TY - GEN
T1 - Tracing back attacks against encrypted protocols
AU - Taleb, Tarik
AU - Fadlullah, Zubair Md
AU - Hashimoto, Kazuo
AU - Nemoto, Yoshiaki
AU - Kato, Nei
PY - 2007
Y1 - 2007
N2 - Attacks against encrypted protocols have become increasingly popular and sophisticated. Such attacks are often undetectable by traditional Intrusion Detection Systems (IDSs). Additionally, the encrypted attack traffic makes tracing the source of the attack substantially more difficult. In this paper, we address these issues and devise a mechanism to trace back attackers against encrypted protocols. In our efforts to combat attacks against cryptographic protocols, we have integrated a traceback mechanism at the monitoring stubs (MSs), which were introduced in one of our previous works. While we previously focused on strategically placing monitoring stubs to detect attacks against encrypted protocols, in this work we aim at equipping MSs with a traceback feature. In our approach, when a given MS detects an attack, it starts tracing back to the root of the attack. The traceback mechanism relies on monitoring the extracted features at different MSs, i.e., at different points of the target network. At each MS, the monitored features over time provide a pattern which is compared or correlated with the monitored patterns at the neighboring MSs. A high correlation value in the patterns observed by two adjacent MSs indicates that the attack traffic propagated through the network elements covered by these MSs. Based on these correlation values and prior knowledge of the network topology, the system can then construct a path back to the attacking hosts. The effectiveness of the proposed traceback scheme is verified by simulations.
KW - Encryption
KW - Intrusion detection system (IDS)
KW - Traceback
UR - http://www.scopus.com/inward/record.url?scp=36849007415&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=36849007415&partnerID=8YFLogxK
U2 - 10.1145/1280940.1280966
DO - 10.1145/1280940.1280966
M3 - Conference contribution
AN - SCOPUS:36849007415
SN - 1595936955
SN - 9781595936950
T3 - IWCMC 2007: Proceedings of the 2007 International Wireless Communications and Mobile Computing Conference
SP - 121
EP - 126
BT - IWCMC 2007
T2 - IWCMC 2007: 2007 International Wireless Communications and Mobile Computing Conference
Y2 - 12 August 2007 through 16 August 2007
ER -