DropWat: An invisible network flow watermark for data exfiltration traceback

Alfonso Iacovazzi, Sanat Sarda, Daniel Frassinelli, Yuval Elovici

IEEE Transactions on Information Forensics and Security 13 (5), 1139-1154, 2017

Network flow watermarking techniques have been proposed during the last ten years as an approach to trace network flows for intrusion detection purposes. These techniques aim to impress a hidden signature on a traffic flow. A central property of network flow watermarking is invisibility, i.e., the ability to go unidentified by an unauthorized third party. Although widely sought after, the development of an invisible watermark is a challenging task that has not yet been accomplished. In this paper, we take a step forward in addressing the invisibility problem with DropWat, an active network flow watermarking technique developed for tracing Internet flows directed to the staging server that is the final destination in a data exfiltration attack, even in the presence of several intermediate stepping stones or with an anonymous network. DropWat is a timing-based technique that indirectly modifies interpacket delays by exploiting …