主动网络流水印技术研究进展

doi:10.3969/j.issn.1000-436x.2014.07.022

摘要/Abstract

摘要：

在匿名网络环境下通信双方关系确认、僵尸网络控制者追踪、中间跳板主机发现等方面，以被动网络流量分析（passive traffic analysis）为核心的传统入侵检测与流关联技术存在空间开销大、实时性差、识别率低、灵活性欠佳、难以应对加密流量等明显缺点。而将主动网络流量分析与数字水印思想相融合的主动网络流水印（ANFW,active network flow watermark）技术能有效克服传统被动网络流量分析方法的不足，已引起了国内外学者的广泛关注。首先阐述了ANFW机制的通用模型，总结了ANFW技术的分类及所涉及的角色关系；其次，详细综述了近年来提出的多种典型的基于不同网络流特征的ANFW技术，并进行对比性总结；最后，概述了当前ANFW技术自身安全威胁及应对措施现状，展望了其未来的研究方向。

关键词: 网络安全, 主动流量分析, 网络流水印, 流特征, 匿名通信, 跳板节点, 僵尸网络

Abstract:

In face of confirming user communication relationship in anonymous network, tracing botmaster and detecting stepping stones, traditional intrusion detection and flow correlation methods which mainly rely on passive traffic analysis have shown many drawbacks obviously, such as high space costs, poor real-time, low accuracy, poor flexibility, fail in dealing with encrypted traffic and so on. However, the active network flow watermark(ANFW) which combined the idea of digital watermarking and active traffic analysis can overcome the drawbacks above effectively. ANFW has aroused extensive attention of scholars at home and abroad. Firstly, the general model of ANFW is presented, and the classifica-tion of existing proposals and roles involved in ANFW are summarized. Then, several representative ANFW approaches using distinct network flow characteristics are presented and compared in detail. Finally, threats against existing ANFW technology and their corresponding countermeasures are overviewed, also some future research directions about ANFW are discussed.

Key words: network security, active traffic analysis, network flow watermark, network flow characteristics, anonymous communication, stepping stones, botnet

郭晓军,程光,朱琛刚,周爱平. 主动网络流水印技术研究进展[J]. 通信学报, 2014, 35(7): 178-192.

Xiao-jun GUO,Guang CHENG,Chen-gang ZHU,Dinh-Tu TRUONG,Ai-ping ZHOU. Progress in research on active network flow watermark[J]. Journal on Communications, 2014, 35(7): 178-192.

