18-07-2012, 02:42 PM
stepping stones
stepping stones.docx (Size: 2.61 MB / Downloads: 21)
INTRODUCTION & OBJECTIVE
Network-based intruders seldom attack their victims directly from their own computer. Often, they stage their attacks through intermediate “stepping stones” in order to conceal their identity and origin. To identify the source of the attack behind the stepping stone(s), it is necessary to correlate the incoming and outgoing flows or connections of a stepping stone. To resist attempts at correlation, the attacker may encrypt or otherwise manipulate the connection traffic. Timing-based correlation approaches have been shown to be quite effective in correlating encrypted connections. However, timing-based correlation approaches are subject to timing perturbations that may be deliberately introduced by the attacker at stepping stones.
We propose a novel watermark-based correlation scheme that is designed specifically to be robust against timing perturbations. Unlike most previous timing-based correlation approaches, our watermark-based approach is “active” in that it embeds a unique watermark into the encrypted flows by slightly adjusting the timing of selected packets. The unique watermark embedded in the encrypted flow gives us a number of advantages over passive timing-based correlation in resisting timing perturbations by the attacker. In contrast to the existing passive correlation approaches, our active watermark-based correlation does not make any limiting assumptions about the distribution or random process of the original inter-packet timing of the packet flow.
EXISTING SYSTEM
Network-based attacks have become a serious threat to the critical information infrastructure on which we depend. To stop or repel network-based attacks, it is critical to be able to identify the source of the attack. Attackers, however, go to some lengths to conceal their identities and origin, using a variety of countermeasures. As an example, they may spoof the IP source address of the attack traffic. Methods of tracing spoofed traffic, generally known as IP traceback, have been developed to address this countermeasure. Another common and effective countermeasure used by network-based intruders to hide their identity is to connect through a sequence of intermediate hosts, or stepping stones, before attacking the final target. For example, an attacker at host A may telnet or SSH into host B, and from there, launch an attack on host C. In effect, the incoming packets of an attack connection from A to B are forwarded by B, and become outgoing packets of a connection from B to C. The two connections or flows are related in such a case. The victim host C can use IP traceback to determine that the second flow originated from host B, but traceback will not be able to correlate this with the attack flow originating from host A. To trace attacks through a stepping stone, it is necessary to correlate the incoming traffic with the outgoing traffic at the stepping stone. This would allow the attack to be traced back to host A in the example.
Disadvantages:
• The major drawback of host-activity-based correlation methods is that the host activity collected from each stepping stone is generally not trustworthy.
• The attacker is assumed to have full control over each stepping stone; he/she can easily modify, delete or forge user login information.
• This defeats the ability to correlate based on host activity.
PROPOSED SYSTEM
Watermark-Tracing Model:
The watermark-tracing approach exploits the observation that interactive connections (i.e., telnet, SSH) are bidirectional. The idea is to watermark the backward traffic (from the victim back to the attacker) of the bidirectional attack connection by slightly adjusting the timing of selected packets. If the embedded watermark is both robust and unique, the watermarked backward traffic can be effectively correlated and traced across stepping stones, from the victim all the way back to the attacker. As shown in Fig. 1, the attacker may connect through a number of hosts (H1, ..., Hn) before attacking the final target.
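The following simulation is an added example and is not code from the post, the attached report, or the original paper; it only illustrates the two ideas above (embedding a watermark by slightly delaying selected packets, and decoding it again after the attacker adds timing jitter). The concrete scheme is an assumption chosen for illustration: one watermark bit is carried by a secretly chosen packet pair, the later packet is delayed until the pair's inter-packet delay (IPD) sits at the centre of a quantization bin whose index has the bit's parity, each bit is repeated in R pairs, and the tracer takes a majority vote. The constants S and R, the flow sizes and every function name are constructed for this demo.

```python
"""Toy active timing watermark for flow correlation (added example).

Assumptions that are NOT from the original post: a watermark bit is embedded
by delaying the later packet of a secretly chosen packet pair so that the
pair's inter-packet delay (IPD) lands in the centre of a quantization bin
whose index has the bit's parity; each bit is repeated in R pairs and
recovered by majority vote.  Packets are only ever delayed, never advanced.
"""
import math
import random

S = 0.040   # quantization step in seconds; decoder tolerates |IPD error| < S/2
R = 5       # redundancy: number of packet pairs carrying each watermark bit


def make_flow(n_packets, mean_ipd, rng):
    """Constructed sample flow: timestamps with exponential inter-arrivals."""
    t, stamps = 0.0, []
    for _ in range(n_packets):
        t += rng.expovariate(1.0 / mean_ipd)
        stamps.append(t)
    return stamps


def choose_pairs(n_packets, n_bits, rng):
    """Secretly pick 2*R*n_bits distinct packets and group them into
    non-overlapping (i, j) pairs, R pairs per bit.  The pair list is the
    shared secret between the embedder and the tracer."""
    need = 2 * R * n_bits
    if need > n_packets:
        raise ValueError("flow too short for this watermark")
    chosen = sorted(rng.sample(range(n_packets), need))
    return [[(chosen[2 * (k * R + r)], chosen[2 * (k * R + r) + 1])
             for r in range(R)] for k in range(n_bits)]


def target_ipd(ipd, bit):
    """Smallest bin centre >= ipd whose bin index has parity == bit."""
    m = math.floor(ipd / S)
    if (m + 0.5) * S < ipd:      # already past the centre of bin m
        m += 1
    if m % 2 != bit:
        m += 1
    return (m + 0.5) * S


def embed(stamps, pairs, bits):
    """Return watermarked timestamps.  Delaying packet j and every packet
    after it keeps the flow in order and leaves all other pairs' IPDs intact
    (pairs are non-overlapping index intervals)."""
    out = list(stamps)
    for group, bit in zip(pairs, bits):
        for i, j in group:
            d = target_ipd(out[j] - out[i], bit) - (out[j] - out[i])
            for x in range(j, len(out)):
                out[x] += d
    return out


def decode(stamps, pairs):
    """Recover bits: bin index parity per pair, majority vote per bit."""
    bits = []
    for group in pairs:
        ones = sum(math.floor((stamps[j] - stamps[i]) / S) % 2 for i, j in group)
        bits.append(1 if 2 * ones > len(group) else 0)
    return bits


def perturb(stamps, max_jitter, rng):
    """Attacker-side timing perturbation: every packet delayed by U(0, max_jitter)."""
    return [t + rng.uniform(0.0, max_jitter) for t in stamps]


def hamming(a, b):
    """Number of bit positions in which two decoded watermarks differ."""
    return sum(x != y for x, y in zip(a, b))


def demo(n_bits=16, max_jitter=0.015, seed=7):
    """Embed, perturb, decode; also decode an unrelated flow as a control."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(n_bits)]
    flow = make_flow(400, 0.200, rng)
    pairs = choose_pairs(len(flow), n_bits, rng)
    marked = embed(flow, pairs, bits)
    jittered = perturb(marked, max_jitter, rng)
    control = make_flow(400, 0.200, rng)       # unrelated flow, same secret
    return {
        "bits": bits,
        "only_delays": all(w >= o for w, o in zip(marked, flow)),
        "in_order": all(a <= b for a, b in zip(marked, marked[1:])),
        "errors_clean": hamming(decode(marked, pairs), bits),
        "errors_jitter": hamming(decode(jittered, pairs), bits),
        "errors_control": hamming(decode(control, pairs), bits),
    }


if __name__ == "__main__":
    print(demo())
```

With the default jitter bound of 15 ms, below the decoder's S/2 = 20 ms tolerance, every bit survives; raising max_jitter above S/2 lets individual pairs flip and shows the majority vote across R pairs doing the work. The control flow, decoded with the same secret pair list, carries no watermark, so its decoded string is expected to differ from the embedded bits in about half the positions, which is what lets a tracer distinguish the real downstream flow from unrelated traffic.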