Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

Wenyuan Xu,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1145/1352533.1352567

2008-01-01

Abstract:Wireless communication is susceptible to radio interference, which prevents the reception of communications. Although evasion strategies have been proposed, such strategies are costly or ineffective against broadband jammers. In this paper, we explore an alternative to evasion strategies that involves the establishment of a timing channel that exists in spite of the presence of jamming. The timing channel is built using failed packet reception times. We first show that it is possible to detect failed packet events inspite of jamming. We then explore single sender and multisender timing channel constructions that may be used to build a low-rate overlay link-layer. We discuss implementation issues that we have overcome in constructing such jamming-resistant timing channel, and present the results of validation efforts using the MICA2 platform. Finally, we examine additional error correction and authentication mechanisms that may be used to cope with adversaries that both jam and seek to corrupt our timing channel.

Jiliang Wang,Shuo Lian,Wei Dong,Xiang-Yang Li,Yunhao Liu

DOI: https://doi.org/10.1109/TNET.2016.2523127

2016-01-01

Abstract:Delay is an important metric to understand and improve system performance. While existing approaches focus on aggregated delay statistics in pre-programmed granularity and provide results such as average and deviation, those approaches may not provide fine-grained delay measurement and thus may miss important delay characteristics. For example, delay anomaly, which is a critical system performance indicator, may not be captured by coarse-grained approaches. We propose a new measurement structure design called order preserving aggregator OPA. Based on OPA, we can efficiently encode and recover the ordering and loss information by exploiting inherent data characteristics. We then propose a two-layer design to convey both ordering and time stamp, and efficiently derive per-packet delay/loss measurement. We evaluate our approach both analytically and experimentally. The results show that our approach can achieve per-packet delay measurement with an average of per-packet relative error at 2%, and an average of aggregated relative error at $10^{-5}$, while introducing additional communication overhead in the order of $10^{-4}$ in terms of number of packets. While at a low data rate, the computation overhead of OPA is acceptable. Reducing the computation and communication overhead under high data rate, to make OPA more practical in real applications, will be our future direction.

Jiliang Wang,Shuo Lian,Wei Dong,Yunhao Liu,Xiang-Yang Li

DOI: https://doi.org/10.1109/icnp.2014.30

2014-01-01

Abstract:Delay is an important metric to understand and improve system performance. While existing approaches focus on aggregate delay statistics in pre-programmed granularity, providing only statistical results such as averages and deviations, those approaches fail to provide fine-grained delay measurement at a flexible level and thus may miss important delay characteristics. For example, delay anomalies, which are critical system performance indicators, may not be captured by existing coarse grained approaches. In this work, we propose a fine-grained delay measurement approach based on a new measurement structure design called order preserving aggregator (OPA). OPA can efficiently encode the ordering and loss information by exploiting inherent data characteristics. Based on OPA, we propose a two layer design to convey both ordering and time stamp information, and then derive per-packet delay/loss measurement with a small overhead. We evaluate our approach both analytically and experimentally with widely used real-world data sets. The results show that our approach can achieve accurate per-packet delay measurement with an average of per-packet relative error at 2%, and an average of aggregated relative error at 10-5, while introducing less than 4 × 10-4 additional overhead.

Yali Yuan,Jian Ge,Guang Cheng

2024-02-07

Abstract:The network flow watermarking technique associates the two communicating parties by actively modifying certain characteristics of the stream generated by the sender so that it covertly carries some special marking information. Some curious users communicating with the hidden server as a Tor client may attempt de-anonymization attacks to uncover the real identity of the hidden server by using this technique. This compromises the privacy of the anonymized communication system. Therefore, we propose a defense scheme against flow watermarking. The scheme is based on deep neural networks and utilizes generative adversarial networks to convert the original Inter-Packet Delays (IPD) into new IPDs generated by the model. We also adopt the concept of adversarial attacks to ensure that the detector will produce an incorrect classification when detecting these new IPDs. This approach ensures that these IPDs are considered "clean", effectively covering the potential watermarks. This scheme is effective against time-based flow watermarking techniques.

Networking and Internet Architecture

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Xu-Qing Zhang,Zhe-Ming Lu

DOI: https://doi.org/10.24507/ijicic.16.06.1973

2020-01-01

Abstract:Watermarking is a good way to protect the safety of audio information. In the fields of watermark research, the ability of defending synchronous attacks has always been the key and difficult point. This paper provides an audio watermark algorithm based on Discrete Fourier Transform (DFT) peak detection, which can commendably defend synchronous attacks like Time Scale Modulation (TSM) and pitch shifting. Discrete Wavelet Transform (DWT) is performed firstly to get the detailed information. Then we divided it into a certain number of segments and for each segment we perform DFT transform, we extract the mark, and we only need to find if there have been peaks. Experiments demonstrate that the watermarked audio is perceptually close to the original one as the average signal-to-noise ratio is about 31.62 dB.

