DROPWAT: an Invisible Network Flow Watermark for Data Exfiltration Traceback
Alfonso Iacovazzi, Sanat Sarda, Daniel Frassinelli, and Yuval Elovici

TL;DR
DROPWAT is a novel timing-based network flow watermarking technique that invisibly traces data exfiltration flows across complex networks, including anonymous and multi-hop paths, with high detection accuracy.
Contribution
It introduces DROPWAT, the first active watermarking method that remains invisible to third parties while effectively tracing exfiltration traffic through various network conditions.
Findings
The watermark is invisible to third-party observers.
Detection accuracy exceeds 95% in experiments.
Effective across different network scenarios including TOR.
Abstract
Watermarking techniques have been proposed during the last 10 years as an approach to trace network flows for intrusion detection purposes. These techniques aim to impress a hidden signature on a traffic flow. A central property of network flow watermarking is invisibility, i.e., the ability to go unidentified by an unauthorized third party. Although widely sought after, the development of an invisible watermark is a challenging task that has not yet been accomplished. In this paper we take a step forward in addressing the invisibility problem with DROPWAT, an active network flow watermarking technique developed for tracing Internet flows directed to the staging server that is the final destination in a data exfiltration attack, even in the presence of several intermediate stepping stones or an anonymous network. DROPWAT is a timing-based technique that indirectly modifies interpacket…
