Linking Correlated Network Flows through Packet Timing: a Game-Theoretic Approach
Juan A. Elices, Fernando Perez-Gonzalez

TL;DR
This paper introduces a game-theoretic framework to analyze flow correlation in network security, considering adversaries that delay, add, or remove packets, and derives Nash equilibria for these scenarios.
Contribution
It develops a novel game-theoretic model for flow correlation under active attacks, deriving Nash equilibria for different adversary capabilities.
Findings
Identifies limits of flow correlation based on packet timing.
Derives Nash equilibria for two adversary models.
Provides insights into the effectiveness of flow correlation defenses.
Abstract
Deciding that two network flows are essentially the same is an important problem in intrusion detection or in tracing anonymous connections. A stepping stone or an anonymity network may try to prevent flow correlation by delaying the packets, introducing chaff traffic, or even splitting the flow into several subflows. We introduce a game-theoretic framework for this problem. The framework is used to derive the Nash equilibrium under two different adversary models: the first one, when the adversary is limited to delaying packets, and the second, when the adversary also adds dummy packets and removes packets from the flow. As the optimal decoder is not computationally feasible, we restrict the possible decoder to one that estimates and compensates the attack. Our analysis can be used for understanding the limits of flow correlation based on packet timings under an active attacker.
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Opinion Dynamics and Social Influence