MU Jun-chen,GAN Zhi-hua,XU Hong-yun

DOI: https://doi.org/10.3969/j.issn.1009-3044.2007.06.029

2007-01-01

Abstract:Discrete Fourier transform based on the time domain sequence TCP flow sample x(n) (0,1) standardization sequences. RoQ attack is detected according to it's periodicity etc. A strategy to defense the RoQ attack is proposed. The algorithm of the strategy is given.

Sha Fu,Ping Li,Hong Sang,Minxin Zhao

DOI: https://doi.org/10.1177/01423312241288307

IF: 2.146

2024-11-21

Transactions of the Institute of Measurement and Control

Abstract:Transactions of the Institute of Measurement and Control, Ahead of Print. The proposed detection method in this study, which involves smooth watermarking, encoding, and decoding, aims to address replay attacks in time-delay systems during communication. Implementing an event-triggered technique helps save communication resources and cut down on unnecessary information transmission. A weighted sliding average method is employed to smooth the system's watermark influenced by time delay, decreasing unnecessary fluctuations and boosting anti-attack resilience. The encoding and decoding systems were ingeniously designed to increase the invisibility of the smooth watermarking, making it more sensitive in detecting replay attacks. Multiple attack scenarios are meticulously examined, after which rigorous simulation tests are carried out to prove the proposed scheme's reliability, effectiveness, and substantial superiority.

automation & control systems,instruments & instrumentation

Wangxin Feng,Xiangyang Luo,Tengyao Li,Chunfang Yang

DOI: https://doi.org/10.1016/j.cose.2024.103701

IF: 5.105

2024-01-07

Computers & Security

Abstract:Network flow watermarking (NFW) has been widely used in flow trace back. However, most of the existing NFW methods cannot work efficiently due to the weakness of resisting channel interferences, establishing reliable synchronization, and resisting statistical analysis-based NFW attacks. To this end, a hybrid packet sequence-timing-based flow watermarking (HSTW) method is proposed, for which packet sequence and packet timing constitute a hybrid carrier to carry watermark information. HSTW modulates the packet sequence of the flow and represents the watermark information by the relative time relationship between the packet reordering, which improves the robustness of the watermark against delay jitter and packet loss. By designing a synchronization header based on the specific packet sequence, the information synchronization is achieved at any position of the flow. To resist statistical analysis-based NFW attacks, the packet sequence modulation is carried out in the form of slight packet reordering. The random distribution of the watermark is achieved based on the synchronization header, eliminating the time correlation between multiple watermarked flows. By a large number of experiments based on real-time traffic and public datasets, the results show that in comparison with the existing methods, HSTW has stronger robustness and more reliable synchronization. Compared with timing-based and rate-based methods, the accuracy of HSTW under delay jitter is increased by 32.17% to 34.50%. The accuracy of HSTW under packet loss interference is improved by 20.11% to 26.89% in comparison with sequence-based methods. HSTW can achieve information synchronization even if only partial watermarked flow can be obtained. Furthermore, HSTW can avoid the detection of Kolmogorov-Smirnov test and multi-flow attacks.

computer science, information systems

Qianmei Wu,Fan Zhang,Shize Guo,Kun Yang,Haoting Shen

DOI: https://doi.org/10.1109/tc.2024.3416682

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:As a common defense against side-channel attacks, random delay insertion introduces noise into the executive flow of encryption, which increases attack complexity. Accordingly, various techniques are exploited to mitigate the defense effect of such insertions. As an advanced mathematical technique, wavelet analysis is considered to be a more effective technology according to its detailed and comprehensive interpretation of signals. In this paper, we propose a unified and fully automated wavelet-based attack framework (denoted as UWAF), whose data processing is kept within one unified wavelet domain, with three enhanced components: denoising, alignment and key extraction. We put forward a new idea of combining machine learning with wavelet analysis to realize the full automation of the program for attack framework, rendering it possible to search exhaustively for the optimal combination of parameter settings in wavelet transform. Our proposal finds a new setting of wavelet parameters that have not been exploited ever before and achieves the performance enhancement for about 20 times fewer traces required for successful key recovery. UWAF is compared with several mainstream attack frameworks. Experimental results show that it outperforms those counterparts, and can be considered as an effective framework-level solution to defeat the countermeasure of random delay insertion.

