Zhong Guan,Chang Liu,Gang Xiong,Zhen Li,Gaopeng Gou

DOI: https://doi.org/10.1016/j.cose.2022.103018

IF: 5.105

2023-01-01

Computers & Security

Abstract:Tor is the most widely used anonymous network which provides anonymity by using proxy nodes to route data. However, many researches have proved that flow correlation attacks can break the anonymity of users’ communication relationships: once attackers have access to the ingress and egress traffic flows at both ends of the network, they will find the specific user who is visiting a monitored Internet service by observing the traffic shape. Existing flow correlation attacks have limited effects because of insufficient traffic shape features, network noise influence and lack of differentiated learning on unrelated flows. In this paper, we propose an improved flow correlation attacking model named FlowTracker which contains four modules: In flow cumulative representation module, raw and normalized cumulative sequences are combined to construct robust traffic shape features. In noise resistant mapping module, stacked auto-encoders are adopted to learn the mapping relationship between related ingress and egress cumulative representations and filter out the network noise. Moreover, we leverage contrast learning in distance optimization module to generate the optimized representation in which difference between unrelated representations is amplified, further reducing the false correlation rate with similar but unrelated flows. Finally, the target flow is reported through a multi-layer decision process in the hierarchical judgment module. We evaluate FlowTracker and other advanced comparison methods on the public and self-built datasets with the more realistic unidirectional setting, experiment results demonstrate that FlowTracker has the highest attacking success rate under general and targeted scenarios, especially when the traffic shape is seriously destroyed by traffic obfuscation.

Jiangtao Zhai,Kaijie Zhang,Xiaolong Zeng,Yufei Meng,Guangjie Liu

DOI: https://doi.org/10.1155/2024/8823511

IF: 8.993

2024-10-31

International Journal of Intelligent Systems

Abstract:Anonymous network tracing is a significant research subject in the field of network security, and flow correlation technology serves as a fundamental technique for deanonymizing network traffic. Existing flow correlation techniques are considered ineffective and unreliable when applied on a large scale because they exhibit high false‐positive rates or require impractically long periods of traffic observation to achieve reliable correlations. To address this issue, this paper proposed an innovative flow correlation approach for the typical and most widely used Tor anonymous network by combining graph convolutional neural networks with triplet networks. Our proposed method involves extracting features such as packet intervals, packet lengths, and directions from Tor network traffic and encoding each flow into a graph representation. The integration of triplet networks enhances the internode relationships, which can effectively fuse flow representations with node associations. The graph convolutional neural network extracts features from the input graph topology, mapping them to distinct representations in the embedding space, thus effectively distinguishing different Tor flows. Experimental results demonstrate that with a false‐positive rate as low as 0.1%, the correlation accuracy reaches 86.4%, showcasing a 5.1% accuracy improvement compared to the existing state‐of‐the‐art methods.

computer science, artificial intelligence

Jianhua Yang,Lixin Wang

DOI: https://doi.org/10.3390/electronics13163258

IF: 2.9

2024-08-18

Electronics

Abstract:In the past three decades, stepping-stone intrusion has become a professional and primary way used by intruders to launch their attacks since they can be protected behind a long TCP connection chain. Many different algorithms have been proposed to detect stepping-stone intrusion since 1995. But most algorithms cannot resist intruders' session manipulation. In this paper, we propose a novel approach using the distribution of round-trip time (RTT) of network traffic to detect stepping-stone intrusion. This approach can resist intruders' chaff-perturbation since the round-trip time of network packets can fairly be affected by chaffed packets. The ratio between the standard deviation of the RTTs between Send and Echo packets and the standard deviation of the RTTs between Send and Ack packets can be used to predict if a stepping-stone intrusion exists. The closer to 0 the ratio, the more suspicious a stepping-stone intrusion.

engineering, electrical & electronic,computer science, information systems,physics, applied

