RAINBOW: A Robust And Invisible Non-Blind Watermark for Network Flows
Amir Houmansadr, Negar Kiyavash, Nikita Borisov
University of Illinois at Urbana-Champaign
Traffic analysis
- Low-latency traffic analysis
  - Intrusion detection
  - Compromising anonymous networks
NDSS '09
Stepping stone detection (figure: enterprise network)

Compromising anonymity (figure: Tor anonymous network)
Traffic analysis
- Passive
  - Analyzing original packet counts, timing, ...
  - Common problem: low efficiency
    - Slow decision (not real time), high false errors, ...
- Active (watermarking)
  - Motivation: improve efficiency
  - Using modified packet timing, count, rate, ...
  - Multimedia watermarking: QIM, Patchwork, ...
Terminology
- Blind watermarking (figure: Watermark)
- Non-blind watermarking (figure: Watermark, Flow info)
Motivation of RAINBOW
- Watermarking: efficient detection
- Common problem with watermarking
  - Blind: lack of invisibility
    - Legitimate-user disturbance
    - Subject to attacks
- Non-blind: in the middle between passive schemes and active blind schemes
  - Robust to network perturbations
- Robust And Invisible Non-Blind Watermark: RAINBOW
Watermark insertion
- Uses inter-packet delay (IPD) information for watermarking
- Based on spread spectrum multimedia watermarking
(figure: Pre-IPD, WM, Post-IPD)
Insertion scheme
- $\mathrm{Post\_IPD}(t_w) = \mathrm{Pre\_IPD}(t_u) + Wm$
- $\mathrm{Recv\_IPD}(t_r) - \mathrm{Pre\_IPD}(t_u) = Wm + \mathrm{Jitter}$
IPD database
- For new flows, the watermarker creates an entry in the database
  - Last N packets
  - Updated over time
- Entry is removed from the database after the connection ends
- Resources
  - Memory: 3.1 MB for an institution with 400 members
Detection scheme
- Use the last N samples of the received flow
  - $\mathrm{Recv\_IPD} - \mathrm{Pre\_IPD} = Wm + \mathrm{Net\_Jitter}$
- Detection of the spread spectrum signal
  - Network jitter model: Laplacian $\mathrm{Lap}(0, b_\delta)$
- Normalized correlation is an efficient detection rule
  - Decision based on a threshold
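The insertion and detection steps above, as an added Python simulation (not code from the paper or its authors): the watermarker records the pre-IPDs as in the IPD database, adds a keyed $\pm a$ spread spectrum sequence, the network adds Laplacian jitter, and the detector decides by normalized correlation against a threshold, with the slides' a = 10 ms, n = 400 and $b_\delta$ = 10 ms. The exponential pre-IPD distribution, the keyed PRNG for the $\pm a$ sequence and the threshold $\eta$ = 0.3 are assumptions.

```python
import math
import random

# Parameters taken from the slides: a = 10 ms, n = 400, jitter b_delta = 10 ms.
A_MS = 10.0
N = 400
JITTER_B_MS = 10.0
THRESHOLD = 0.3  # eta; assumed here, roughly halfway between the H0 and H1 means


def laplace(rng, b):
    """Sample Lap(0, b) by inverse CDF: the slides' network-jitter model."""
    u = rng.random() - 0.5
    return -b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def spread_spectrum_watermark(n, key):
    """Secret +/-a sequence shared by watermarker and detector (assumed keyed PRNG)."""
    rng = random.Random(key)
    return [A_MS if rng.random() < 0.5 else -A_MS for _ in range(n)]


def insert_watermark(pre_ipds, wm):
    """Post_IPD = Pre_IPD + Wm; the watermarker also stores pre_ipds (IPD database)."""
    return [p + w for p, w in zip(pre_ipds, wm)]


def normalized_correlation(recv_ipds, pre_ipds, wm):
    """Detector: delta = Recv_IPD - Pre_IPD = Wm + jitter (jitter only if unmarked)."""
    delta = [r - p for r, p in zip(recv_ipds, pre_ipds)]
    num = sum(d * w for d, w in zip(delta, wm))
    den = math.sqrt(sum(d * d for d in delta) * sum(w * w for w in wm))
    return num / den if den else 0.0


def simulate(watermarked, seed=1, key=1234):
    """Constructed pre-IPDs -> optional insertion -> Laplacian jitter -> correlation."""
    rng = random.Random(seed)
    # Constructed SSH-like interactive IPDs in ms (assumption, not measured data).
    pre_ipds = [20.0 + rng.expovariate(1.0 / 200.0) for _ in range(N)]
    wm = spread_spectrum_watermark(N, key)
    sent = insert_watermark(pre_ipds, wm) if watermarked else pre_ipds
    recv = [x + laplace(rng, JITTER_B_MS) for x in sent]
    return normalized_correlation(recv, pre_ipds, wm)


def detect(watermarked, seed=1):
    """True when the received flow correlates above eta with the stored pre-IPDs."""
    return simulate(watermarked, seed) > THRESHOLD
```

`simulate(True)` lands near 0.58 and `simulate(False)` near 0, which is why a single threshold separates the two hypotheses at n = 400.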
System analysis
- Model system
  - IPDs: exponential
  - Jitter: $\delta \sim \mathrm{Lap}(0, b_\delta)$
  - SNR (a: watermark amplitude): $\gamma = a^2 / b_\delta$
- Hypothesis testing
  - $H_0$: $T_0 \sim \mathrm{Lap}\left(0, \tfrac{1}{2N}\right)$
  - $H_1$: $T_1 \sim \mathrm{Lap}\left(\gamma, \tfrac{1}{2N}\right)$
  - True detection / false detection
System analysis: detection threshold $\eta$
- MinMax rule (COER)
- Neyman-Pearson
- $FP = \tfrac{1}{2} e^{-2n\eta}$
- $FN = \tfrac{1}{2} e^{-2n(\gamma - \eta)}$
(figure: $H_0$ and $H_1$ distributions with threshold $\eta$)
MinMax analysis (plot)
- a = 10 ms, n = 400: FN = FP = $10^{-6}$
- a = 5 ms, n = 1300: FN = FP = $10^{-6}$
Implementation
- PlanetLab infrastructure (larger jitter than normal traffic)
- SSH traffic
Implementation results (plots)
- a = 10 ms, 100 flows
- n = 500, jitter = 10 ms
Practical COER
- $\gamma = 1$, a = 10 ms, n = 400: COER = $10^{-6}$
Selective correlation
- Sources of flow modification
  - Protocol-specific causes: duplicated, retransmitted, re-packetized, ...
  - Protocol-specific packets: TCP ACK/SYN, SSH initial packets, ...
  - Initial delay
- Matching block
  - Sliding windows
Implementation (plot): r = 0%, r = 10%, r = 20%
Invisibility
- Using a non-blind spread spectrum watermark, we expect high invisibility
- Confirmed through information-theoretic tools:
  - Kolmogorov-Smirnov test (98% confidence)
  - Entropy-based tools of Gianvecchio for covert channels (CCS '07)
Performance comparison
- Run time: 0.4 microseconds for 400 connections with 5000 packets
- Detection time: about 3 min (400 packets)
- False errors of order $10^{-6}$
  - Passive schemes: $10^{-2}$
  - Blind watermarks: at most $10^{-5}$
- Invisibility
Conclusions
- RAINBOW: a novel traffic analysis scheme
  - In between passive and blind active schemes
- High detection efficiency
- Invisibility
- Robustness to flow modifications
- Future work
  - Use fast coding tools to insert watermarks more efficiently
  - Effective semi-blind or blind schemes

Thanks
Implementation results (plot): r = 0%, r = 5%, r = 10%

Neyman-Pearson analysis (plot): $FP = 10^{-3}$, $FP = 10^{-6}$