Stepping-stone Network Attack Kit (SNEAK) For Evading Timing-based Detection Methods Under The Cloak Of Constant Rate Multimedia Streams

With the advent of the Internet, network-based security threats have been constantly on the rise. The source of an attack could be traced by studying the system logs and the source IP address of the attack can be used to identify and prosecute the attacker. To avoid getting traced and to mislead the forensic investigators, attackers usually compromise weaker nodes on less secure networks and use them as stepping stones to attack the victim. This technique makes it difficult for the investigators to trace the real source of attack. Hence, it is important to research the stepping stone detection techniques so that the attackers can be apprehended. An interesting approach towards detecting stepping stones is to correlate incoming and outgoing streams at the stepping stone. A popular way of achieving this is to watermark packet streams as it is effective against a wide range of evasion techniques. Previous investigators have described a promising technique by which an attacker could effectively evade any timing-based detection technique, including watermarking. Their basic idea was to remove timing information from the packet streams by disguising the attack traffic as constant rate multimedia stream. In this thesis, we investigate the effectiveness and plausibility of this approach. We present the design and implementation details of Stepping stone NEtwork Attack Kit (SNEAK), a system that implements the previously described evasion techniques. SNEAK includes implementations of two algorithms for managing traffic at the stepping stone. The first algorithm is the sender-side dropping algorithm, in which the stepping stone makes decisions about dropping packets as needed when packets are sent. The second algorithm is the receiver-side dropping algorithm, in which the stepping stone makes decisions about dropping packets as needed, when packets are received. To counter the packet drop and the packet loss, we maintain redundancy in the packet streams. Both algorithms are suitable for practical use, depending on the needs of the attacker. We defined metrics for robustness, usability and effectiveness, and we studied the trade-offs between them. We implemented a prototype of the SNEAK system and tested it on the PlanetLab network. Our prototype provides reliable transmission and reasonable performance for shell commands over at least two stepping stones and the traffic has the characteristics of a constant rate multimedia stream. We tested the effectiveness of SNEAK against a centroid-interval-based watermarking technique that is currently the best available timing-based detection technique. The experimental results indicate that timing information embedded in the incoming stream is completely eliminated in the outgoing stream. The results also demonstrate that SNEAK is suitable for practical use without affecting the overall usability of the system and SNEAK is effective against all timing based detection techniques. The experimental results demonstrate the need to consider the true potential of the attacker and develop detection methods that use more than low-level timing information to defeat such attacks.