Hansika Weerasena,Prabhat Mishra

DOI: https://doi.org/10.1145/3677034

IF: 2.013

2024-07-10

ACM Journal on Emerging Technologies in Computing Systems

Abstract:Network-on-Chip (NoC) is widely used to facilitate communication between components in sophisticated System-on-Chip (SoC) designs. Security of the on-chip communication is crucial because exploiting any vulnerability in shared NoC would be a goldmine for an attacker that puts the entire computing infrastructure at risk. We investigate the security strength of existing anonymous routing protocols in NoC architectures, making two pivotal contributions. Firstly, we develop and perform a machine learning (ML)-based flow correlation attack on existing anonymous routing techniques in Network-on-Chip (NoC) systems, revealing that they provide only packet-level anonymity. Secondly, we propose a novel, lightweight anonymous routing protocol featuring outbound traffic tunneling and traffic obfuscation. This protocol is designed to provide robust defense against ML-based flow correlation attacks, ensuring both packet-level and flow-level anonymity. Experimental evaluation using both real and synthetic traffic demonstrates that our proposed attack successfully deanonymizes state-of-the-art anonymous routing in NoC architectures with high accuracy (up to 99%) for diverse traffic patterns. It also reveals that our lightweight anonymous routing protocol can defend against ML-based attacks with minor hardware and performance overhead.

engineering, electrical & electronic,computer science, hardware & architecture,nanoscience & nanotechnology

Zhong Guan,Chang Liu,Gaopeng Gou,Zhen Li,Gang Xiong,Yangyang Ding,Chengshang Hou

DOI: https://doi.org/10.1016/j.comnet.2024.110831

2024-01-01

Abstract:Tor is the most widely used anonymous communication system at present which can anonymize users' network behavior. At the same time, many illegal network activities also appear more frequently with the help of Tor, posing serious challenges for cyberspace security. Therefore, flow fingerprinting and flow correlation analysis methods are put forward to de-anonymize the malicious anonymous behaviors, which utilize external traffic features as the side-channel information. However, the adversary often reduces the ability of above two methods by adding the disturbance to the anonymous traffic. As a countermeasure against the interference, disturbance-resistant analysis methods can effectively identify those adversarial behaviors while knowing how the traffic is modified. However, in real scenarios, it is unrealistic to distinguish between disturbed and nondisturbed anonymous traffic, let alone to have a clear grasp of the disturbing strategy. In this paper, we propose a blind anonymous traffic analysis method called Blind Analyzer based on pattern reconstruction skills in a "masking-generation" manner. Specifically, Blind Analyzer extracts the pattern knowledge from non-disturbed traffic samples by masking and reconstructing them. During the method application, disturbed anonymous traces are processed following the same way, aiming at removing the incremental noise at the masking stage and restoring the original shape at the reconstruction stage. Besides, a conditional discriminator is designed to determine whether the generated sample has obvious class characteristics. Benefited from the proposed method, we can improve the effectiveness of the anonymous network behavior analysis since the disturbed traffic can be restored as normal ones accurately enough. Experiment results on three datasets show that reconstructed traffic samples output by Blind Analyzer are more useful for base analysis models, which improve the corresponding metric values by 11.23% and 6.61% in max for flow fingerprinting and correlation tasks, respectively.

Xingang Shi,Chi-Kin Chau,Dah-Ming Chiu

DOI: https://doi.org/10.1109/INFCOM.2011.5934899

2011-01-01

Abstract:The information of temporal correlations among network-wide data flows is crucial to a wide range of network management applications, such as root-cause analysis, threat monitoring, and traffic profiling. While several prior work had only studied the centralized and offline computation of flow correlations, we present DisTrack, a space-efficient network management mechanism for online tracking of network-wide temporal flow correlations. The major benefits of DisTrack include low space complexity, high processing speed, and ease of distributed deployment. This paper presents its randomized data structures, with theoretical analysis on the trade-off between space complexity and accuracy. We further provide extensive empirical evaluations on real network traces.

Jing Tian,Gaopeng Gou,Yangyang Guan,Wei Xia,Gang Xiong,Chang Liu

DOI: https://doi.org/10.1109/IPCCC51483.2021.9679433

2021-01-01

Abstract:Tor is a popular anonymous social network. However, it is also concerned by censors or other malicious attackers. A large body of work examines Tor’s susceptibility to flow correlation attacks. Moreover, the existing methods to defend against such attacks have two inherent drawbacks. One is they will bring high delay to the system, the other is they lack of theoretical basis to prove their effecti...

