A novel sequential watermark detection model for efficient traceback of secret network attack flows

Network watermarking schemes have been proposed to trace secret network attack flows transferred through stepping stones as well as anonymous channels. However, most existing network flow watermark detection techniques focus on a fixed sample size of network data to achieve the required accuracy. Irrespective of the uncertainty or information content of successive observations, such detection techniques will result in low efficiency of watermark detection. We herein propose a novel sequential watermark detection model (SWDM) supporting three sequential detectors for efficient traceback of network attack flows. By exploiting the sequential probability ratio test approach, we first propose the intuitive paired-intervals-based optimum watermark detector (POWD) and the single-interval-based optimum watermark detector (SOWD) under the assumption of known parameters of the observed attack flow. We then propose the sequential sign watermark detector (SSWD) that operates on two-level quantized observations for nonparametric watermark detection. Based on our SWDM model, a statistical analysis of sequential detectors, with no assumptions or limitations concerning the distribution of the timing of packets, proves their effectiveness despite traffic timing perturbations. The experiments using a large number of synthetically-generated SSH traffic flows demonstrate that there is a significant advantage in using our sequential watermark detectors based on the proposed SWDM model over the existing fixed sample size watermark detector (FSWD). Compared to the FSWD detector, the POWD detector achieves almost 28% savings in the average number of packets. Especially, given the required probability of detection errors, the SOWD detector and the SSWD detector can achieve almost 47% and 29% savings, respectively, in the average number of required packets, thus resulting in not only guaranteed rates of detection errors but also high efficiency of flow traceback.