Detection of interactive stepping stones: Algorithms and confidence bounds
In Recent Advances in Intrusion Detection (RAID), Sophia Antipolis, French Riviera, 2004
Cited by 59 (0 self)
Intruders on the Internet often prefer to launch network intrusions indirectly, i.e., using a chain of hosts on the Internet as relay machines using protocols such as Telnet or SSH. This type of attack is called a stepping-stone attack. In this paper, we propose and analyze algorithms for stepping-stone detection using ideas from Computational Learning Theory and the analysis of random walks. Our results are the first to achieve provable (polynomial) upper bounds on the number of packets needed to confidently detect and identify encrypted stepping-stone streams with proven guarantees on the probability of falsely accusing non-attacking pairs. Moreover, our methods and analysis rely on mild assumptions, especially in comparison to previous work. We also examine the consequences when the attacker inserts chaff into the stepping-stone traffic, and give bounds on the amount of chaff that an attacker would have to send to evade detection. Our results are based on a new approach which can detect correlation of streams at a fine-grained level. Our approach may also apply to more generalized traffic analysis domains, such as anonymous communication. Key words: Network intrusion detection. Evasion. Stepping stones. Interactive sessions. Random walks.
Enriching intrusion alerts through multi-host causality
In Proceedings of the 2005 Network and Distributed System Security Symposium (NDSS), 2005
Cited by 36 (2 self)
Current intrusion detection systems point out suspicious states or events but do not show how the suspicious state or events relate to other states or events in the system. We show how to enrich an IDS alert with information about how those alerts causally lead to or result from other events in the system. By enriching IDS alerts with this type of causal information, we can leverage existing IDS alerts to learn more about the suspected attack. Backward causal graphs can be used to find which host allowed a multi-hop attack (such as a worm) to enter a local network; forward causal graphs can be used to find the other hosts that were affected by the multi-hop attack. We demonstrate this use of causality on a local network by tracking the Slapper worm, a manual attack that spreads via several attack vectors, and an e-mail virus. Causality can also be used to correlate distinct network and host IDS alerts. We demonstrate this use of causality by correlating Snort and host IDS alerts to reduce false positives on a testbed system connected to the Internet.
Worm Origin Identification Using Random Moonwalks
In IEEE Symposium on Security and Privacy, 2005
Cited by 30 (10 self)
We propose a novel technique that can determine both the host responsible for originating a propagating worm attack and the set of attack flows that make up the initial stages of the attack tree via which the worm infected successive generations of victims. We argue that knowledge of both is important for combating worms: knowledge of the origin supports law enforcement, and knowledge of the causal flows that advance the attack supports diagnosis of how network defenses were breached. Our technique exploits the “wide tree” shape of a worm propagation emanating from the source by performing random “moonwalks” backward in time along paths of flows. Correlating the repeated walks reveals the initial causal flows, thereby aiding in identifying the source. Using analysis, simulation, and experiments with real world traces, we show how the technique works against both today’s fast propagating worms and stealthy worms that attempt to hide their attack flows among background traffic.
Network Flow Watermarking Attack on Low-Latency Anonymous Communication Systems
Cited by 19 (4 self)
Many proposed low-latency anonymous communication systems have used various flow transformations such as traffic padding, adding cover traffic (or bogus packets), packet dropping, flow mixing, flow splitting, and flow merging to achieve anonymity. It has long been believed that these flow transformations would effectively disguise network flows, thus achieving good anonymity. In this paper, we investigate the fundamental limitations of flow transformations in achieving anonymity, and we show that flow transformations do not necessarily provide the level of anonymity people have expected or believed. By injecting a unique watermark into the inter-packet timing domain of a packet flow, we are able to make any sufficiently long flow uniquely identifiable even if 1) it is disguised by a substantial amount of
On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques
Cited by 17 (2 self)
Timing-based active watermarking schemes are developed to trace back attackers through stepping stone connections or anonymizing networks. By slightly changing packet timing, these schemes achieve robust correlation for encrypted network connections under timing perturbation. However, the manipulation of packet timing makes the schemes themselves a potential target of intelligent attackers. In this paper, we analyze the secrecy of the timing-based active watermarking techniques for tracing through stepping stones, and propose an attack scheme based on analyzing the packet delays between adjacent stepping stones. We develop attack techniques to infer important watermark parameters, and to recover and duplicate embedded watermarks. The resulting techniques enable an attacker to defeat the tracing systems in certain cases by removing watermarks from the stepping stone connections, or replicating watermarks in non-stepping stone connections. We also develop techniques to determine in real-time whether a stepping stone connection is being watermarked for trace-back purposes. We have performed substantial experiments using real-world data to evaluate these techniques. The experimental results demonstrate that for the watermark scheme being attacked (1) embedded watermarks can be successfully recovered and duplicated when the watermark parameters are not chosen carefully, and (2) the existence of watermarks in a network flow can always be quickly detected.
Detecting covert timing channels: an entropy-based approach
ACM Conference on Computer and Communications Security, 2007
Cited by 17 (3 self)
The detection of covert timing channels is of increasing interest in light of recent practice on the exploitation of covert timing channels over the Internet. However, due to the high variation in legitimate network traffic, detecting covert timing channels is a challenging task. The existing detection schemes are ineffective at detecting most of the covert timing channels known to the security community. In this paper, we introduce a new entropy-based approach to detecting various covert timing channels. Our new approach is based on the observation that the creation of a covert timing channel has certain effects on the entropy of the original process, and hence, a change in the entropy of a process provides a critical clue for covert timing channel detection. Exploiting this observation, we investigate the use of entropy and conditional entropy in detecting covert timing channels. Our experimental results show that our entropy-based approach is sensitive to the current covert timing channels, and is capable of detecting them in an accurate manner.
