active timing based correlation of perturbed traffic
play

Active Timing-Based Correlation of Perturbed Traffic Flows with - PowerPoint PPT Presentation

Oct 16, 2023 •250 likes •460 views

Computer Science Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets Pai Peng, Peng Ning, Douglas Reeves North Carolina State Univ. Xinyuan Wang George Mason Univ. 1 Attack Through Stepping Stones Telnet/ Attack

  1. Computer Science Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets Pai Peng, Peng Ning, Douglas Reeves North Carolina State Univ. Xinyuan Wang George Mason Univ. 1

  2. Attack Through Stepping Stones Telnet/ Attack Telnet/ Telnet/ Attack SSH SSH SSH Attacker Stepping Stepping Victim Victim Attacker Stepping Stone Stone Stone Chain of Stepping Stones Computer Science 2

  3. Attack Trace-back • Stepping stone connection chain: – h 1 ↔ h 2 ↔ … ↔ h n • Stepping stone flows : – h 1 ↔ h 2 : h 1 → h 2 and h 2 ← h 1 – i < j, h i → h i+1 is called an upstream flow of h j → h j+1 , and h j → h j+1 is called a downstream flow of h i → h i+1 • Trace back problem: – Given an upstream flow, to identify its downstream flows. Computer Science 3

  4. Attack Trace-back (cont’d) • Countermeasures: – Content encryption – Timing perturbations – Extra padding packets: Chaff Computer Science 4

  5. Related Work • Correlation based on packet contents – Thumb-printing – Sleepy watermark tracing • Correlation based on timing characteristics – On/off periods – Deviation based – Watermark scheme based on Inter-packet delay (IPD) quantization – Multi-scale – Comparing the numbers of packets in the flows Computer Science 5

  6. Related Work (cont’d) • Probabilistic watermark scheme – Embed watermark through slightly adjusting packet timing – Inter-packet-delay (IPD) of packet p j and p j+d is: ipd = t j+d – t j – Randomly construct 2r IPDs and divide them into 2 groups: ipd 1 and ipd 2 , the average difference between IPDs in group 1 and 2 is: – E(D) = 0 Computer Science 6

  7. Probabilistic Watermarking (cont’d) Computer Science 7

  8. Probabilistic Watermarking (cont’d) • Embed watermark – Embed bit 1: increase D • Increase IPDs in the 1 st group, and • Decrease IPDs in the 2 nd group. – Embed bit 0: decrease D • Decode watermark – Check whether D > 0 or D <= 0 • Robust to timing perturbation, but not chaff – Must known the location of watermark Computer Science 8

  9. Related Work (cont’d) • Zhang et al.: – Finding possible matching packets – Different correlation schemes aiming at timing perturbation or/and chaff packets • Scheme S-IV Computer Science 9

  10. Proposed Approach • Adopt probabilistic watermarking – Encode is ok, need to change decode • Basic idea: – Find possible matching packets – Decode watermarks from all possible matching flows. – Use the “best” watermark that has the smallest hamming distance to the original watermark to determine correlation result. – Can detect any flow that probabilistic watermark scheme can. • Assumptions: – No packet loss/merge through stepping stone connections. – The delays between corresponding packets are bounded by a maximum delay Δ ( timing constraint ). – The orders of packets are kept the same ( order constraint ). Computer Science 10

  11. Matching Packets • For each packet p i in the upstream flow f , we find all its possible matching packets in the suspicious flow f’ : – Matching set: M( p i ) = { p j ’ | 0 <= t j ’ – t i <= Δ } – Matching sets may overlap Computer Science 11

  12. Decoding the “Best” Watermark • Brute-force algorithm – high computation cost • Greedy algorithm : choose the packets that are most likely to produce the desired watermark. – Pros: • Low computation costs • Good detection rate – Cons: • High false positive rate Computer Science 12

