
Existing Approaches in Traceback

  • Xinyuan Wang
  • Douglas Reeves
Chapter
Part of the SpringerBriefs in Computer Science book series (BRIEFSCOMPUTER)

Abstract

Based on the source of the tracing or correlation information, traceback and correlation approaches can be divided into two categories: host-based and network-based. Host-based approaches rely on information collected at the hosts that are used as stepping stones, such as user login activity, the arrival of new incoming connections and the initiation of new connections to other hosts. Network-based approaches instead use characteristics of the network connections themselves, exploiting the property that the essence, or semantics, of a connection's application-level content is invariant across stepping stones, even when the bytes on the wire differ from one hop to the next.
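The two families described above, as an added illustrative example that is not code from the chapter: a host-based chain built from login and outgoing-connection records on the relay, and a network-based check that correlates an incoming and an outgoing flow on inter-packet delay alone, the timing side of the invariance the abstract points to, which survives re-encryption at the relay. All hosts, users, timestamps and the simplified Pearson-correlation test are constructed assumptions of this example, not the chapter's algorithm; the `out_shaped` flow shows the failure mode that timing perturbation at the relay creates for such a naive check.

```python
"""Added example: the two families of stepping-stone correlation on one relay host.

Host-based: link each outgoing connection to the login session that was active
on the relay when it was opened.  Network-based: compare an incoming and an
outgoing flow on packet timing alone, so encryption of the content at the
relay does not matter.  All hosts, users and timestamps below are constructed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass
class LoginSession:
    src: str     # where the incoming connection came from
    user: str    # account used on the relay
    start: float
    end: float


@dataclass
class OutgoingConn:
    user: str    # account that opened the connection on the relay
    dst: str
    start: float


def host_based_chain(sessions, outgoing):
    """Return (upstream src, relay user, downstream dst) triples for every
    outgoing connection opened inside a session of the same user."""
    links = []
    for conn in outgoing:
        for s in sessions:
            if s.user == conn.user and s.start <= conn.start <= s.end:
                links.append((s.src, conn.user, conn.dst))
                break
    return links


def ipds(timestamps):
    """Inter-packet delays of a flow given its packet timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def ipd_correlation(in_ts, out_ts):
    """Pearson correlation of the two flows' IPD sequences, truncated to the
    shorter one.  A flow re-timed to a fixed schedule has zero IPD variance
    and is reported as 0.0: timing perturbation at the relay defeats this
    naive check, which is why more robust variants are studied."""
    x, y = ipds(in_ts), ipds(out_ts)
    n = min(len(x), len(y))
    x, y = x[:n], y[:n]
    if n < 2:
        return 0.0
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def find_relayed_flows(incoming_ts, outgoing_flows, threshold=0.9):
    """Names of outgoing flows whose timing matches the incoming flow."""
    return [name for name, ts in outgoing_flows.items()
            if ipd_correlation(incoming_ts, ts) >= threshold]


# Constructed records from the relay (hypothetical hosts and users).
SESSIONS = [
    LoginSession("10.0.0.5", "alice", 100.0, 400.0),
    LoginSession("10.0.0.9", "bob", 150.0, 200.0),
]
OUTGOING = [
    OutgoingConn("alice", "192.0.2.10", 120.0),   # inside alice's session
    OutgoingConn("bob", "192.0.2.11", 300.0),     # bob already logged out
    OutgoingConn("alice", "192.0.2.12", 500.0),   # after alice's session ended
]

# Constructed packet timestamps (seconds).  Interactive keystroke traffic is
# bursty; the relayed copy keeps that burstiness shifted by ~50 ms of delay.
INCOMING = [0.00, 0.35, 0.41, 1.20, 1.28, 2.90, 3.05, 3.06, 4.50]
OUTGOING_FLOWS = {
    "out_to_victim": [0.051, 0.403, 0.462, 1.249, 1.331, 2.953, 3.102, 3.111, 4.551],
    "out_unrelated": [0.10, 0.90, 1.00, 1.70, 2.50, 2.60, 3.40, 3.90, 4.20],
    "out_shaped":    [0.50, 1.00, 1.50, 2.00, 2.50, 3.00, 3.50, 4.00, 4.50],  # re-timed
}

if __name__ == "__main__":
    print("host-based chains:", host_based_chain(SESSIONS, OUTGOING))
    for name, ts in OUTGOING_FLOWS.items():
        print(f"{name}: r = {ipd_correlation(INCOMING, ts):.3f}")
    print("relayed:", find_relayed_flows(INCOMING, OUTGOING_FLOWS))
```

Running the block links only alice's in-session connection in the host-based view, and only `out_to_victim` in the network-based view; the unrelated flow correlates negatively and the re-timed flow scores 0.0, which is the case the host-based records still catch when the network-based check does not.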

Keywords

Intrusion Detection, Stepping Stone, Based Correlation, Incoming Connection, Timing Perturbation
These keywords were added by machine and not by the authors.


Copyright information

© The Author(s) 2015

Authors and Affiliations

  • Xinyuan Wang (1)
  • Douglas Reeves (2)
  1. Department of Computer Science, George Mason University, Fairfax, USA
  2. Department of Computer Science, North Carolina State University, Raleigh, USA
