Exposing invisible timing-based traffic watermarks with BACKLIT

Xiapu Luo, Peng Zhou, Junjie Zhang, Roberto Perdisci, Wenke Lee, Kow Chuen Chang

Research output: Chapter in book / Conference proceedingConference article published in proceeding or bookAcademic researchpeer-review

28 Citations (Scopus)

Abstract

Traffic watermarking is an important element in many network security and privacy applications, such as tracing botnet C&C communications and deanonymizing peer-to-peer VoIP calls. The state-of- the-art traffic watermarking schemes are usually based on packet timing information and they are notoriously difficult to detect. In this paper, we show for the first time that even the most sophisticated timing-based watermarking schemes (e.g., RAINBOW and SWIRL) are not invisible by proposing a new detection system called BACKLIT. BACKLIT is designed according to the observation that any practical timing-based traffic watermark will cause noticeable alterations in the intrinsic timing features typical of TCP flows. We propose five metrics that are sufficient for detecting four state-of-the-art traffic watermarks for bulk transfer and interactive traffic. BACKLIT can be easily deployed in stepping stones and anonymity networks (e.g., Tor), because it does not rely on strong assumptions and can be realized in an active or passive mode. We have conducted extensive experiments to evaluate BACKLIT's detection performance using the PlanetLab platform. The results show that BACKLIT can detect watermarked network flows with high accuracy and few false positives.
Original languageEnglish
Title of host publicationProceedings - 27th Annual Computer Security Applications Conference, ACSAC 2011
Pages197-206
Number of pages10
DOIs
Publication statusPublished - 1 Dec 2011
Event27th Annual Computer Security Applications Conference, ACSAC 2011 - Orlando, FL, United States
Duration: 5 Dec 20119 Dec 2011

Conference

Conference27th Annual Computer Security Applications Conference, ACSAC 2011
CountryUnited States
CityOrlando, FL
Period5/12/119/12/11

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Cite this