Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones
Network based intrusions have become a serious threat to the users of the Internet. Intruders who wish to attack computers attached to the Internet frequently conceal their identity by staging their attacks through intermediate “stepping stones”. This makes tracing the source of the attack substantially more difficult, particularly if the attack traffic is encrypted. In this paper, we address the problem of tracing encrypted connections through stepping stones. The incoming and outgoing connections through a stepping stone must be correlated to accomplish this. We propose a novel correlation scheme based on inter-packet timing characteristics of both encrypted and unencrypted connections. We show that (after some filtering) inter-packet delays (IPDs) of both encrypted and unencrypted, interactive connections are preserved across many router hops and stepping stones. The effectiveness of this method for correlation purposes also requires that timing characteristics be distinctive enough to identify connections. We have found that normal interactive connections such as telnet, SSH and rlogin are almost always distinctive enough to provide correct correlation across stepping stones. The number of packets needed to correctly correlate two connections is also an important metric, and is shown to be quite modest for this method.
Unable to display preview. Download preview PDF.
- M. H. DeGroot. Probability and Statistics. Addison-Wesley, 1989.Google Scholar
- H. Jung, et al. Caller Identification System in the Internet Environment. In Proceedings of 4th USENIX Security Symposium, 1993.Google Scholar
- S. Kent, R. Atkinson. Security Architecture for the Internet Protocol. IETF RFC 2401, September 1998.Google Scholar
- S. C. Lee and C. Shields. Tracing the Source of Network Attack: A Technical, Legal and Social Problem. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, June 2000.Google Scholar
- NLANR Trace Archive. http://pma.nlanr.net/Traces/long/.
- OpenSSH. http://www.openssh.com.
- D. Schnackenberg. Dynamic Cooperating Boundary Controllers. http://www.darpa.mil/ito/Summaries97/E2950.html, Boeing Defense and Space Group, March 1998.
- S. Snapp, et all. DID S (Distributed Intrusion Detection System)-Motivation, Architecture and Early Prototype. In Proceedings of 14th National Computer Security Conference, 1991.Google Scholar
- S. Staniford-Chen, L. T. Heberlein. Holding Intruders Accountable on the Internet. In Proceedings of IEEE Symposium on Security and Privacy, 1995.Google Scholar
- W.R. Stevens. TCP/IP Illustrated, Volume 1: The Protocol. Addison-Wesley, 1994.Google Scholar
- X.Y. Wang, D.S. Reeves, S.F. Wu and J. Yuill. Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework. In Proceedings of 16th International Conference on Information Security (IFIP/Sec’01), June, 2001.Google Scholar
- K. Yoda and H. Etoh. Finding a Connection Chain for Tracing Intruders. In F. Guppens, Y. Deswarte, D. Gollmann and M. Waidner, editors, 6th European Symposium on Research in Computer Security-ESORICS 2000 LNCS-1895, Toulouse, France, October 2000.Google Scholar
- Y. Zhang and V. Paxson. Detecting Stepping Stones. In Proceedings of 9th USENIX Security Symposium, 2000.Google Scholar