rainbow: a robust and invisible non-blind watermark for ...€¦ · run time: 0.4 microsec for 400...
TRANSCRIPT
![Page 1: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/1.jpg)
RAINBOW: A Robust And Invisible Non-Blind Watermark for Network Flows
Amir HoumansadrNegar KiyavashNikita Borisov
University of Illinois at Urbana-Champaign
![Page 2: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/2.jpg)
Traffic analysis
Low-latency traffic analysis Intrusion detectionCompromising anonymous networks
2NDSS '09
![Page 3: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/3.jpg)
3
Stepping stone detection
Enterprise network
NDSS '09
![Page 4: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/4.jpg)
4
Compromising Anonymity
Tor anonymous network
NDSS '09
![Page 5: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/5.jpg)
Traffic analysisPassive
Analyzing original packet counts, timing, …Common Problem: low efficiency
Slow decision (not real time) , high false errors, …
Active (watermarking)Motivation: improve efficiencyUsing modified packet timing, count, rate, …Multimedia watermarking: QIM, Patchwork, …
5NDSS '09
![Page 6: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/6.jpg)
6
Stepping stone detection
Enterprise network
NDSS '09
![Page 7: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/7.jpg)
7
Compromising Anonymity
Tor anonymous network
NDSS '09
![Page 8: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/8.jpg)
Terminology
Blind Watermarking
NDSS '09 8
Watermark
![Page 9: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/9.jpg)
Terminology
Non-Blind Watermarking
NDSS '09 9
WatermarkFlow Info
![Page 10: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/10.jpg)
10
Motivation of RAINBOWWatermarking: efficient detection Common Problem with watermarking
Blind: Lack of InvisibilityLegitimate-user disturbanceSubject to attacks
Non-Blind: in middle of passive schemes and active blind schemesRobust to network perturbationsRobust and Invisible Non-Blind Watermark
RAINBOW
NDSS '09
![Page 11: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/11.jpg)
Watermark Insertion
Uses Inter-Packet Delay (IPD) information for watermarking
Based on spread spectrum multimedia watermarking
11
Pre-IPD
Post-IPD
NDSS '09
WM
![Page 12: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/12.jpg)
12
Insertion scheme
Post_IPD(tw)=Pre_IPD(tu) +WmRecv_IPD(tr)–Pre_IPD(tu )=Wm+Jitter
NDSS '09
![Page 13: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/13.jpg)
13
IPD databaseFor new flows, watermarker creates an entry in database
Last N packetsUpdate during time
Entry is removed from database, after connection endsResources
Memory: 3.1 MB for an institution with 400 members
NDSS '09
![Page 14: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/14.jpg)
14
Detection schemeUse last N samples of received flowRecv_IPD – Pre_IPD = Wm + Net_Jitter
Detection of spread spectrum signalNetwork jitter model: Laplacian Lap(0,bδ)
Normalized Correlation is an efficient detection ruleDecision based on threshold
NDSS '09
![Page 15: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/15.jpg)
15
System analysisModel system
Jitter IPDs: exponential
SNR : watermark amplitude
Hypothesis testingTrue detection
False detection
δ
γb
a2
=
),0( δδ bLap∝
NDSS '09
)21,0(0 N
LapT ∝
)21,(1 N
LapT γ∝
a
![Page 16: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/16.jpg)
16
System analysis Detection threshold η
MinMax ruleCOER
Neyman-Pearson
neFP 2
21 η−=
neFN 2)(
21 ηγ −−=
H0 H1
NDSS '09
![Page 17: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/17.jpg)
17
MinMax analysis
NDSS '09
a= 10msn=400
FN=10-6
FP=10-6
a= 5msn=1300FN=10-6
FP=10-6
![Page 18: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/18.jpg)
Implementations
PlanetLab infrastructure Larger jitter than normal traffic
SSH traffic
NDSS '09 18
![Page 19: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/19.jpg)
19
Implementation results
NDSS '09
a=10 ms100 flows
![Page 20: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/20.jpg)
20
Implementation results
NDSS '09
n=500jitter=10ms
![Page 21: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/21.jpg)
Practical COER
21NDSS '09
γ=1
a=10msn=400
COER=10-6
![Page 22: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/22.jpg)
22
Selective correlation
Sources of flow modificationProtocol specific causes: duplicated, retransmitted, re-packetized, …Protocol specific packets: TCP ACK/SYN, SSH initial packets, …Initial delay
Matching blockSliding windows
NDSS '09
![Page 23: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/23.jpg)
23
Implementation
r=0%r=10%r=20%
NDSS '09
![Page 24: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/24.jpg)
Invisibility
Using Non-blind spread spectrum watermark we expect high invisibilityConfirmed through information-theoretic tools:
Kolmogorov-Smirnov test98% confidence
Entropy-based tools of Giavencchio for covert channels (CCS’07)
24NDSS '09
![Page 25: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/25.jpg)
Performance comparisonRun time: 0.4 microsec for 400 connections with 5000 packetsDetection time: about 3 min (400 packets)False errors of order 10-6
Passive schemes: 10-2
Blind watermarks: at most 10-5
Invisibility
NDSS '09 25
![Page 26: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/26.jpg)
26
ConclusionsRAINBOW: A novel traffic analysis
In between of passive and blind active
High Detection EfficiencyInvisibilityRobustness to flow modifications
Future work: Use fast coding tools to insert watermarks more efficiently
Effective semi-blind or blind schemes
NDSS '09
![Page 27: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/27.jpg)
Thanks
![Page 28: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/28.jpg)
28
Implementation results
NDSS '09
![Page 29: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/29.jpg)
29r=0%r=5%r=10%NDSS '09
![Page 30: RAINBOW: A Robust And Invisible Non-Blind Watermark for ...€¦ · Run time: 0.4 microsec for 400 connections with 5000 packets Detection time: about 3 min (400 packets) False errors](https://reader034.vdocuments.us/reader034/viewer/2022042620/5f49164b60a65d1f9568bcbb/html5/thumbnails/30.jpg)
Neyman-Pearson analysis
30
FP=10-3 FP=10-6
NDSS '09