ABSTRACT
Network-based intruders seldom attack directly from their own hosts, but rather stage their attacks through intermediate "stepping stones" to conceal their identity and origin. To identify attackers behind stepping stones, it is necessary to be able to correlate connections through stepping stones, even if those connections are encrypted or perturbed by the intruder to prevent traceability. The timing-based approach is the most capable and promising current method for correlating encrypted connections. However, previous timing-based approaches are vulnerable to packet timing perturbations introduced by the attacker at stepping stones. In this paper, we propose a novel watermark-based correlation scheme that is designed specifically to be robust against timing perturbations. The watermark is introduced by slightly adjusting the timing of selected packets of the flow. By utilizing redundancy techniques, we have developed a robust watermark correlation framework that reveals a rather surprising result on the inherent limits of independent and identically distributed (iid) random timing perturbations over sufficiently long flows. We also identify the tradeoffs between timing perturbation characteristics and achievable correlation effectiveness. Experiments show that the new method performs significantly better than existing, passive, timing-based correlation in the presence of random packet timing perturbations.
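The following Python simulation is an added illustration of the mechanism the abstract describes; it is not the paper's code and does not reproduce the paper's exact scheme or parameters. A watermark bit is embedded by delaying selected packets so that the quantized average of a group of m interpacket delays (IPDs) has a chosen parity; a stepping-stone attacker then adds iid timing jitter to every IPD; the correlator decodes by quantizing the received group averages and compares the result with the expected watermark. The quantization step, the group-averaging form of redundancy, the uniform jitter model, the exponentially distributed IPDs and the 32-bit watermark are all constructed here and are assumptions, not values from the paper.

```python
"""Toy interpacket-delay (IPD) watermark with redundancy.

Simplified model written to illustrate the robustness-versus-iid-perturbation
argument; it is not the paper's implementation.  All constants are constructed.
"""
import math
import random
from statistics import mean

STEP_MS = 20.0        # quantization step s: marked group averages sit on multiples of s
IPDS_PER_BIT = 100    # redundancy m: each watermark bit is spread over m selected IPDs
WATERMARK = [int(b) for b in "10110010011101001010110011010011"]  # constructed 32-bit mark
MATCH_THRESHOLD = 4   # max Hamming distance at which we declare two flows correlated


def embed_watermark(ipds, bits, step=STEP_MS, m=IPDS_PER_BIT):
    """Return a copy of `ipds` (milliseconds) carrying `bits`.

    Bit i is encoded in the *average* of IPD group i (m consecutive selected IPDs):
    every IPD in the group gets the same extra delay so that the group average lands
    exactly on k*step with k % 2 == bit.  Only delays are ever added, because a
    watermarker can hold a packet back but cannot send it earlier than it arrived.
    """
    if len(ipds) < len(bits) * m:
        raise ValueError("flow too short for this watermark/redundancy")
    out = list(ipds)
    for i, bit in enumerate(bits):
        grp = slice(i * m, (i + 1) * m)
        avg = mean(out[grp])
        k = math.ceil(avg / step)       # smallest multiple of step reachable by delaying
        if k % 2 != bit:
            k += 1                      # next multiple with the wanted parity
        delay = k * step - avg          # >= 0 by construction
        out[grp] = [x + delay for x in out[grp]]
    return out


def decode_watermark(ipds, nbits, step=STEP_MS, m=IPDS_PER_BIT):
    """Recover nbits from a (possibly perturbed) flow: parity of the quantized group mean."""
    return [round(mean(ipds[i * m:(i + 1) * m]) / step) % 2 for i in range(nbits)]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def perturb(ipds, max_jitter_ms, rng):
    """Attacker model (assumed): iid uniform jitter in [-max, +max] ms on every IPD."""
    return [x + rng.uniform(-max_jitter_ms, max_jitter_ms) for x in ipds]


def constructed_flow(rng, n):
    """Constructed interactive-style flow: exponentially distributed IPDs, 200 ms mean."""
    return [rng.expovariate(1 / 200.0) for _ in range(n)]


def simulate(m, max_jitter_ms=30.0, seed=2003, nbits=len(WATERMARK)):
    """Embed, perturb, decode; return the number of watermark bit errors for redundancy m."""
    rng = random.Random(seed)
    marked = embed_watermark(constructed_flow(rng, nbits * m), WATERMARK, m=m)
    received = perturb(marked, max_jitter_ms, rng)
    return hamming(decode_watermark(received, nbits, m=m), WATERMARK)


def unmarked_distance(m=IPDS_PER_BIT, seed=2003, nbits=len(WATERMARK)):
    """Hamming distance between WATERMARK and what an unrelated, unmarked flow decodes to.

    An unmarked flow yields roughly random parities, so its distance stays near nbits/2
    and well above MATCH_THRESHOLD: this is what keeps false correlations low.
    """
    rng = random.Random(seed)
    flow = constructed_flow(rng, nbits * m)
    return hamming(decode_watermark(flow, nbits, m=m), WATERMARK)


if __name__ == "__main__":
    for m in (1, 10, 100):
        print(f"m={m:3d}: {simulate(m)} bit errors out of {len(WATERMARK)}")
    print("unmarked flow distance:", unmarked_distance())
```

With a jitter of up to 30 ms against a 20 ms quantization step, a single IPD per bit (m = 1) is flipped most of the time, while spreading each bit over 100 IPDs decodes cleanly: the jitter on the group average has a standard deviation that shrinks as 1/sqrt(m), so for any fixed iid perturbation the error rate can be driven as low as desired by using a longer flow. That is the shape of the "inherent limit" the abstract refers to; the same reasoning shows the tradeoff, since a larger m costs more packets per watermark bit and a larger step costs more added delay.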