The Need for Flow Fingerprints to Link Correlated Network Flows

  • Amir Houmansadr
  • Nikita Borisov
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7981)


Linking network flows is an important problem in the detection of stepping stone attacks as well as in compromising anonymity systems. Traffic analysis is an effective tool for linking flows, which works by correlating their communication patterns, e.g., their packet timings. To improve scalability and performance of this process, recent proposals suggest to perform traffic analysis in an active manner by injecting invisible tags into the traffic patterns of network flows; this approach is commonly known as flow watermarking. In this paper, we study an under-explored type of active traffic analysis that we call it flow fingerprinting. Information theoretically, flow watermarking aims at conveying a single bit of information whereas flow fingerprinting tries to reliably send multiple bits of information, hence it is a more challenging problem. Such additional bits help a fingerprinter deliver extra information in addition to the existence of the tag, such as the network origin of the flow and the identity of the fingerprinting entity. In this paper, we introduce and formulate the flow fingerprinting problem and contrast its application scenarios from that of the well-studied flow watermarking. We suggest the use of coding theory to build fingerprinting schemes based on the existing watermarks. In particular, we design a non-blind fingerprint, Fancy, and evaluate its performance. We show that Fancy can reliably fingerprint millions of network flows by tagging only as few as tens of packets from each flow.


Flow fingerprinting traffic analysis linear codes network security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bavier, A., Bowman, M., Chun, B., Culler, D., Karlin, S., Muir, S., Peterson, L., Roscoe, T., Spalink, T., Wawrzoniak, M.: Operating Systems Support for Planetary-Scale Network Services. In: NSDI (2004)Google Scholar
  2. 2.
    Benedetto, S., Biglieri, E.: Principles of Digital Transmission: With Wireless Applications. Information Technology: Transmission, Processing, and Storage. Kluwer Academic/Plenum Press (1999)Google Scholar
  3. 3.
    Blum, A., Song, D., Venkataraman, S.: Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 258–277. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  4. 4.
    The coded modulation library (cml),
  5. 5.
    Danezis, G.: The Traffic Analysis of Continuous-Time Mixes. In: PETS (2004)Google Scholar
  6. 6.
    Dingledine, R., Mathewson, N.: Tor Protocol Specification,;hb=HEAD;f=tor-spec.txt
  7. 7.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. In: USENIX Security Symposium (2004)Google Scholar
  8. 8.
    Dolinar, S., Divsalar, D., Pollara, F.: Code Performance as a Function of Block Size. Technical report, TMO Progress (1998)Google Scholar
  9. 9.
    Donoho, D.L., Flesia, A.G., Shankar, U., Paxson, V., Coit, J., Staniford, S.: Multiscale Stepping-stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 17–35. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Houmansadr, A., Borisov, N.: SWIRL: A Scalable Watermark to Detect Correlated Network Flows. In: NDSS (2011)Google Scholar
  11. 11.
    Houmansadr, A., Borisov, N.: Towards Improving Network Flow Watermarks using the Repeat-accumulate Codes. In: ICASSP (2011)Google Scholar
  12. 12.
    Houmansadr, A., Kiyavash, N., Borisov, N.: Multi-Flow Attack Resistant Watermarks for Network Flows. In: ICASSP (2009)Google Scholar
  13. 13.
    Houmansadr, A., Kiyavash, N., Borisov, N.: RAINBOW: A Robust And Invisible Non-Blind Watermark for Network Flows. In: NDSS (2009)Google Scholar
  14. 14.
    Houmansadr, A., Kiyavash, N., Borisov, N.: Non-blind Watermarking of Network Flows. CRR, arXiv:1203.2273v1 (2012)Google Scholar
  15. 15.
    Kiyavash, N., Houmansadr, A., Borisov, N.: Multi-Flow Attacks Against Network Flow Watermarking Schemes. In: USENIX Security Symposium (2008)Google Scholar
  16. 16.
    Lin, Z., Hopper, N.: New Attacks on Timing-based Network Flow Watermarks. In: USENIX Security (2012)Google Scholar
  17. 17.
    Ling, Z., Luo, J., Yu, W., Fu, X., Xuan, D., Jia, W.: A New Cell Counter Based Attack Against Tor. In: CCS, New York, USA (2009)Google Scholar
  18. 18.
    Mackay, D.J.C.: Information Theory, Inference and Learning Algorithms, 1st edn. Cambridge University Press (June 2003)Google Scholar
  19. 19.
    Pyun, Y., Park, Y., Wang, X., Reeves, D.S., Ning, P.: Tracing Traffic through Intermediate Hosts that Repacketize Flows. In: INFOCOM (2007)Google Scholar
  20. 20.
    Staniford-Chen, S., Heberlein, L.T.: Holding Intruders Accountable on the Internet. In: IEEE S&P (1995)Google Scholar
  21. 21.
    van Lint, J.H.: Introduction to Coding Theory, 3rd edn. Springer, Berlin (1998)Google Scholar
  22. 22.
    Wang, X., Chen, S., Jajodia, S.: Tracking Anonymous Peer-to-peer VoIP Calls on the Internet. In: CCS (2005)Google Scholar
  23. 23.
    Wang, X., Chen, S., Jajodia, S.: Network Flow Watermarking Attack on Low-Latency Anonymous Communication Systems. In: IEEE S&P (2007)Google Scholar
  24. 24.
    Wang, X., Reeves, D.S., Wu, S.F.: Inter-Packet Delay Based Correlation for Tracing Encrypted Connections Through Stepping Stones. In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, pp. 244–263. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  25. 25.
    Wang, X., Reeves, D.S.: Robust Correlation of Encrypted Attack Traffic Through Stepping Stones by Manipulation of Interpacket Delays. In: CCS (2003)Google Scholar
  26. 26.
    Yoda, K., Etoh, H.: Finding a Connection Chain for Tracing Intruders. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 191–205. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  27. 27.
    Yu, W., Fu, X., Graham, S., Xuan, D., Zhao, W.: DSSS-Based Flow Marking Technique for Invisible Traceback. In: IEEE S&P (2007)Google Scholar
  28. 28.
    Zhang, Y., Paxson, V.: Detecting Stepping Stones. In: USENIX Security Symposium (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Amir Houmansadr
    • 1
  • Nikita Borisov
    • 2
  1. 1.The University of Texas at AustinUSA
  2. 2.University of Illinois at Urbana-ChampaignUSA

Personalised recommendations