Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones
Purchase on Springer.com
$29.95 / €24.95 / £19.95*
* Final gross prices may vary according to local VAT.
Network based intrusions have become a serious threat to the users of the Internet. Intruders who wish to attack computers attached to the Internet frequently conceal their identity by staging their attacks through intermediate “stepping stones”. This makes tracing the source of the attack substantially more difficult, particularly if the attack traffic is encrypted. In this paper, we address the problem of tracing encrypted connections through stepping stones. The incoming and outgoing connections through a stepping stone must be correlated to accomplish this. We propose a novel correlation scheme based on inter-packet timing characteristics of both encrypted and unencrypted connections. We show that (after some filtering) inter-packet delays (IPDs) of both encrypted and unencrypted, interactive connections are preserved across many router hops and stepping stones. The effectiveness of this method for correlation purposes also requires that timing characteristics be distinctive enough to identify connections. We have found that normal interactive connections such as telnet, SSH and rlogin are almost always distinctive enough to provide correct correlation across stepping stones. The number of packets needed to correctly correlate two connections is also an important metric, and is shown to be quite modest for this method.
- M. H. DeGroot. Probability and Statistics. Addison-Wesley, 1989.
- H. Jung, et al. Caller Identification System in the Internet Environment. In Proceedings of 4th USENIX Security Symposium, 1993.
- S. Kent, R. Atkinson. Security Architecture for the Internet Protocol. IETF RFC 2401, September 1998.
- S. C. Lee and C. Shields. Tracing the Source of Network Attack: A Technical, Legal and Social Problem. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, June 2000.
- NLANR Trace Archive. http://pma.nlanr.net/Traces/long/.
- OpenSSH. http://www.openssh.com.
- D. Schnackenberg. Dynamic Cooperating Boundary Controllers. http://www.darpa.mil/ito/Summaries97/E2950.html, Boeing Defense and Space Group, March 1998.
- S. Snapp, et all. DID S (Distributed Intrusion Detection System)-Motivation, Architecture and Early Prototype. In Proceedings of 14th National Computer Security Conference, 1991.
- S. Staniford-Chen, L. T. Heberlein. Holding Intruders Accountable on the Internet. In Proceedings of IEEE Symposium on Security and Privacy, 1995.
- W.R. Stevens. TCP/IP Illustrated, Volume 1: The Protocol. Addison-Wesley, 1994.
- X.Y. Wang, D.S. Reeves, S.F. Wu and J. Yuill. Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework. In Proceedings of 16th International Conference on Information Security (IFIP/Sec’01), June, 2001.
- K. Yoda and H. Etoh. Finding a Connection Chain for Tracing Intruders. In F. Guppens, Y. Deswarte, D. Gollmann and M. Waidner, editors, 6th European Symposium on Research in Computer Security-ESORICS 2000 LNCS-1895, Toulouse, France, October 2000.
- Y. Zhang and V. Paxson. Detecting Stepping Stones. In Proceedings of 9th USENIX Security Symposium, 2000.
- Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones
- Book Title
- Computer Security — ESORICS 2002
- Book Subtitle
- 7th European Symposium on Research in Computer Security Zurich, Switzerland, October 14–16, 2002 Proceedings
- pp 244-263
- Print ISBN
- Online ISBN
- Series Title
- Lecture Notes in Computer Science
- Series Volume
- Series ISSN
- Springer Berlin Heidelberg
- Copyright Holder
- Springer-Verlag Berlin Heidelberg
- Additional Links
- Industry Sectors
- eBook Packages
- Editor Affiliations
- 4. Microsoft Research
- 5. IBM Zurich Research Lab
- Author Affiliations
- 6. Department of Computer Science, USA
- 7. Department of Electrical and Computer Engineering, North Carolina State University, USA
- 8. Department of Computer Science, University of California at Davis, USA
To view the rest of this content please follow the download PDF link above.