming DistancePROPOSED WATERMARK BITEMBEDDING AND DECODINGAs intruders can perform timing based perturbations Fig. 2 – Effect of threshold on detection andto encrypted flows, the watermark embedding is collision rates of watermarking method As can be seen in fig. 2, the derived probabilitydone at target machine. First of all IPD is quantizedusing the function. distribution is plotted in Y axis while the Hammingq (ipd,s)=round (ipd/s), distance in X axis for the expected detection andThen the embedding process is done using the collision rates.functionE(ipd,w,s) = [q (ipd + s/2,s) +∆] X s,In accordance with the above function, thewatermark-bit-decoding is done as follows. d(ipdw,s) = d (ipdw,s) mod 2. 927 | P a g e
  • 4. M. Deepika, G. Om Sai Prashant / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 6, November- December 2012, pp.925-930 200 As can be seen in fig. 5, the measured watermark 180 correlation true positives under a variety of self Origin similar perturbations are presented. It is evident that 160 al the bounded self – similar perturbation gives rise to 140 Packet Timing Packe much higher true positive rates. 120 t Flow 120 100 Pertur Expec 80 100 ted bed 60 IPDW True Positive (%) Packe 80 MCor 40 t Flow r TP 20 60 0 IPDW 1 3 5 7 9 11 13 15 40 MCor Packet Number r 20 (FS2) TP Fig. 3 – Difference between original and perturbed packet flow 0 As can be seen in fig. 3, it is evident that when 1 2 3 4 5 6 7 8 9 10 11 timing based perturbation is employed, there is difference between the original packet flow and Max Batch-Releasing Perturbation (ms) perturbed packet flow. Fig. 6 – Correlation true positive rates (Batch 120 releasing, random timing perturbations) As can be seen in fig. 6, the measured 100 watermark correlation true positives under batch IPDCorr releasing timing perturbations are presented. TheTrue Positive (%) 80 TP measured true positive rates are close to the expected values. This indicates that our approach is 60 effective. 9 Flo 40 IPDWM 8 w- Corr W 20 (FS1) TP 7 Collision Rate M 6 FP 0 5 W 1 2 Uniform Perturbation 8 9 4 M- Max 3 4 5 6 7 (ms) 3 Flo w 2 FP Fig. 4 – True positive rates of correlation 1 Exp As can be seen in fig. 4, under uniformly distributed 0 ect random timing perturbations, correlation true ed positives are visualized. It shows IPD based 2 3 4 5 6 7 8 FP correlation and also watermark based correlation on Hamming Distance Threshold h FS1 and FS2 under various levels of uniformly distributed random timing perturbations. IPDW Fig. 7 – Correlation false positive rates vs. 120 MCorr hamming distance True Positive Rate (%) 100 (FS1) As seen in fig. 7, the false positive rates are TP shown for various hamming distance thresholds 80 with fixed length 24 bit watermarks. Average of 100 60 separate experiments is presented in the figure. IPDW 40 MCorr 20 (FS1- Int) TP 0 Max 2 3 4 5 6 7 8 (ms) 1 Self-Similar Perturbation 9 Fig. 5 – Correlation of true positive rates (Max self-similar perturbation) 928 | P a g e
  • 5. M. Deepika, G. Om Sai Prashant / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 6, November- December 2012, pp.925-930 6 100 FS1 WM Detectio WM Detection Rate (%) 5 Flo 80 n Rate w- FS1-Int 4 Collision Rate W 60 WM M Detectio FP 3 40 n Rate W FS2 WM Detectio 2 M- Flo 20 n Rate w 1 FP 0 0 Exp Hamming 3 4 threshold 7 1 2 distance 5 6 h ect 1 2 3 4 5 6 7 ed FP Fig. 10 - Watermark detection rate with Watermark Bit Number l hamming distance threshold hFig. 8 - Correlation false positive rates vs. 100 FS1 WMwatermark bits 90 Detectio n Rate As seen in fig. 8, the false positive rates are 80 WM Detection Rate (%)shown for various watermark lengths with a fixed FS1-Int 70 WMhamming distance length 5. Average of 100 separate Detectioexperiments is presented in the figure. Figures 9, 10 60 n Rateand 11 are to present experimental results pertaining 50 FS2 WMto watermark detection rate tradeoffs with Detectioredundancy number m, hamming distance threshold 40 n Rateh and number of watermark bits l respectively. The 30 Expectedresults are average of 100 experiments for the WMmeasured watermark detection rates of FS1 and 20 DetectioFS1-Int. In case of watermark detection rates of FS2 n Rate 10average of 10 experiments is used. They are part ofthe proposed quantitative tradeoff models. 