  13. Decoding the “Best” Watermark (cont’d) • Use Greedy algorithm to filter out the watermark bits that will not match. • Carefully construct a flow satisfying the order constraint, and decode a watermark w b . • Gradually improve w b by switching to other matching packets – Greedy+ : using heuristics • Adjust the watermark bit that has the smallest IPD difference D first • Cannot affect the bits that are already matched – Greedy* : enumerate all possible combinations of matching packets Computer Science 13

  14. Experimental Evaluation • Compare the detection rates, false positive rates and computation costs of Greedy, Greedy+, Greedy*, probabilistic watermarking, and scheme S-IV. • Using both real flows and synthetic flows. Computer Science 14

  15. Detection Rate Computer Science 15

  16. False Positive Rate Computer Science 16

  17. Computation Cost: Correlated Flows Computer Science 17

  18. Computation Cost: Uncorrelated Flows Computer Science 18

  19. Conclusion • A correlation scheme that can deal with both timing perturbation and chaff packets • Different algorithms to achieve the best performance in terms of detection rate, false positive rate and computation cost. • Through experimental evaluation, Greedy+ has shown the best result. Computer Science 19

  20. Thank you! • Questions? Computer Science 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Timing and Bandwidth Issues in Active Measurement or Physical Constraints on Active Probing

Timing and Bandwidth Issues in Active Measurement or Physical Constraints on Active Probing

Timing and Bandwidth Issues in Active Measurement or Physical Constraints on Active Probing MICRO-TUTORIAL ISMA 2003 Bandwidth Estimation Workshop (BEst) Darryl Veitch Essentials of Active Measurement Tap Tap

240 views • 7 slides
Measurement of Timing Error Detection Performance of Software-based Error Detection Mechanisms

Measurement of Timing Error Detection Performance of Software-based Error Detection Mechanisms

Measurement of Timing Error Detection Performance of Software-based Error Detection Mechanisms and Its Correlation with Simulation Yutaka Masuda, Masanori Hashimoto, Takao Onoye Dept. of Information Systems Eng., Osaka University

376 views • 18 slides
Automatic Failure Diagnosis Support in Distributed Large-Scale Software Systems based on Timing

Automatic Failure Diagnosis Support in Distributed Large-Scale Software Systems based on Timing

Automatic Failure Diagnosis Support in Distributed Large-Scale Software Systems based on Timing Behavior Anomaly Correlation Presentation at 13th European Conference on Software Maintenance and Reengineering Nina Marwede 1 , Matthias Rohr 1 ,

439 views • 42 slides
Linear Solvers for Singularly Perturbed Problems Numerical Analysis for Singularly Perturbed

Linear Solvers for Singularly Perturbed Problems Numerical Analysis for Singularly Perturbed

Linear Solvers for Singularly Perturbed Problems Numerical Analysis for Singularly Perturbed Problems (dedicated to the 60 th birthday of Martin Stynes) 16 th 18 th Nov, 2011 Niall Madden, NUI Galway Joint work with Scott MacLachlan, Tufts

661 views • 39 slides
Notice Correlation and Covert-Timing Channels Michael Dopheide &amp; Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide &amp; Ross Gegan BroCon ESnet

Notice Correlation and Covert-Timing Channels Michael Dopheide &amp; Ross Gegan BroCon ESnet Austin, TX Lawrence Berkeley National Laboratory Sept, 13, 2016 Table of Contents Introduction Something Important Part 1: Multi-Notice

862 views • 52 slides
Correlation Course Title Correlation Correlation coe ffi cient between -1 and 1 Sign

Correlation Course Title Correlation Correlation coe ffi cient between -1 and 1 Sign

CORRELATION AND REGRESSION Correlation Course Title Correlation Correlation coe ffi cient between -1 and 1 Sign &gt; direction Magnitude &gt; strength Correlation and Regression Near perfect correlation Correlation and

929 views • 35 slides
1 Outline Introduction to WMSNs Spatial correlation for visual information in WMSNs

1 Outline Introduction to WMSNs Spatial correlation for visual information in WMSNs

1 Outline Introduction to WMSNs Spatial correlation for visual information in WMSNs Correlation function Entropy-based analytical framework Correlation and coding efficiency Correlation-aware routing protocol design

