SpringerBriefs in Computer Science
Xinyuan Wang
Douglas Reeves
Traceback and Anonymity
Series Editors
Stan Zdonik
Shashi Shekhar
Jonathan Katz
Xindong Wu
Lakhmi C. Jain
David Padua
Xuemin (Sherman) Shen
Borko Furht
V.S. Subrahmanian
Martial Hebert
Katsushi Ikeuchi
Bruno Siciliano
Sushil Jajodia
Newton Lee
More information about this series at http://www.springer.com/series/10028
Xinyuan Wang
Department of Computer Science
George Mason University
Fairfax, VA, USA

Douglas Reeves
Department of Computer Science
North Carolina State University
Raleigh, NC, USA

ISSN 2191-5768    ISSN 2191-5776 (electronic)
SpringerBriefs in Computer Science
ISBN 978-1-4939-3439-3    ISBN 978-1-4939-3441-6 (eBook)
DOI 10.1007/978-1-4939-3441-6
Library of Congress Control Number: 2015953645
Springer New York Heidelberg Dordrecht London
© The Author(s) 2015
Contents
1 Introduction ... 1
2 The Traceback Problem ... 5
  2.1 Network-Based Attack ... 5
  2.2 Overall Traceback Model ... 8
    2.2.1 Correlation Problem Solution Model ... 10
  2.3 Evaluation Criteria of Traceback ... 11
3 Existing Approaches in Traceback ... 15
  3.1 Classification of Traceback Approaches ... 15
  3.2 Traceback of Unencrypted Attack Traffic ... 16
    3.2.1 Distributed Intrusion Detection System (DIDS) ... 16
    3.2.2 Caller Identification System (CIS) ... 17
    3.2.3 Thumbprinting ... 17
    3.2.4 Intrusion Detection and Isolation Protocol (IDIP) ... 17
    3.2.5 Session Token Protocol (STOP) ... 18
    3.2.6 Sleepy Watermark Tracing (SWT) ... 19
  3.3 Traceback of Encrypted Attack Traffic ... 19
    3.3.1 ON/OFF Based Approach ... 19
    3.3.2 Deviation Based Approach ... 20
    3.3.3 IPD-Based Approach ... 20
  3.4 Tracing and Correlating Encrypted Connections with Timing Perturbation ... 20
    3.4.1 Wavelet Based Approach ... 21
  3.5 Summary of Existing Traceback Approaches ... 21
4 Active Timing Based Traceback ... 23
  4.1 Overall Flow Watermark Tracing Model ... 24
  4.2 Quantization Based Flow Watermarking ... 25
    4.2.1 Watermarking Model and Concept ... 25
    4.2.2 Basic Watermark Bit Encoding and Decoding ... 26
    4.2.3 Maximum Tolerable Perturbation ... 29
    4.2.4 Encoding a Single Watermark Bit Over the Average of Multiple IPDs ... 30
    4.2.5 Analysis of Watermark Decoding in the Presence of Timing Perturbations ... 31
    4.2.6 Optimality Analysis ... 38
  4.3 Probabilistic Flow Watermarking ... 40
    4.3.1 Basic Concept and Notion ... 41
    4.3.2 Encoding and Decoding a Binary Bit Probabilistically ... 42
    4.3.3 Advantages Over Quantization Based Flow Watermarking ... 45
  4.4 Countermeasures Against Active Timing Based Traceback ... 47
5 Anonymity ... 49
  5.1 The Concept of Anonymity ... 49
  5.2 Ways to Achieve Anonymity and Unobservability ... 50
    5.2.1 MIX and MIX Network ... 51
    5.2.2 Dining Cryptographer Network and Anonymous Buses ... 52
  5.3 Proposed Anonymity Systems ... 53
    5.3.1 High-Latency Anonymity Systems ... 53
    5.3.2 Low-Latency Anonymity Systems ... 54
  5.4 Interaction Between Traceback and Anonymity ... 55
6 Fundamental Limitations in Low-Latency Anonymity Systems ... 57
  6.1 Limitations of Low-Latency Anonymity Systems Against Passive Adversary ... 57
  6.2 Limitations of Low-Latency Anonymity Systems Against Active Adversary ... 58
    6.2.1 Time Interval and Centroid of Time Interval ... 59
    6.2.2 Random Grouping of Time Intervals ... 60
    6.2.3 Interval Centroid Based Watermark Encoding and Decoding ... 62
    6.2.4 Watermark Decoding Error Probability Analysis ... 64
  6.3 Fundamental Limitations of Adding Chaff and Cover Traffic ... 69
  6.4 Fundamental Limitation of Timing Perturbation ... 70
    6.4.1 Minimum Brute Force Perturbation Needed to Completely Remove Watermark ... 70
    6.4.2 Real-Time Constraints and Their Implications to the Adversary ... 72
7 Conclusion ... 75
  7.1 Summary ... 75
  7.2 Open Problems and Future Works ... 76
References ... 77
Chapter 1
Introduction
Cyber attack has become a top threat to our society. With more than one billion hosts [2] connected to the Internet, our society is becoming increasingly dependent on the Internet. Perpetrators now have plenty of choices of potential targets, and they can attack the chosen Internet hosts from virtually anywhere in the world and cause damage to the victims.
For example, NASA has been under repeated attacks in the past few years, and its Jet Propulsion Lab has been found compromised [43]. In the recent data breach attack on Target, 40 million customers' credit and debit card information was stolen. In the recent cyber attack on Home Depot, 56 million shoppers' credit card information was compromised. A recent survey [62] showed that "the annual average cost per company of successful cyber attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries."
In certain cases, cyber attacks can even put the victim out of business. In June 2011, attackers compromised the information system of the Dutch certificate authority DigiNotar and generated over 500 fraudulent security certificates for high-profile Web sites such as Google, Facebook, Twitter, Microsoft and Skype. Such forged certificates could be used to impersonate Web sites and intercept user information. A few months later, DigiNotar filed for bankruptcy after the news broke about the security breach [40].
Besides financial motivations, cyber attacks such as hacktivism can be politically motivated. For example, it has been reported [41] that hackers have targeted bankers' personal data as a way to support the "Occupy Wall Street" movement. McAfee predicted [42] that there will be more such hacktivism in 2012.
One major contributor to this growing threat of network-based attacks is the lack of attack attribution. Unlike telephone systems, the Internet was never designed for tracking and tracing users' behavior. Most existing network security mechanisms, such as firewalls [31], IPsec [25] and IDS [5, 22], are focused on intrusion prevention and detection. However, even perfect intrusion detection will not be able to tell where the detected attacks come from. What is missing from existing network security mechanisms is an effective way to identify network-based intruders and hold them accountable for their intrusions.

