Traffic watermarking has become an important element in many network security and privacy applications. Once a traffic watermark is injected into a network flow, the watermarked traffic can be identified and followed from other network locations. Thus, it can be used for tracing communications among bot-compromised machines, deanonymizing peer-to-peer VoIP calls, and other novel applications. The state-of-the-art traffic watermarking schemes are based on packet timing information. These timing-based watermarks are known to be robust to adversarial network conditions and notoriously difficult to detect. In this paper, however, we show for the first time that even the most sophisticated timing-based watermarking schemes (e.g., RAINBOW and SWIRL) are not invisible. We show this by proposing a new detection system called BACKLIT, which can expose several advanced timing-based traffic watermarks. BACKLIT is designed based on the first principle that any practical timing-based watermark will cause noticeable alterations to the intrinsic timing features typical of TCP flows. Based on this principle, we design five metrics which are sufficient for detecting four main watermarks for bulk transfer and interactive traffic. Equally important, BACKLIT can be deployed easily in stepping stones or anonymity networks (e.g., Tor), because it does not rely on unrealistic assumptions and can be realized in either active or passive mode. We have conducted extensive experiments to evaluate BACKLIT's detection performance on the PlanetLab platform, and the results show that BACKLIT can detect watermarked network flows with high accuracy and low false positives.
Author(s):
Xiapu Luo, The Hong Kong Polytechnic University, Hong Kong
Peng Zhou, The Hong Kong Polytechnic University, Hong Kong
Junjie Zhang, Georgia Institute of Technology, United States
Roberto Perdisci, University of Georgia, United States
Wenke Lee, Georgia Institute of Technology, United States
Rocky K. C. Chang, The Hong Kong Polytechnic University, Hong Kong