677 views • 28 slides
STATE PROJECT 0171-0421 CRCOG COMPUTERIZED TRAFFIC SIGNAL SYSTEM (CTSS) TIMING PLAN

STATE PROJECT 0171-0421 CRCOG COMPUTERIZED TRAFFIC SIGNAL SYSTEM (CTSS) TIMING PLAN

STATE PROJECT 0171-0421 CRCOG COMPUTERIZED TRAFFIC SIGNAL SYSTEM (CTSS) TIMING PLAN EVALUATION Evaluate timing plans (Cycle-Split-Offset) and daily schedules for State owned CTSS in CRCOG area. Initiated in response to &quot;Urban

558 views • 9 slides
Quantifying the Regularity of Perturbed Triangular Lattices using CoV-Based Metrics for Modeling

Quantifying the Regularity of Perturbed Triangular Lattices using CoV-Based Metrics for Modeling

Quantifying the Regularity of Perturbed Triangular Lattices using CoV-Based Metrics for Modeling the Locations of Base Stations in HetNets By: Faraj Lagum, Sebastian S. Szyszkowicz and Halim Yanikomeroglu Email: {faraj.lagum, sz,

550 views • 17 slides
Webinar: Active Traffic Management (ATM) Implementation and Operations Guidance October 17,

Webinar: Active Traffic Management (ATM) Implementation and Operations Guidance October 17,

The Future of Transportation - 2010 APWA Annual Congress and Exposition Webinar: Active Traffic Management (ATM) Implementation and Operations Guidance October 17, 2017 Agenda Housekeeping Introductions Overview of Active Transportation

1k views • 86 slides
Comparing Object Correlation Metrics for Effective Space Traffic Management Julie Zhang -

Comparing Object Correlation Metrics for Effective Space Traffic Management Julie Zhang -

Comparing Object Correlation Metrics for Effective Space Traffic Management Julie Zhang - University of Washington With Theodore Faust, Adam Quinn Jaffe, and Marvin Pe na Institute of Pure and Applied Mathematics, University of California,

962 views • 60 slides
City of Torontos Congestion &amp; Active Traffic Management February 15, 2017 Congestion

City of Torontos Congestion &amp; Active Traffic Management February 15, 2017 Congestion

Lucas Oleniuk / Toronto Star City of Torontos Congestion &amp; Active Traffic Management February 15, 2017 Congestion Management Plan (CMP) Objectives: Improve traffic flow Improve safety Improve management of traffic

428 views • 27 slides
TIMING RESOLUTION OF ACTIVE GANGING OF 48 SiPMs ESTEBAN CRISTALDO JORGE MOLINA Laboratorio de

TIMING RESOLUTION OF ACTIVE GANGING OF 48 SiPMs ESTEBAN CRISTALDO JORGE MOLINA Laboratorio de

TIMING RESOLUTION OF ACTIVE GANGING OF 48 SiPMs ESTEBAN CRISTALDO JORGE MOLINA Laboratorio de Mecnica y Energa (LME) Facultad de Ingeniera de la Universidad Nacional de Asuncin (FIUNA) Brief description I will present the

542 views • 20 slides
A Spectral Approach Towards Analyzing Air Traffic Network Disruptions (Li et al., ATM2019) Two

A Spectral Approach Towards Analyzing Air Traffic Network Disruptions (Li et al., ATM2019) Two

A Spectral Approach Towards Analyzing Air Traffic Network Disruptions (Li et al., ATM2019) Two knowledge gaps: high delay high delay correlation correlation How do we distinguish BOS delays: 90 min BOS delays: 10 min unexpected spatial

357 views • 3 slides
Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification, Measurement, and Analysis and Analysis ISC/CAIDA Data Collaboration Workshop October 22, 2012 David Plonka &amp; Paul Barford

1.33k views • 26 slides
Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC

Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC

Clean Air Parents Network Webinar 21 st July 2020 Low Traffic Neighbourhoods WHY LOW TRAFFIC NEIGHBOURHOODS? Part of the response to the damage motor traffic causes road casualties, air quality, community, public health and active

