Journal: Dependable and Secure Computing, IEEE Transactions on

Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Flow Watermarking


Abstract

Network-based intruders seldom attack their victims directly from their own computer. Often, they stage their attacks through intermediate "stepping stones" in order to conceal their identity and origin. To identify the source of the attack behind the stepping stone(s), it is necessary to correlate the incoming and outgoing flows or connections of a stepping stone. To resist attempts at correlation, the attacker may encrypt or otherwise manipulate the connection traffic. Timing-based correlation approaches have been shown to be quite effective in correlating encrypted connections. However, timing-based correlation approaches are subject to timing perturbations that may be deliberately introduced by the attacker at stepping stones. In this paper, we propose a novel watermark-based-correlation scheme that is designed specifically to be robust against timing perturbations. Unlike most previous timing-based correlation approaches, our watermark-based approach is "active" in that it embeds a unique watermark into the encrypted flows by slightly adjusting the timing of selected packets. The unique watermark that is embedded in the encrypted flow gives us a number of advantages over passive timing-based correlation in resisting timing perturbations by the attacker. In contrast to the existing passive correlation approaches, our active watermark-based correlation does not make any limiting assumptions about the distribution or random process of the original interpacket timing of the packet flow. In theory, our watermark-based correlation can achieve arbitrarily close to 100 percent correlation true positive rate (TPR), and arbitrarily close to 0 percent false positive rate (FPR) at the same time for sufficiently long flows, despite arbitrarily large (but bounded) timing perturbations of any distribution by the attacker. Our paper is the first that identifies 1) accurate quantitative tradeoffs between the achievable correlation effectiveness and the defining characteristics of the timing perturbation; and 2) a provable upper bound on the number of packets needed to achieve a desired correlation effectiveness, given the amount of timing perturbation. Experimental results show that our active watermark-based correlation performs better and requires fewer packets than existing, passive timing-based correlation methods in the presence of random timing perturbations.