Detecting Information Flows: Improving Chaff Tolerance by Joint Detection

The problem of detecting encrypted information flows using timing information is considered. An information flow consists of both information-carrying packets and irrelevant packets called chaff. A relay node can perturb the timing of information-carrying packets as well as add or remove chaff packets. The goal is to detect whether there is an information flow through certain nodes of interest by analyzing the transmission times of these nodes. Under the assumption that the relay of information-carrying packets is subject to a bounded delay constraint, fundamental limits on detection are characterized as the minimum amount of chaff needed for an information flow to mimic independent traffic. A detector based on the optimal chaff-inserting algorithms is proposed. The detector guarantees detection in the presence of an amount of chaff proportional to the total traffic size; furthermore, the proportion increases to 100% exponentially fast as the number of hops on the flow path increases.
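The idea of measuring how much chaff a pair of timing traces would need in order to be a bounded-delay relay can be sketched for two nodes as follows. This is an added example, not the paper's code, and it covers only the pairwise case rather than the joint multi-hop detector; the function names, the sample timestamps and the 0.3 threshold are assumptions made for illustration.

```python
# Pairwise chaff-based flow detector (illustrative sketch, not the paper's code).
# A downstream packet can carry an upstream packet's information only if it is
# sent within max_delay seconds after it; everything left unmatched is chaff.

def min_chaff(upstream, downstream, max_delay):
    """Fewest packets that must be chaff for the two traces to be a relay."""
    s, t = sorted(upstream), sorted(downstream)
    i = j = matched = 0
    while i < len(s) and j < len(t):
        if t[j] < s[i]:
            j += 1              # sent before s[i] (and all later s): chaff
        elif t[j] > s[i] + max_delay:
            i += 1              # s[i] has no departure in its window: chaff
        else:
            matched += 1        # earliest feasible match, greedy is optimal here
            i += 1
            j += 1
    return len(s) + len(t) - 2 * matched

def chaff_fraction(upstream, downstream, max_delay):
    """Minimum chaff as a fraction of the total traffic at both nodes."""
    total = len(upstream) + len(downstream)
    if total == 0:
        return 1.0              # no traffic, nothing to attribute to a flow
    return min_chaff(upstream, downstream, max_delay) / total

def is_information_flow(upstream, downstream, max_delay, threshold=0.3):
    """Flag a flow when less chaff is needed than independent traffic would
    require. The 0.3 threshold is an assumed value, not one from the paper."""
    return chaff_fraction(upstream, downstream, max_delay) <= threshold

# Constructed sample timestamps in seconds (not measured data).
UP = [0.0, 1.0, 2.5, 4.0, 6.0]
RELAYED = [0.3, 1.2, 1.9, 2.9, 4.4, 6.1]   # UP delayed by < 0.5 s, plus one chaff
INDEPENDENT = [0.7, 1.8, 3.3, 5.0, 5.6]    # unrelated traffic

if __name__ == "__main__":
    for name, down in (("relayed", RELAYED), ("independent", INDEPENDENT)):
        print(name, min_chaff(UP, down, 0.5),
              round(chaff_fraction(UP, down, 0.5), 3),
              is_information_flow(UP, down, 0.5))
```

In practice the threshold would be set from the chaff fraction that independent traffic of the observed rates needs under the same delay bound.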
