Interval-based flow watermarking for tracing interactive traffic

Tracing interactive attack traffic that traverses stepping stones (i.e., intermediate hosts) is challenging, as the packet headers, lengths, and contents can all be changed by the stepping stones. The traffic timing (delays between packets) has therefore been studied as a means of tracing traffic. One such technique uses traffic timing as a side channel into which a watermark, or identifying tag, can be embedded to aid with tracing. The effectiveness of such techniques is greatly reduced when the packet count of the traffic is changed at the stepping stone. Such transformations may occur as a result of either active countermeasures (e.g. chaff packets, flow splitting) by an adversary attempting to defeat tracing, or by incidental repacketization of the traffic by network interfaces.This paper presents a new method of embedding a watermark in traffic timing, for purposes of tracing the traffic in the presence of flow splitting, chaff packets, timing perturbation, and repacketization. This method uses an invariant characteristic of two connection flows which are part of the same stepping stone chain, namely, the elapsed time of the flows. The duration of each flow is sliced into short fixed-length intervals. Packet timing is adjusted to manipulate the packet count in specific intervals (without adding or deleting any packets), for purposes of embedding the watermark. The method is self-synchronizing and does not require clock synchronization between the watermark encoder and decoder.A statistical analysis of the method, with no assumptions or limitations concerning the distribution of packet times, proves the effectiveness of the method given a sufficient number of packets, despite natural and/or deliberate repacketization and countermeasures by an adversary. The method has been implemented and tested on a large number of SSH traffic flows. The results demonstrate that 100% detection rates and very low false positive rates are achieved under conditions of multiple countermeasures, and using only a few hundred packets.