Active Timing Based Techniques for Attack Attribution through Stepping Stones

Show full item record

Title: Active Timing Based Techniques for Attack Attribution through Stepping Stones
Author: Peng, Pai
Advisors: Dr. Peng Ning, Committee Chair
Dr. Douglas S. Reeves, Committee Member
Dr. S. Purushothaman Iyer, Committee Member
Dr. Ting Yu, Committee Member
Abstract: The purpose of the research is to study the active timing based techniques used for attack attribution through stepping stone computers, where attackers sequentially connect through multiple intermediate hosts to hide their traces. The difficulties of tracing back such attacks come from not only the normal operations of networks and stepping stones, but also the intentional interference of the attackers. Encryption, repacketization, timing perturbation, and meaningless chaff packets could all significantly affect attribution result. In this thesis, I have investigated multiple research problems related to the active timing based attack attribution. First, I present a correlation scheme that can successfully identify stepping stone connections even if both chaff packets and timing perturbations are introduced by attackers simultaneously. In this scheme, we enhance the existing active watermark schemes and focus on identifying the possible corresponding packets in the flows to be correlated. We develop a series of algorithms to effectively and efficiently decode the embedded watermarks when chaff packets are inserted, and use theoretical analysis and experimental evaluation to validate these algorithms. We also investigate how our correlation scheme can be used to deal with the countermeasure when stepping stone connections are split and then merged, and propose an approach to mitigate the problem of packet loss and retransmission. Next, I present the research on the secrecy issues of the quantization based watermark scheme. We propose an attacking approach based on analyzing the one-way packet transit delays between adjacent stepping stones. Our attack contains several techniques that can infer important watermark parameters and remove/duplicate the embedded watermarks. These techniques enable an attacker to defeat the watermarking system in certain cases by removing watermarks from the stepping stone connections, or replicating watermarks to non-stepping stone connections. We have also developed techniques to detect in realtime whether a stepping stone connection is being watermarked for trace-back purpose. Experiments using real-world data are performed and the results demonstrate that for the quantization based watermark scheme, (1) embedded watermarks can be successfully recovered and duplicated when the watermark parameters are not chosen carefully, and (2) the watermark existence in a network flow can be quickly detected. Third, I present the research result on the secrecy of the probabilistic watermark scheme. Following the ideas of analyzing the quantization based watermark scheme, we propose attacks that can detect the watermark existence, recovery important watermark parameters, and remove/duplicate watermark to effectively defeat the watermark scheme. We also investigate the problem of realtime watermark recovery and removal, and propose an online attacking algorithm. Experiments are then conducted to validate our analysis. Finally, I investigate the secrecy issues of the interval based watermark scheme and propose several security enhancements to deter possible timing analysis attacks. I demonstrate that the interval based scheme is not robust against several attacks we construct, which can quickly detect watermark existence, recover watermark parameters and defeat the watermark scheme. Through experiment, we validate that the improved scheme with security enhancements will significantly increase the resistance to all of these severe attacks.
Date: 2006-08-22
Degree: PhD
Discipline: Computer Science
URI: http://www.lib.ncsu.edu/resolver/1840.16/4166


Files in this item

Files Size Format View
etd.pdf 1.003Mb PDF View/Open

This item appears in the following Collection(s)

Show full item record