A highly optimized flow-correlation attack
Juan A. Elices, Fernando Perez-Gonzalez

TL;DR
This paper introduces a highly optimized passive flow correlation attack that outperforms existing watermarking schemes in detecting similar network flows, even under adversarial countermeasures, with practical implementation on live networks.
Contribution
It presents a novel passive correlation technique based on the Neyman-Pearson lemma, achieving high performance and undetectability, and demonstrates superiority over state-of-the-art methods.
Findings
Outperforms existing watermarking schemes in detection accuracy.
Requires only tens to hundreds of packets for reliable detection.
Effective in real-world network scenarios with countermeasures.
Abstract
Deciding that two network flows are essentially the same is an important problem in intrusion detection and in tracing anonymous connections. A stepping stone or an anonymity network may try to prevent flow correlation by adding chaff traffic, splitting the flow into several subflows or adding random delays. A well-known attack for these types of systems is active watermarking. However, active watermarking systems can be detected and an attacker can modify the flow in such a way that the watermark is removed and can no longer be decoded. This leads to the two basic features of our scheme: a highly optimized algorithm that achieves very good performance and a passive analysis that is undetectable. We propose a new passive analysis technique where detection is based on the Neyman-Pearson lemma. We correlate the inter-packet delays (IPDs) from both flows. Then, we derive a modification to deal…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Network Traffic and Congestion Control