Tengyao Li,Kaiyue Liu,Wangxin Feng,Chunfang Yang,Xiangyang Luo

DOI: https://doi.org/10.1016/j.comnet.2022.109424

IF: 5.493

2022-12-24

Computer Networks

Abstract:Tracking back stealthy attackers is still a great challenge in face of complicated Internet environments and increased attacker capabilities. As a possible solution, network flow watermarking has been developed to embed attack labels actively in data flows, trying to identify the attack source accurately in time. However, due to the influences of uncertain network noises, the robustness of watermarking cannot be ensured efficiently in case of non-cooperative network scenarios currently. Meanwhile, it is difficult to enhance robustness and covertness simultaneously when suffering from severe network noises. Thus, a robust network flow watermarking based on Heterogeneous Time Channels (HeteroTiC) is proposed, for which packet order, packet timing and packet size constitute heterogeneous time channels to carry watermarks. The beginning positions are located by packet order to support accurate synchronization, the long watermark sequences are carried by inter-packet delays to improve capabilities against packet dropping and time jitter, the mapping relationships for the watermark sequences on heterogeneous time channels are mixed by packet size of the flow itself to enhance covertness. With multiple layers design of watermarking, HeteroTiC is designed to accomplish fast detection and accurate extraction on watermarks. By experiments, the average detection accuracy reaches 100% and the average extraction accuracy is validated with 94.2%. Furthermore, the same mapping pattern on multiple flows only accounts for 8.11%, which validates the covertness against multiple flow similarities. The extraction accuracy exceeds 9.76%∼18.1% in comparison with classical watermarking methods, which validates the robustness under network noises in Internet.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Lian Yu,Lei Zhang,Yuanyuan Zhang,Weiping Wen,Xuetao Du,Fei Cao

DOI: https://doi.org/10.1109/qrs54544.2021.00016

2021-01-01

Abstract:Transaction systems, such as e-commerce, banking systems, and blockchain-based transaction systems, take the advantages of great developments of network technologies. At the same time, such systems face a variety of threats and attacks. Passive traffic analysis (TA) usually consumes a lot of resources, and responds with tardiness, and no longer meets the current requirements. Network flow watermarking is a typical active TA technique, and IPD, IBW and ICBW are the typical ones, which can track attacks in a covert way. However, these approaches are also disturbed by the complex network conditions, e.g., packet splitting and merging during the transmissions. To improve the robustness of network flow watermarking, this paper proposes an improved scheme, dynamic interval-based watermark (DIBW). The experiments compare DIBW performance with that of IPD, IBW, and ICBW under packet splitting and merging conditions; and change the parameters of DIBW to observe the impacts on the performance of DIBW. The results show that DIBW can improve the robustness of the system. This paper utilizes LDPC code that consumes less time than the traditional ones. In addition, this paper proposes a hybrid watermark scheme of DIBW and IPD to adapt to the file sizes and the situations of network flow, and analyzes the feasibility of the adaptability by experiments.

Wei YU,Guanghui HE,Zucheng ZHOU

DOI: https://doi.org/10.3321/j.issn:1000-0054.2007.01.020

2007-01-01

Abstract:The delayed-ACK(Dly-ACK) scheme is used in IEEE 802.15.3 high-rate WPANs to reduce ACK overhead.For high variable bit rate and delay sensitive video-dominated scenarios in wireless personal area networks(WPANS),immediate acknowledge(Imm-ACK) and fixed delayed acknowledge(Dly-ACK) will significantly degrade the quality of service(QoS) since they are not appropriates for variable bit rate video streams and wireless channel instabilities.Analyses of ImmACK and fixed Dly-ACK schemes for video streaming over IEEE 802.15.3 WPANs led to an application and channel quality aware adaptive Dly-ACK algorithm for video streaming over 802.15.3 WPANs,which includes a frame size and error-rate-based dynamic Dly-ACK burst size adjusting algorithm.Extensive simulations were carried out to evaluate the algorithm.The results show that the algorithm consistently outperforms both Imm-ACK and fixed Dly-ACK schemes for all simulated load levels and channel conditions in terms of the fraction of decodable video frames at 2%-4%.

Hao Liu,Yuzhe Li,Qing-Long Han,Tarek Rassi,Tarek Ra

DOI: https://doi.org/10.1109/tac.2022.3184396

IF: 6.549

2022-01-01

IEEE Transactions on Automatic Control

Abstract:In this article, a novel proactive attack defense strategy is proposed to deal with the secure remote estimation issue in cyber-physical systems with unknown-but-bounded noises in the presence of man-in-the-middle attacks. It is assumed that the residue calculated by the smart sensor is sent to the remote estimator and the abnormal intrusion detector via a wireless network, and the watermark is assumed to belong to a zonotope. In order to guarantee the detection rate, the data processes and the watermark are time-varying and secret to an adversary. Moreover, the effect on system performance caused by the watermark can be removed when the system is attack free. Furthermore, four different attack scenarios are discussed to analyze the detection ability of the proposed defense approach, and the designed strategy can be applied to detect replay attacks. Finally, an unmanned aircraft system subject to malicious attacks is leveraged to illustrate the effectiveness of the proposed proactive defense strategy.