Xinwen Fu,Ye Zhu,Bryan Graham,Riccardo Bettati,Wei Zhao

DOI: https://doi.org/10.1166/juci.2007.005

2007-04-01

Journal of Ubiquitous Computing and Intelligence

Abstract:This paper studies the degradation of anonymity in a flow-based wireless mix network under flow marking attacks, in which an adversary embeds a recognizable pattern of marks into wireless traffic flows by electromagnetic interference. We find that traditional mix technologies are not effective in defeating flow marking attacks, and it may take an adversary only a few seconds to recognize the communication relationship between hosts by tracking such intentional marks. Flow marking attacks utilize frequency domain analytical techniques and convert time domain marks into invariant feature frequencies. To counter flow marking attacks, we propose a new class of countermeasure based on digital filtering technology and show that this filter-based countermeasure can effectively defend a wireless mix network from flow marking attacks.

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.

Shui Yu,Wanlei Zhou,Weijia Jia,Song Guo,Yong Xiang,Feilong Tang

DOI: https://doi.org/10.1109/tpds.2011.262

IF: 5.3

2012-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Distributed Denial of Service (DDoS) attack is a critical threat to the Internet, and botnets are usually the engines behind them. Sophisticated botmasters attempt to disable detectors by mimicking the traffic patterns of flash crowds. This poses a critical challenge to those who defend against DDoS attacks. In our deep study of the size and organization of current botnets, we found that the current attack flows are usually more similar to each other compared to the flows of flash crowds. Based on this, we proposed a discrimination algorithm using the flow correlation coefficient as a similarity metric among suspicious flows. We formulated the problem, and presented theoretical proofs for the feasibility of the proposed discrimination method in theory. Our extensive experiments confirmed the theoretical analysis and demonstrated the effectiveness of the proposed method in practice.

Jie Ma,Zhitang Li,Weiming Li

DOI: https://doi.org/10.1109/FSKD.2008.522

2008-01-01

Abstract:Signature based network intrusion detection systems (NIDSs) often report a massive number of elementary alerts of low-level security-related events which are logically involved in a single multi-stage attack. Since be overwhelmed by these alerts, security administrators almost unable to discover complicated multistage attack in time. It is necessary to develop a real-time system to extracting useful attack strategies from the alert stream, which enables network administrators to launches appropriate response to stop attacks and prevent them form escalating. This paper focuses on developing a new alert clustering and correlation technique to automatically discover attack strategies from the evolving alert stream, without specific prior knowledge. The proposed algorithms can discovery various attack sequential patterns in different kinds of time horizons or user-defined time periods. Experiments show our approach can effectively construct attack scenarios and accordingly predict next most possible attack behavior.

Mingyan Li,Cailian Chen,Cunqing Hua,Xinping Guan

DOI: https://doi.org/10.1109/icc.2019.8761224

2019-01-01

Abstract:Traffic monitoring is instrumental to a number of applications such as traffic engineering, QoS routing, anomaly detection and so on. With an accurate global view, software defined networking (SDN) has the capability to offer flexible, non-intrusive flow measurement by using wildcard matching in both direct per-flow and indirect aggregated manners. As a result, the complete and fine-grained traffic matrix (TM) monitoring, which is a challenge in traditional large-scale sensor networks, becomes more accessible. However, exiting SDN monitoring solutions have a poor trade-off between the resource-hungry nature of full sampling and limited accuracy of TM inference. Thus, in this paper, we aim to address this issue by developing CFlow, a lightweight compressive flow statistics collection (FSC) scheme for SDNs. By taking advantage of the low-rank and short-term stability features of real-world TMs, CFlow selectively samples flow statistics through custom-tailored wildcard rules, with which the final TMs are recovered via the matrix completion technique. Moreover, since the accurate measurement of large flows can improve the overall TM estimation performance, CFlow successively learns these informative flows with additional observation from both per-flow statistics collection and the latest recovered TMs. Simulation results based on real TMs demonstrate that CFlow can not only provide fine-grain visibility into network traffic but also avoid considerable monitoring overhead.

Chong Fu,Jie Wang,Xiaoguang Chen,Zhiguang Qin,Mingyuan Zhao,Weizhong Qian

2011-01-01

Journal of Computational Information Systems

Abstract:Dependent Link Padding algorithm (DLP) is one of the most effective flow transformation methods to fight against the timing attack on the anonymous communication system. However, it causes significant negative effects on the communication performance due to the high volume of dummy packets sent during the processing. In order to improve the feasibility and the efficiency of DLP, we propose an extended DLP algorithm Hi-WAP-DLP in this paper. By applying Hierarchical Weighted Affinity Propagation (Hi-WAP) to cluster the flows based on flow density, DLP flow transformation is implemented on each flow cluster separately instead of handling all flows as a whole bundle. Through this mechanism, the dummy packets which generated by flow transformation are remarkably reduced. The simulation with the real Internet trace files proves that our proposed Hi-WAP-DLP algorithm can significantly improve the system performance and meet against the requirement of least acceptable anonymity. © 2011 Binary Information Press.