257 views • 13 slides
HALF YEAR RESULTS TO SEPTEMBER 2014 26 NOVEMBER 2014 www.londonmetric.com AGENDA HIGHLIGHTS

HALF YEAR RESULTS TO SEPTEMBER 2014 26 NOVEMBER 2014 www.londonmetric.com AGENDA HIGHLIGHTS

HALF YEAR RESULTS TO SEPTEMBER 2014 26 NOVEMBER 2014 www.londonmetric.com AGENDA HIGHLIGHTS STRATEGY FINANCIAL RESULTS INVESTMENT ACTIVITY ASSET MANAGEMENT ACTIVITY OUTLOOK Q&amp;A 2 FINANCIAL HIGHLIGHTS H1 H1 FY 2014/15 2013/14

965 views • 49 slides
Results for the year ended 31 March 2014 Investing in the future of primary care property

Results for the year ended 31 March 2014 Investing in the future of primary care property

Results for the year ended 31 March 2014 Investing in the future of primary care property Introduction Graham Roberts Investing in the future of primary care property A year of significant achievement Major transaction completed Trinity

766 views • 60 slides
Liability Claims Against Architects, Engineers and Construction Design Professionals Navigating

Liability Claims Against Architects, Engineers and Construction Design Professionals Navigating

Presenting a live 90-minute webinar with interactive Q&amp;A Liability Claims Against Architects, Engineers and Construction Design Professionals Navigating Evolving Theories of Liability and Defenses, Minimizing Risk Through Contract Provisions

1.23k views • 108 slides
State of Design-Build in the San Diego Community College District Presented to Design-Build

State of Design-Build in the San Diego Community College District Presented to Design-Build

SAN DIEGO COMMUNITY COLLEGE DISTRICT State of Design-Build in the San Diego Community College District Presented to Design-Build Institute of America - Western Pacific Region Thursday, December 1, 2011 SDCCD Propositions S and N Overview

596 views • 13 slides
Contents About RapidSMS Tools needed to use RapidSMS Challenges Rationale Next Steps Use in

Contents About RapidSMS Tools needed to use RapidSMS Challenges Rationale Next Steps Use in

7/ 15/ 2010 Contents About RapidSMS Tools needed to use RapidSMS Challenges Rationale Next Steps Use in the Nigerian Health Sector: Future Vision Hands-on/ Practica l Sessions Experience with LLIN Campaign Use of RapidSMS Register

547 views • 7 slides
Nitrosamines in sartans: A scandal or an unfortunate incident? Thurloch OCriodain QP Forum 23

Nitrosamines in sartans: A scandal or an unfortunate incident? Thurloch OCriodain QP Forum 23

Nitrosamines in sartans: A scandal or an unfortunate incident? Thurloch OCriodain QP Forum 23 rd April 2020 TOC Consulting 23/04/2020 1 Disclaimer The issues and actions presented here are specific to the company and manufacturing

341 views • 33 slides
1 Acknowledgments For specific content in Additional Collaborators these slides

1 Acknowledgments For specific content in Additional Collaborators these slides

Architectures and Algorithms for Internet-Scale (P2P) Data Management Joe Hellerstein Intel Research &amp; UC Berkeley Powerpoint Compatibility Note This file was generated using MS PowerPoint 2004 for Mac. It may not display correctly in

869 views • 58 slides
b ANSA AS A PRE-PROCESSOR FOR LS-OPT BETA OPTIMIZATION APPLICATIONS CAE Systems SA Georgios

b ANSA AS A PRE-PROCESSOR FOR LS-OPT BETA OPTIMIZATION APPLICATIONS CAE Systems SA Georgios

b ANSA AS A PRE-PROCESSOR FOR LS-OPT BETA OPTIMIZATION APPLICATIONS CAE Systems SA Georgios Korbetis DYNAmore Optimization Week - June 2 - 6, 2008 - Stuttgart, Germany Summary Problem Definition Optimization Run Morphing

523 views • 40 slides

More recommend