© The Author(s) 2015
X. Wang, D. Reeves, Traceback and Anonymity, SpringerBriefs in Computer Science, DOI 10.1007/978-1-4939-3441-6_1
Without effective intrusion source tracing and identification, network-based intruders have all the potential gains with virtually no risk of being caught. On the other hand, an effective and accurate attack tracing capability helps to eliminate network-based attacks at their root by identifying and catching the perpetrators responsible for the attack. From the attacker's point of view, if the risk of being caught and the consequent penalty are high enough compared with the potential gain of a network-based attack, he or she would be reluctant to attack again. Thus even an imperfect attack tracing capability could help to repel potential future attacks.
Because of the current Internet architecture, it is much easier for network-based attackers to conceal their origin than for defenders to trace and identify it. To avoid being identified and tracked, attackers use all kinds of techniques to evade detection [37] and tracking. One common technique to conceal the attack source is to launder the attack through third-party hosts. The recent trend of cloud computing enables attackers to launch attacks from hosts rented from cloud providers; specifically, the recent attack on Sony's PlayStation Network used rented hosts in Amazon EC2 [44]. All of this makes it harder for the attack victim to find out the true source of the attack after identifying it. Consequently, there is a pressing need to develop a capability for identifying the source of detected attacks. A network-based attack cannot be effectively repelled or eliminated until its source is known.
Besides the need for traceback, there are legitimate reasons to keep certain online activities anonymous. For example, to encourage candid expression of opinions, an online survey may want to keep each response anonymous. In addition, people may want to keep their online activities private and may not want others to know from where they browse the Internet and what web sites they visit. To help provide anonymity and privacy for certain online activities, various anonymity systems have been developed and deployed. Specifically, Tor [17] and Anonymizer [3] use intermediate proxies and encryption to anonymize users' Internet traffic.
The goal of an anonymity system is exactly the opposite of that of traceback, in that it aims to remove or conceal the true identity of the user or his/her Internet activity. While anonymity systems help protect the privacy and anonymity of legitimate online activities, they can also be abused by perpetrators to disguise the source of their attacks. For example, attackers can easily launder their attacks through low-latency anonymous networks such as Tor or Anonymizer before attacking the final targets. Therefore, it is necessary to understand how effective existing anonymity techniques are and whether we can "break" through existing anonymity systems in order to trace the attackers behind them.
In this paper, we leave the controversy about traceback and anonymity aside and focus on the technical aspects of achieving traceback and anonymity. Specifically, we want to investigate the interaction between traceback and anonymity, and we want to understand the fundamental limitations of both traceback and low-latency anonymity systems.
The rest of this paper is organized as follows. Chapter 2 formulates the traceback problem. Chapter 3 describes existing approaches in traceback. Chapter 4 presents active timing-based traceback approaches and the countermeasures against such active timing-based approaches. Chapter 5 formulates the anonymity problem. Chapter 6 investigates fundamental limitations in low-latency anonymity systems. Chapter 7 concludes the paper.
Description: This brief systematically examines the traceback problem and its interaction with low-latency anonymous communication. First, it provides an overview of the common techniques a network-based attack may use to hide its origin and identity. Then the authors explore the MIX-based anonymity and the buil