Jie Ying,Tiantian Zhu,Wenrui Cheng,Qixuan Yuan,Mingjun Ma,Chunlin Xiong,Tieming Chen,Mingqi Lv,Yan Chen

2024-05-04

Abstract:As the complexity and destructiveness of Advanced Persistent Threat (APT) increase, there is a growing tendency to identify a series of actions undertaken to achieve the attacker's target, called attack investigation. Currently, analysts construct the provenance graph to perform causality analysis on Point-Of-Interest (POI) event for capturing critical events (related to the attack). However, due to the vast size of the provenance graph and the rarity of critical events, existing attack investigation methods suffer from problems of high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient and real-time system for constructing critical component graphs (i.e., consisting of critical events) from streaming logs. Our key observation is 1) Critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) Information flows that accomplish attacker's goal exist in the form of paths. Therefore, SPARSE uses a two-stage framework to implement attack investigation (i.e., constructing the SSG and performing path-level contextual analysis). First, SPARSE operates in a state-based mode where events are consumed as streams, allowing easy access to the SSG related to the POI event through semantic transfer rule and storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event from the SSG, quantifies the influence of each path to filter irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~ 113 edges) in 1.6 seconds, which is 2014 X smaller than the backtracking graph (~ 227,589 edges). SPARSE is 25 X more effective than other state-of-the-art techniques in filtering irrelevant edges.

Cryptography and Security

Xiaofei Bu,Yu-E Sun,Yang Du,Xiaocan Wu,Boyu Zhang,He Huang

DOI: https://doi.org/10.1007/s12083-020-01036-8

2021-01-11

Abstract:Detecting the flows with abnormally large spreads over big network data can help us identify network attacks, such as DDoS attacks and scanners. Most per-flow measurement studies use compact data structures to reduce their memory requirements, fitting in the limited on-chip memory and catching up with the line rate. In this paper, we study a novel problem called spread estimation among multi-periods to measure the total number of distinct elements or the number of distinct <i>k</i>-persistent elements in a flow among multiple traffic measurement periods. In our design, we use an on-chip/off-chip model to record the per-flow traffic information, which uses small on-chip memory and matches the line rate, <i>i.e.</i>, we use on-chip memory to filter out the duplicates, sample the elements, and store the sampled traffic data in off-chip memory. By performing the set operations on the sampled traffic data, we can derive the total number of distinct elements and the number of distinct <i>k</i>-persistent elements among multiple periods based on probability analysis. The experimental results on real Internet traffic traces show that, when performing spread estimation among multiple periods, our estimator is efficient in memory usage and estimation accuracy and can efficiently detect the stealthy DDoS attack and scanners.

computer science, information systems,telecommunications

Raja Giryes,Lior Shafir,Avishai Wool

DOI: https://doi.org/10.48550/arXiv.2405.07232

2024-05-12

Abstract:Distributed Denial of Service (DDoS) attacks are getting increasingly harmful to the Internet, showing no signs of slowing down. Developing an accurate detection mechanism to thwart DDoS attacks is still a big challenge due to the rich variety of these attacks and the emergence of new attack vectors. In this paper, we propose a new tree-based DDoS detection approach that operates on a flow as a stream structure, rather than the traditional fixed-size record structure containing aggregated flow statistics. Although aggregated flow records have gained popularity over the past decade, providing an effective means for flow-based intrusion detection by inspecting only a fraction of the total traffic volume, they are inherently constrained. Their detection precision is limited not only by the lack of packet payloads, but also by their structure, which is unable to model fine-grained inter-packet relations, such as packet order and temporal relations. Additionally, inferring aggregated flow statistics must wait for the complete flow to end. Here we show that considering flow inputs as variable-length streams composed of their associated packet headers, allows for very accurate and fast detection of malicious flows. We evaluate our proposed strategy on the CICDDoS2019 and CICIDS2017 datasets, which contain a comprehensive variety of DDoS attacks. Our approach matches or exceeds existing machine learning techniques' accuracy, including state-of-the-art deep learning methods. Furthermore, our method achieves significantly earlier detection, e.g., with CICDDoS2019 detection based on the first 2 packets, which corresponds to an average time-saving of 99.79% and uses only 4--6% of the traffic volume.