Keyboards and covert channels
In Proceedings of the 2006 USENIX Security Symposium (July–August 2006)
Cited by 16 (3 self)
This paper introduces JitterBugs, a class of inline interception mechanisms that covertly transmit data by perturbing the timing of input events likely to affect externally observable network traffic. JitterBugs positioned at input devices deep within the trusted environment (e.g., hidden in cables or connectors) can leak sensitive data without compromising the host or its software. In particular, we show a practical Keyboard JitterBug that solves the data exfiltration problem for keystroke loggers by leaking captured passwords through small variations in the precise times at which keyboard events are delivered to the host. Whenever an interactive communication application (such as SSH, Telnet, instant messaging, etc.) is running, a receiver monitoring the host’s network traffic can recover the leaked data, even when the session or link is encrypted. Our experiments suggest that simple Keyboard JitterBugs can be a practical technique for capturing and exfiltrating typed secrets under conventional OSes and interactive network applications, even when the receiver is many hops away on the Internet.
Detecting Encrypted Stepping-Stone Connections
IEEE Trans. on Signal Processing, 2007
Cited by 10 (3 self)
Stepping-stone attacks are often used by network intruders to hide their identities. In a stepping-stone attack, attacking commands are sent indirectly to the victim through a chain of compromised hosts acting as “stepping stones.” In defending against such attacks, it is necessary to detect stepping-stone connections at the compromised hosts. The use of encrypted connections by the attacker complicates the detection problem and the attacker’s active timing perturbation and insertion of chaff make it even more challenging. This paper considers strategies to identify stepping-stone connections when the attacker is able to encrypt the attacking packets and perturb their timing. Furthermore, the attacker can also add chaff packets in the attacking stream. The paper first considers stepping-stone connections subject to packet-conserving transformations by the attacker. Two activity-based algorithms are proposed to detect stepping-stone connections with bounded memory or bounded delay perturbation, respectively. These algorithms are proven to have exponentially decaying false alarm probabilities if normal traffic can be modelled as Poisson processes. It is shown that the proposed algorithms improve the performance of an existing stepping-stone detection algorithm. This paper then addresses the detection of stepping-stone connections with both timing perturbation and chaff. Robust algorithms are developed to deal with chaff evasion. It is proven that the proposed robust algorithms can tolerate a number of chaff packets proportional to the size of the attacking traffic, and have vanishing false alarm probabilities for Poisson traffic. Simulations using synthetic data are used to validate the theoretical analysis. Further results using actual Internet traces are shown to demonstrate the performance of the proposed algorithms. Index Terms—Intrusion detection, network security, nonparametric detection, testing on point processes.
Detecting Protected Layer-3 Rogue APs
In Proceedings of the Fourth IEEE International Conference on Broadband Communications, Networks, and Systems, 2007
Cited by 9 (2 self)
Unauthorized rogue access points (APs), such as those brought into a corporate campus by employees, pose a security threat as they may be poorly managed or insufficiently secured. Any attacker in the vicinity can easily get onto the internal network through a rogue AP, bypassing all perimeter security measures. Existing detection solutions work well for detecting layer-2 rogue APs. It is a challenge, however, to accurately detect a layer-3 rogue AP that is protected by WEP or other security measures. In this paper, we describe a new rogue AP detection method to address this problem. Our solution uses a verifier on the internal wired network to send test traffic towards the wireless edge, and uses wireless sniffers to identify rogue APs that relay the test packets. To quickly sweep all possible rogue APs, the verifier uses a greedy algorithm to schedule the channels for the sniffers to listen to. To work with the encrypted AP traffic, the sniffers use a probabilistic algorithm that only relies on observed packet size. Using extensive experiments, we show that the proposed approach can robustly detect rogue APs with moderate network overhead.
Tracing traffic through intermediate hosts that repacketize flows
In: Proc. IEEE INFOCOM, 2007
Cited by 8 (2 self)
Tracing interactive traffic that traverses stepping stones (i.e., intermediate hosts) is challenging, as the packet headers, lengths, and contents can all be changed by the stepping stones. The traffic timing has therefore been studied as a means of tracing traffic. One such technique uses traffic timing as a side channel into which a watermark, or identifying tag, can be embedded to aid with tracing. The effectiveness of such techniques is greatly reduced when repacketization of the traffic occurs at the stepping stones. Repacketization is a natural effect of many applications, including SSH, and therefore poses a serious challenge for traffic tracing. This paper presents a new method of embedding a watermark in traffic timing, for purposes of tracing the traffic in the presence of repacketization. This method uses an invariant characteristic of two traffic flows which are part of the same stepping stone chain, namely, elapsed time of the flows. The duration of each flow is sliced into short fixed-length intervals. Packet timing is adjusted to manipulate the packet count in specific intervals, for purposes of embedding the watermark. A statistical analysis of the method, with no assumptions or limitations concerning the distribution of packet times, proves the effectiveness of the method given a sufficient number of packets, despite natural and/or deliberate repacketization and perturbation of the traffic timing by an adversary. The method has been implemented and tested on a large number of synthetically generated SSH traffic flows. The results demonstrate that 100% detection rates and less than 1% false positive rates are achievable under conditions of 2 seconds of maximum timing perturbation and 12% repacketization rate, using fewer than 1000 packets.