0 120 1 2 3 4 5 6 7 FS1 WM Watermark Bit Number l 100 Detecti WM Detection Rate (%) on Fig. 11 - Watermark detection rate with number Rate of watermark bits 80 FS1-Int 60 WM CONCLUSION AND FUTURE WORK Detecti Accurate identification of source of attack on is a challenging problem when attackers make use 40 Rate of intermediary nodes to exercise their attacks. This FS2 is especially true when the traffic of attack is 20 WM encrypted and the timing is altered by the attackers. Detecti on The passive timing based correlation techniques are 0 Rate not effective for this reason. In this paper, we 1 2 3 4 5 6 presented a new active timing based correlation approach that can effectively handle random timing Numeber of Redudant IPDs m perturbations. The proposed scheme embeds unique watermark into inter-packet timing in such a wayFig. 9 – Watermark detection rate with that the encrypted flows are correlated and it isredundancy number m robust to random timing perturbations employed by intruders. The experimental results reveal the fact that the proposed approach results in close to 100% true positives and 0% false positives. When compared with passive correlation approaches our 929 | P a g e
  • 6. M. Deepika, G. Om Sai Prashant / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 2, Issue 6, November- December 2012, pp.925-930approach has many advantages including no 2000), LNCS-1895, pages 191–assumptions are required about original inter-packet 205.Springer-Verlag, October 2002.timing and flow; very less packets are required. [10] X. Wang and D. Reeves. RobustFurther research can be made in the area of flow Correlation of Encrypted Attackwatermarking to make it more robust and works Trafficthrough Stepping Stones bywith even fewer packets. Manipulation of Interpacket Delays. InProceedings of the 10th ACMREFERENCES Conference on Computer and [1] M. T. Goodrich. Efficient packet marking CommunicationsSecurity (CCS 2003), for large-scale ip traceback.In Proceedings pages 20–29. ACM, October 2003. of the 9th ACM Conference on Computer [11] T. He and L. Tong, Detecting Encrypted and CommunicationsSecurity (CCS 2002), Stepping-Stone Connections.In IEEE pages 117–126. ACM, October 2002. Transactions on Signal Processing, 55(5), [2] J. Li, M. Sung, J. Xu and L. Li. Large Scale pages 1612-1623,2006. IP Traceback in High-Speed Internet: [12] L. Zhang, A. G. Persaud, A. Johnson, and Practical Techniques and Theoretical Y. Guan.Detectionof Stepping Stone Foundation. InProceedings of the 2004 Attack under Delay and Chaff IEEE Symposium on Security and Perturbations. InProceedings of the 25th Privacy,IEEE, 2004. IEEE International Performance [3] H. Jung. et al. Caller Identification System Computingand Communications in the Internet Environment.In Proceedings Conference (IPCCC 2006), April 2006. of the 4th USENIX Security Symposium, [13] R. C. Chakinala, A. Kumarasubramanian, USENIX, 1993. R. Manokaran, G. Noubir, C. Pandu [4] S. Snapp. et al. DIDS (Distributed Intrusion Rangan, and R. Sundaram.Steganographic Detection System) -Motivation, Communication in Ordered Channels.In Architecture, and Early Prototype. In Proceedings of the 8th Information Proceedings of the14th National Computer HidingInternational Conference (IH 2006), Security Conference, pages 167–176, 1991. 2006. [5] S. Staniford-Chen and L. Heberlein.Holding Intruders Accountable onthe Internet. In Proceedings of the 1995 AUTHORS IEEE Symposium on Securityand Privacy, pages 39–49. IEEE, 1995. [6] X. Wang, D. Reeves, S. F. Wu, and J. Yuill. Sleepy WatermarkTracing: An Active Network-Based Intrusion Response Framework. InProceedings of the 16th M.Deepika is Associate Professor in Aurora Internatinal Conference on Information Security(IFIP/Sec 2001), pages 369–384. Technological amd Research Institute, Hyderabad, Kluwer Academic Publishers, June2001. AP, INDIA. She has received B.Tech Degree [7] A. Blum, D. Song, and S. Venkataraman. Information Technology, M.Tech Degree in Detection of Interactive Stepping Stones: computer science and engineering. Her main Algorithms and Confidence Bounds. In research interest includes data mining. Cloud Proceedingsof the 7th International computing. Symposium on Recent Advances in IntrusionDetection (RAID 2004). Springer, October 2004. [8] D. Donoho. et al. Multiscale Stepping Stone Detection: Detecting Pairsof Jittered Interactive Streams by Exploiting G. Om Sai Prashant is student Maximum Tolerable Delay.In Proceedings of Aurora Technological amd Research Institute, of the 5th International Symposium on Hyderabad, AP, INDIA. He has received B.Tech Recent Advancesin Intrusion Detection Degree in Information Technology, M.Tech Degree (RAID 2002): LNCS-2516, pages 17–35. in Web Technologies. His main research interest Springer,October 2002. includes data mining. Cloud computing. [9] K. Yoda and H. Etoh.Finding a Connection Chain for TracingIntruders. In Proceedings of the 6th European Symposium on Researchin Computer Security (ESORICS 930 | P a g e