Exposing Invisible Timing-Based Traffic Watermarks with BACKLIT

Xiapu Luo, Peng Zhou, Junjie Zhang, Roberto Perdisci, Wenke Lee, Rocky K.C. Chang

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Traffic watermarking is an important element in many network security and privacy applications, such as tracing botnet C&C communications and deanonymizing peer-to-peer VoIP calls. The state-of-the-art traffic watermarking schemes are usually based on packet timing information and they are notoriously difficult to detect. In this paper, we show for the first time that even the most sophisticated timing-based watermarking schemes (e.g., RAINBOW and SWIRL) are not invisible by proposing a new detection system called BACKLIT. BACKLIT is designed according to the observation that any practical timing-based traffic watermark will cause noticeable alterations in the intrinsic timing features typical of TCP flows. We propose five metrics that are sufficient for detecting four state-of-the-art traffic watermarks for bulk transfer and interactive traffic. BACKLIT can be easily deployed in stepping stones and anonymity networks (e.g., Tor), because it does not rely on strong assumptions and can be realized in an active or passive mode. We have conducted extensive experiments to evaluate BACKLIT's detection performance using the PlanetLab platform. The results show that BACKLIT can detect watermarked network flows with high accuracy and few false positives.

Original language: American English
Title of host publication: Proceedings - 27th Annual Computer Security Applications Conference, ACSAC 2011
Publisher: Publ by ACM
Pages: 197-206
Number of pages: 10
ISBN (Print): 9781450306720
State: Published - Dec 5 2011
Externally published: Yes
Event: 27th Annual Computer Security Applications Conference, ACSAC 2011 - Orlando, FL, United States
Duration: Dec 5 2011 to Dec 9 2011

Conference

Conference: 27th Annual Computer Security Applications Conference, ACSAC 2011
Country/Territory: United States
City: Orlando, FL
Period: 12/5/11 to 12/9/11

ASJC Scopus Subject Areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Keywords

  • BACKLIT
  • invisible
  • network security
  • privacy applications
  • timing-based
  • traffic watermarks

Disciplines

  • Computer Sciences
  • Engineering