automation & control systems,engineering, electrical & electronic

Xinyuan Wang,Shiping Chen,Sushil Jajodia

DOI: https://doi.org/10.1145/1102120.1102133

2005-01-01

Abstract:Peer-to-peer VoIP calls are becoming increasingly popular due to their advantages in cost and convenience. When these calls are encrypted from end to end and anonymized by low latency anonymizing network, they are considered by many people to be both secure and anonymous.In this paper, we present a watermark technique that could be used for effectively identifying and correlating encrypted, peer-to-peer VoIP calls even if they are anonymized by low latency anonymizing networks. This result is in contrast to many people's perception. The key idea is to embed a unique watermark into the encrypted VoIP flow by slightly adjusting the timing of selected packets. Our analysis shows that it only takes several milliseconds time adjustment to make normal VoIP flows highly unique and the embedded watermark could be preserved across the low latency anonymizing network if appropriate redundancy is applied. Our analytical results are backed up by the real-time experiments performed on leading peer-to-peer VoIP client and on a commercially deployed anonymizing network. Our results demonstrate that (1) tracking anonymous peer-to-peer VoIP calls on the Internet is feasible and (2) low latency anonymizing networks are susceptible to timing attacks.

Shui Yu,Guofeng Zhao,Wanchun Dou,Simon James

DOI: https://doi.org/10.1109/tifs.2012.2197392

IF: 7.231

2012-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Anonymous communication has become a hot research topic in order to meet the increasing demand for web privacy protection. However, there are few such systems which can provide high level anonymity for web browsing. The reason is the current dominant dummy packet padding method for anonymization against traffic analysis attacks. This method inherits huge delay and bandwidth waste, which inhibits its use for web browsing. In this paper, we propose a predicted packet padding strategy to replace the dummy packet padding method for anonymous web browsing systems. The proposed strategy mitigates delay and bandwidth waste significantly on average. We formulated the traffic analysis attack and defense problem, and defined a metric, cost coefficient of anonymization (CCA), to measure the performance of anonymization. We thoroughly analyzed the problem with the characteristics of web browsing and concluded that the proposed strategy is better than the current dummy packet padding strategy in theory. We have conducted extensive experiments on two real world data sets, and the results confirmed the advantage of the proposed method.

Guang Jin,Jiangang Yang,Wei Wei,Yabo Dong

DOI: https://doi.org/10.1109/CHINACOM.2007.4498433

2007-01-01

Abstract:A novel packet marking scheme is proposed to defend against network or bandwidth DDoS attacks, especially where malicious packets do not target the victim directly. A recent study shows that packet-level symmetry exists in legitimate Internet traffic while malicious flooding traffic often exhibits packet asymmetry. Our scheme utilizes the packet asymmetry to differentiate malicious and legitimate traffic. When a packet to a destination host is transmitted from a router, a packet asymmetry score, the ratio of transmitted to received packets of the destination host over the last interval, is calculated and recorded into the packet's header additively. Malicious packets should carry higher scores because of the absence of reverse packets. When packets with packet asymmetry scores arrive at a downstream router, where some packets are dropped because of congestion, the router should drop packets with higher scores preferentially. Simulation results show the scheme is effective to defend against DDoS attacks targeting network resources.

Yiqun Hui,Daoshun Wang,Xianghui Zhao,Shundong Li

2018-01-01

International Journal on Future Revolution in Computer Science & Communication Engineering

Abstract:The watermarking scheme based on finite state machine can achieve temporal desynchronization without additional synchronization signals or exhaustive search. However, the resistance to the frame dropping attack and the decimation attack is highly dependent on the repetition redundancy unit. When the video is truncated, permuted and reassembled, the extracted watermark has a low bit correct rate (BCR). In this work, we analyze and improve the correlation-based extracting method for spread-spectrum watermarking and propose a non-synchronization extracting strategy based on statistical inference. The proposed method is resistant to most of the temporal synchronization attacks.

W Li,XY Xue,PZ Lu

DOI: https://doi.org/10.1109/tmm.2005.861291

IF: 7.3

2006-01-01

IEEE Transactions on Multimedia

Abstract:Synchronization attacks like random cropping and time-scale modification are very challenging problems to audio watermarking techniques. To combat these attacks, a novel content-dependent localized robust audio watermarking scheme is proposed. The basic idea is to first select steady high-energy local regions that represent music edges like note attacks, transitions or drum sounds by using different methods, then embed the watermark in these regions. Such regions are of great importance to the understanding of music and will not be changed much for maintaining high auditory quality. In this way, the embedded watermark has the potential to escape all kinds of distortions. Experimental results show strong robustness against common audio signal processing, time-domain synchronization attacks, and most distortions introduced in Stirmark for Audio.