
Invisible Traceback in the Internet



Presentation Transcript


  1. Invisible Traceback in the Internet. Dong Xuan, Department of Computer Science and Engineering, The Ohio State University

  2. Traceback in the Real World • Animal traceback • Family traceback (figure: family tree with 李世民, 李立峰, 李亚南, 李勇, 李强, 李文, 李飞) • Mail traceback

  3. Traceback in the Internet • Trace the origin of a packet (or a message) • Trace illegal file distributors and downloaders • Trace two cyberspace criminals communicating with each other

  4. Invisible Traceback in the Internet • The investigator's traceback activity goes unnoticed by the suspects (e.g. illegal file downloaders and cyberspace criminals)

  5. Significance of Invisible Traceback • The Internet has become a breeding ground for a variety of crimes: virus distribution, credit card fraud, illegal downloading, cyber-terrorism • Traceback makes these crimes accountable

  6. Significance of Invisible Traceback (Cont'd) • Invisibility is critical; otherwise the criminals will simply stop communicating with each other, thereby evading further detection, and they may even develop countermeasures to fool or mislead investigators • Invisible traceback is an important network forensic technique for legal surveillance

  7. Challenges in Invisible Traceback • The nature of the Internet: large scale and loose control • Destination-oriented routing and forwarding: the source IP address is easily spoofed • No traffic recording at intermediate nodes

  8. Challenges in Invisible Traceback • The availability of anonymous systems (figure: a human spy network compared with anonymous communication, where Sender S passes a message to A, A to B, and B to Receiver R)

  9. Our Focus • Suspect Sender is sending traffic through an encrypted and anonymous channel; how can Investigator trace and confirm who the receiver is? (figure: Sender – Anonymous Channel – Receiver) • Wei Yu, Xinwen Fu, Steve Graham, Dong Xuan and Wei Zhao, "DSSS-Based Flow Marking Technique for Invisible Traceback", in Proc. of IEEE Symposium on Security and Privacy (Oakland), May 2007, pp. 18-32.

  10. Outline • Flow marking-based traceback technique • Prototyping • Turning into a real-world tool • Related work • Final remarks

  11. Intuitive Solution: Packet marking • Put some marks into packets (figure: Sender – Anonymous Network – Receiver) • However, packets are encrypted in anonymous systems, so a careless mark will break decryption • The mark is visible to the attacker

  12. Our Solution • Flow marking: change traffic flow rates • Traffic rate changes represent a "mark", i.e. a special secret code (figure: Sender – Anonymous Network – Receiver, with the Investigator's Interferer placed on the sender side of the anonymous channel and the Investigator's Sniffer on the receiver side) • Investigator knows that Sender communicates with Receiver!

  13. Key Differences between Packet Marking and Flow Marking • Packet marking: the mark is embedded in packets; packet content is changed; it is very difficult, if not impossible, to hide such changes when packets are encrypted • Flow marking: the mark is embedded in flow rate changes; no packet content is changed; it is feasible to hide flow rate changes in the Internet, where traffic is typically dynamic

  14. Questions to Flow Marking • A "small" question: how is a mark embedded into flow rate changes? • Two "big" questions: how to make the traffic rate changes "invisible"? how to make the traffic changes "robust" to burst traffic interference in the Internet?

  15. Embedding a Mark into Flow Rate Changes • The mark decides the flow rate changes (figure: a flow carrying the mark 1 1 1 -1 1 -1 -1) • The key to making flow rate changes "invisible" and "robust" is selecting an appropriate mark • Direct Sequence Spread Spectrum (DSSS)

  16. Basic Direct Sequence Spread Spectrum (DSSS) • A pseudo-noise (PN) code is used for spreading a signal and despreading the spread signal (figure: at the Interferer the original signal dt is spread with PN code ct into tb; tb crosses the noisy channel and arrives at the Sniffer as rb; despreading rb with the PN code cr yields the recovered signal dr)

  17. Example – Spreading and Despreading • Signal dt: 1 -1 • PN code (i.e. DSSS code) ct: 1 1 1 -1 1 -1 -1 • Spread signal tb = dt · ct = 1 1 1 -1 1 -1 -1 -1 -1 -1 1 -1 1 1 • One symbol is "represented" by 7 chips (chip duration Tc, symbol duration Nc·Tc) • The PN code is random and not visible in the time and frequency domains • tb is the mark! • Despreading is the reverse process of spreading (figure: time-domain plots of dt, ct and tb at ±1)

  18. Invisibility of Flow Marking • Marks show a white-noise-like pattern in both the time and frequency domains • Mark amplitude can be very small • Suspects don't know the code, so it is very difficult for them to recognize marks (figure: time-domain plots of dt, ct and tb at ±1)

  19. Accuracy of Flow Marking Recognition • The spread/despread processes make the mark immune to burst interference introduced by Internet background traffic (figure: time-domain plots of dt, ct and tb at ±1)

  20. A Prototype System (figure: Sender – Anonymous Network – Receiver; the Interferer runs a Signal Modulator and a Flow Modulator driven by a signal such as 1 -1; the Sniffer runs a Flow Demodulator and a Signal Demodulator that output the recovered signal)

  21. Embedding Signal into Traffic at Interferer • Choose a random signal of length n, e.g. (1 -1) • Signal modulator: obtain the spread signal from the signal and the PN code • Flow modulator: modulate a target traffic flow by appropriate interference; bit 1: without interference; bit -1: with interference (figure: Signal → Signal Modulator with PN code → spread signal 1 1 1 -1 1 -1 -1 -1 -1 -1 1 -1 1 1 → Flow Modulator → Internet, where the spread signal travels together with noise)

  22. Recovering Signal at Sniffer • Flow demodulator: sniff the target traffic; sample the target traffic to derive a traffic rate time series; use a high-pass filter, implemented with the Fast Fourier Transform (FFT), to remove the direct (DC) component • Signal demodulator: despread with the PN code; use a low-pass filter to remove high-frequency noise; output the recovered signal, e.g. (1 -1) • Decision rule: recovered signal == original signal? (figure: spread signal + noise → Flow Demodulator → High-pass Filter → Signal Demodulator with PN Code → Low-pass Filter → Decision Rule)
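The spreading step of slide 17 and the embed/recover pipeline of slides 21 and 22, simulated end to end as an added example (this is not the slides' code or the authors' prototype). It assumes a constructed rate series in packets per second, a constructed background-noise list with a two-chip burst, mean subtraction as a stand-in for the FFT high-pass filter, and no low-pass filter; the 7-chip PN code and the 2-bit signal are the ones on slide 17. The point it shows that the slides only state: a burst can flip individual chips, yet the 7-chip correlation still recovers every bit.

```python
"""DSSS flow-marking simulation (added example; rates and noise are constructed)."""

PN_CODE = [1, 1, 1, -1, 1, -1, -1]   # ct from slide 17, Nc = 7 chips
SIGNAL = [1, -1]                      # dt from slide 17, n = 2 bits

# Constructed "Internet" disturbance per chip: small jitter plus a burst of
# background traffic (+2.0 pkt/s) landing on chips 2 and 3 of the first symbol.
NOISE = [0.2, -0.3, 0.1, 0.2, -0.2, 0.3, -0.1,
         0.1, -0.2, 0.3, -0.3, 0.2, -0.1, 0.2]
BURST = {2: 2.0, 3: 2.0}


def spread(signal, pn_code):
    """Signal modulator: tb = dt . ct, one PN code copy per signal bit."""
    return [bit * chip for bit in signal for chip in pn_code]


def modulate_flow(base_rate, amplitude, chips):
    """Flow modulator (slide 21): a +1 chip leaves the target flow alone,
    a -1 chip is sent with interference that lowers its rate by `amplitude`."""
    return [base_rate if chip > 0 else base_rate - amplitude for chip in chips]


def observe(clean_rates):
    """What the sniffer samples: the marked flow plus background traffic."""
    return [rate + NOISE[i] + BURST.get(i, 0.0) for i, rate in enumerate(clean_rates)]


def remove_dc(rates):
    """Flow demodulator high-pass stage, simplified to mean subtraction
    (the slides use an FFT-based high-pass filter; this is a stand-in)."""
    mean = sum(rates) / len(rates)
    return [r - mean for r in rates]


def despread(residual, pn_code):
    """Signal demodulator: correlate each Nc-chip window with the PN code and
    decide by sign. Interference uncorrelated with the code tends to cancel
    over the window, so a symbol survives several corrupted chips."""
    nc = len(pn_code)
    bits = []
    for start in range(0, len(residual) - nc + 1, nc):
        window = residual[start:start + nc]
        corr = sum(r * p for r, p in zip(window, pn_code))
        bits.append(1 if corr >= 0 else -1)
    return bits


def chip_errors(residual, chips):
    """How many chips a naive per-chip sign decision gets wrong."""
    return sum(1 for r, c in zip(residual, chips) if (r >= 0) != (c > 0))


def run_demo(base_rate=10.0, amplitude=1.0):
    """Full pipeline: embed at the interferer, recover at the sniffer,
    then apply the slide-22 decision rule (recovered == original)."""
    chips = spread(SIGNAL, PN_CODE)
    sampled = observe(modulate_flow(base_rate, amplitude, chips))
    residual = remove_dc(sampled)
    recovered = despread(residual, PN_CODE)
    return {
        "chips": chips,
        "chip_errors": chip_errors(residual, chips),
        "recovered": recovered,
        "matched": recovered == SIGNAL,   # decision rule from slide 22
    }


if __name__ == "__main__":
    result = run_demo()
    print("spread mark tb   :", result["chips"])
    print("chip-level errors:", result["chip_errors"], "of", len(result["chips"]))
    print("recovered signal :", result["recovered"], "matched:", result["matched"])
```

With the constructed burst, 4 of the 14 chips come out with the wrong sign when judged individually, but both symbols correlate correctly (about +2.6 and -3.2 against a clean value of ±3.5), so the decision rule links the two flow ends. Shrinking `amplitude` toward the jitter level is the quickest way to see the accuracy/invisibility trade-off of slide 23.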

  23. Analytical Results • (1) 1-bit signal detection rate: the probability that we recognize one signal bit if we know when the signal appears, where erfc(.) is the complementary error function and Nc is the PN code length • (2) n-bit signal detection rate • (3) Signal to Noise Ratio (SNR): SNR influences accuracy as well as invisibility

  24. Real World Experiment Setup • The flow modulator at the interferer uses a denial of service attack in wired networks • Tor: a popular anonymous network on the Internet (http://www.torproject.org/)

  25. Evaluation Setup (figure: Sender, Interferer, Sniffer and Receiver in the testbed)

  26. Traceback Invisibility • Overlapping traffic rate curves for traffic without marks and with marks, in the time and frequency domains (figure)

  27. Traceback Accuracy (figure)

  28. Turning into a Real World Tool • Remaining issues: not totally invisible; not accurate for low-rate traffic; robustness • Applying it to different scenarios: one-to-one => group; orthogonal codes => parallel flow marking; wireless/wired networks

  29. Related Work • IP packet marking based traceback (UC Berkeley, Purdue Univ.) [1, 2]: routers on the path add their IP addresses to the packet, and the victim reads the path from the packet. Disadvantage: requires extra space in the packet and involvement of the network infrastructure • Packet inter-arrival time based traceback (North Carolina State Univ., George Mason Univ.) [3, 4]: adjusts packet inter-arrival times to convey information. Advantage: fewer packets. Disadvantage: sensitive to interference; needs more controlled network segments • Correlation based traceback (UT-Arlington, Univ. of Cambridge) [5, 6]: correlates traffic at different locations (passively or actively). Advantage: passive, with no interference with the target traffic (good secrecy). Disadvantage: needs a threshold to determine whether traffic at different locations is related

  30. Final Remarks • Invisible traceback is important but hard • We developed a novel traceback technique based on flow marking with spread spectrum • We prototyped a system based on this technique • Our technique has a high potential to be further developed into a real-world tool

  31. References [1] D. X. Song and A. Perrig, "Advanced and authenticated marking schemes for IP traceback", in Proc. of IEEE Infocom, 2001. [2] K. Park and H. Lee, "On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack", in Proc. of IEEE Infocom, 2001. [3] X. Wang, S. Chen, and S. Jajodia, "Tracking anonymous peer-to-peer VoIP calls on the Internet", in Proc. of the 12th ACM Conference on Computer and Communications Security (CCS), 2005. [4] P. Peng, P. Ning, and D. S. Reeves, "On the secrecy of timing-based active watermarking trace-back techniques", in Proc. of the IEEE Security and Privacy Symposium (S&P), 2006. [5] Y. Zhu, X. Fu, B. Graham, R. Bettati, and W. Zhao, "On flow correlation attacks and countermeasures in mix networks", in Proc. of Workshop on Privacy Enhancing Technologies (PET), 2004. [6] B. N. Levine, M. Reiter, C. Wang, and M. Wright, "Timing analysis in low-latency mix systems", in Proc. of the 8th International Conference on Financial Cryptography, 2004.

  32. Thank You! Questions?
