Tracing Intruders behind Stepping Stones

Show full item record

Title: Tracing Intruders behind Stepping Stones
Author: Wang, Xinyuan
Advisors: Dr. Douglas S. Reeves, Committee Chair
Dr. Peng Ning, Committee Member
Dr. George N. Rouskas, Committee Member
Dr. Gregory T. Byrd, Committee Member
Abstract: Network based intruders seldom attack directly from their own hosts but rather stage their attacks through intermediate 'stepping stones' to conceal their identity and origin. To track down and apprehend those perpetrators behind stepping stones, it is critically important to be able to correlate connections through stepping stones. Tracing intruders behind stepping stones and correlating intrusion connections through stepping stones are challenging due to various readily available evasive countermeasures by intruders: •Installing and using backdoor relays (i.e. netcat) at intermediate stepping stones to evade logging of normal logins. •Using different types of connections (i.e. TCP, UDP) at different portions of the connection chain through stepping stones to complicate connection matching. •Using encrypted connections (with different keys) across stepping stones to defeat any content based comparison. • Introducing timing perturbation at intermediate stepping stones to counteract timing based correlation of encrypted connections. In this dissertation, we address these challenges in detail and design solutions to them. For unencrypted intrusion connections through stepping stones, we design and implement a novel intrusion tracing framework called Sleepy Watermark Tracing (SWT), which applies principles of steganography and active networking. SWT is "sleepy" in that it does not introduce overhead when no intrusion is detected. Yet it is "active" in that when an intrusion is detected, the host under attack will inject a watermark into the backward connection of the intrusion, and wake up and collaborate with intermediate routers along the intrusion path. Our prototype shows that SWT can trace back to the trustworthy security gateway closest to the origin of the intrusion, with only a single packet from the intruder. With its unique active tracing, SWT can even trace when intrusion connections are idle. Encryption of connections through stepping stones defeats any content based correlation and makes correlation of intrusion connections more difficult. Based on inter-packet timing characteristics, we develop a novel correlation scheme of both encrypted and unencrypted connections. We show that (after some filtering) inter-packet delays (IPDs) of both encrypted and unencrypted, interactive connections are preserved across many router hops and stepping stones. The effectiveness of IPD based correlation requires that timing characteristics be distinctive enough to identify connections. We have found that normal interactive connections such as telnet, SSH and rlogin are almost always distinctive enough to provide correct correlation across stepping stones. The timing perturbation at intermediate stepping stones of packet flows poses additional challenge in correlating encrypted connections through stepping stones. The timing perturbation could either make unrelated flows have similar timing characteristics or make related flows exhibit different timing characteristics, which would either increase the false positive rate or decrease the true positive rate of timing-based correlation. To address this new challenge, we develop a novel watermark based correlation scheme that is designed to be specifically robust against such kinds of timing perturbation. The idea is to actively embed a unique watermark into the flow by slightly adjusting the timing of selected packets of the flow. If the embedded watermark is unique enough and robust enough against the timing perturbation by the adversary, the watermarked flow could be uniquely identified and thus effectively correlated. By utilizing redundancy techniques, we develop a robust watermark correlation framework that reveals a rather surprising result on the inherent limits of independent and identically distributed (iid) random timing perturbations over sufficiently long flows. We also identify the tradeoffs between the defining characteristics of the timing perturbation and the achievable correlation effectiveness. Our experiments show that our watermark based correlation performs significantly better than existing passive timing based correlation in the face of random timing perturbation. In this research, we learn some general lessons about tracing and correlating intrusion connections through stepping stones. Specifically, we demonstrate the significant advantages of active correlation approach over passive correlation approaches in the presence of active countermeasures. We also demonstrate that information hiding and redundancy techniques can be used to build highly effective intrusion tracing and correlation frameworks.
Date: 2005-08-06
Degree: PhD
Discipline: Computer Science

Files in this item

Files Size Format View
etd.pdf 1.021Mb PDF View/Open

This item appears in the following Collection(s)

Show full item record