Cryptography and Security

Lixin Wang,Jianhua Yang,Xiaohua Xu,Peng-Jun Wan

DOI: https://doi.org/10.1155/2021/6632671

2021-03-03

Wireless Communications and Mobile Computing

Abstract:Intruders on the Internet usually launch network attacks through compromised hosts, called stepping stones, in order to reduce the chance of being detected. With stepping-stone intrusions, an attacker uses tools such as SSH to log in several compromised hosts remotely and create an interactive connection chain and then sends attacking packets to a target system. An effective method to detect such an intrusion is to estimate the length of a connection chain. In this paper, we develop an efficient algorithm to detect stepping-stone intrusion by mining network traffic using the k -means clustering. Existing approaches for connection-chain-based stepping-stone intrusion detection either are not effective or require a large number of TCP packets to be captured and processed and, thus, are not efficient. Our proposed detection algorithm can accurately determine the length of a connection chain without requiring a large number of TCP packets being captured and processed, so it is more efficient. Our proposed detection algorithm is also easier to implement than all existing approaches for stepping-stone intrusion detection. The effectiveness, correctness, and efficiency of our proposed detection algorithm are verified through well-designed network experiments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Negar Kiyavash,Amir Houmansadr,Nikita Borisov

DOI: https://doi.org/10.48550/arXiv.1203.1390

2012-03-11

Abstract:In this paper, we analyze several recent schemes for watermarking network flows that are based on splitting the flow into timing intervals. We show that this approach creates time-dependent correlations that enable an attack that combines multiple watermarked flows. Such an attack can easily be mounted in nearly all applications of network flow watermarking, both in anonymous communication and stepping stone detection. The attack can be used to detect the presence of a watermark, recover the secret parameters, and remove the watermark from a flow. The attack can be effective even if different flows are marked with different values of a watermark. We analyze the efficacy of our attack using a probabilistic model and a Markov-Modulated Poisson Process (MMPP) model of interactive traffic. We also implement our attack and test it using both synthetic and real-world traces, showing that our attack is effective with as few as 10 watermarked flows. Finally, we propose possible countermeasures to defeat the multi-flow attack.

Cryptography and Security

Chuanpu Fu,Qi Li,Ke Xu

DOI: https://doi.org/10.1109/tnet.2024.3370851

2024-01-01

IEEE/ACM Transactions on Networking

Abstract:Nowadays traffic on the Internet has been widely encrypted to protect its confidentiality and privacy. However, traffic encryption is always abused by attackers to conceal their malicious behaviors. Since encrypted malicious traffic is similar to benign flows, it can easily evade traditional detection. In particular, the existing encrypted traffic detection methods are supervised which rely on the prior knowledge of known attacks (e.g., labeled datasets). Detecting unknown encrypted malicious traffic, which does not require prior knowledge, is still an open problem. In this paper, we propose, an unsupervised machine learning (ML) based malicious traffic detection system. Particularly, is able to detect unknown patterns of encrypted malicious traffic by utilizing a graph built upon flow interaction patterns, instead of learning the features of specific known attacks. We develop an unsupervised graph learning method to detect abnormal interaction patterns by analyzing the graph features, which allows to detect unknown attacks without requiring any labeled datasets. Moreover, we establish an information theory model to prove the effectiveness of . We show the performance of by real-world experiments with 140 attacks. The experimental results illustrate that outperforms the state-of-the-art methods by 13.9% accuracy improvement. Moreover, achieves 15.82 Mpps detection throughput with the average detection latency of 0.29s.

telecommunications,computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

YE Lin,ZHANG Hongli,HE Hui

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.12.040

2007-01-01

Abstract:Network traffic is composed of many connections between hosts, which send all kinds of traffic data. Most studies focus on the statistic of integrated traffic, ignoring the microscopic relationship of different network flows. The paper focuses on analyzing the integrated traffic in a microscopic view, trying to find the relationship of network flows which are based on source and destination IP addresses and studying the difference of normal network flows and attack network flows in correlation.