图/表 15

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

图12

图13

表1

表2

参考文献 58

[59]	樊昌信，曹丽娜 . 通信原理（第6版）[M]. 北京：国防工业出版社， 2006. FAN C X , CAO L N . Communication Principles(6th Edition)[M]. Beijing: National Defence Industry Press, 2006.
[60]	BALDINI A , DE C L , RISSO F . Increasing performances of TCP data transfers through multiple parallel connections[A]. Proc of the 2009 IEEE Symposium on Computers and Communications[C]. Sousse, Tunisia, 2009. 630-636.
[61]	IHM S , PAI V S . Towards understanding modern web traffic[A]. Proc of the 2011 ACM SIGCOMM on Internet Measurement Conference (IMC'11)[C]. Berlin, Germany, 2011. 295-312.
[62]	RAO A , LEGOUT A , LIM Y S , et al. Network characteristics of video streaming traffic[A]. Proc of the 7th Conference on Emerging Networking Experiments and Technologies(CoNEXT'11)[C]. Tokyo, Japan, 2011.
[63]	XI B W , CHEN H , CLEVELAND W S , et al. Statistical analysis and modeling of Internet VoIP traffic for network engineering[J]. Electronic Journal of Statistics, 2010,4:58-116.
[64]	RATTI S , HARIRI B , SHIRMOHAMMADI S . A survey of First-Person shooter gaming traffic on the Internet[J]. IEEE Internet Computing, 2010,14(5):60-69.
[65]	ARCHIBALD R , GHOSAL D . A covert timing channel based on Fountain Codes[A]. Proc of the 11th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom'12)[C]. Liverpool, UK, 2012. 970-977.
[66]	ROY S D , LI X , SHOSHAN Y , et al. Hardware implementation of a digital watermarking system for video authentication[J]. IEEE Trans-actions on Circuits and Systems for Video Technology, 2013,23(2):289-301.
[67]	HOLUB V , FRIDRICH J . Digital image steganography using universal distortion[A]. Proc of the 1st ACM Workshop on Information Hiding And Multimedia Security[C]. Montpellier, France, 2013. 59-68.
[68]	FATEMEH D , SAEED M . Watermarking in binary document images using fractal codes[J]. Pattern Recognition Letters, 2014,35:120-129.
[69]	钱玉文，赵邦信，孔建寿等. 一种基于Web的可靠网络隐蔽时间信道的研究 [J]. 计算机研究与发展， 2011,48(3):423-431. QIAN Y W , ZHAO B X , KONG J S , et al. Robust covert timing channel based on web[J]. Journal of Computer Research and Devel-opment, 2011,48(3):423-431.
[70]	SEBASTIAN Z , GRENVILLE A , PHILIP B . Stealthier inter-packet timing covert channels[A]. Proc of the 10th International IFIP TC 6 Networking Conference[C]. Valencia, Spain, 2011. 458-470.
[71]	FURON T , BAS P . A new measure of watermarking security applied on QIM[A]. Proc of 14th International Conference on Information Hiding(IH'12)[C]. Berkeley, USA, 2012. 207-223.
[72]	Trusted computer system evaluation criteria (TCSEC)[EB/OL]. , WIKIPEDIA. 2013.
[1]	YLONEN T . The secure shell (SSH) protocol architecture[EB/OL]. , http://www.ietf.org/rfc/rfc4251.txt, 2006.
[2]	IPSEC WORKING GROUP. IP security protocol(IPSec)[EB/OL]. , http://datatracker.ietf.org/wg/ipsec/, 1995.
[3]	ZHANG Y , PAXSON V . Detecting stepping stones[A]. Proc of the 9th USENIX Security Symposium[C]. Denver, Colorado, 2000. 171-184.
[4]	BLUM A , SONG D , VENKATARAMAN S . Detection of interactive stepping stones: algorithms and confidence bounds[A]. Proc of the 7th International Symposium on Recent Advances in Intrusion Detec-tion[C]. Sophia Antipolis, France, 2004. 258-277.
[73]	MOHAN D , JUSTIN S RENATA T , et al. Fathom: a browser-based network measurement platform[A]. Proc of the 2012 ACM conference on Internet Measurement Conference(IMC'12)[C]. Boston, USA, 2012. 73-86.
[74]	SNOEREN A C , PARTRIDGE C , SANCHEZ L A , et al. Single-packet IP traceback[J]. IEEE/ACM Transactions on Networking, 2002,10(6):721-734.
[5]	HE T , TONG L . Detecting encrypted stepping stone connections[J]. IEEE Transactions on Signal Processing, 2007,55(4):1612-1623.
[6]	ROBERT S , JIE C , PING J , et al. A survey of research in step-ping-stone detection[J]. International Journal of Electronic Commerce Studies, 2011,2(2):103-126.
[7]	DINGLEDINE R , MATHEWSON N , SYVERSON P . Tor: the second-generation onion router[A]. Proc of the 13th USENIX Security Symposium[C]. San Diego, USA, 2004. 303-320.
[8]	REITER M K , RUBIN A D . Anonymous Web transactions with crowds[J]. Communications of the ACM, 1999,42(2):32-38.
[75]	LIN I H , PENG S H . A probabilistic packet marking scheme with LT code for IP traceback[J]. Journal of Internet Technology, 2013,14(2):189-202.
[76]	BATES A , MOOD B , PLETCHER J , et al. Detecting co-residency with active traffic analysis techniques[A]. Proc of the 2012 ACM Workshop on Cloud Computing Security Workshop[C]. Raleigh, USA, 2012. 1-12.
[9]	FREEDMAN M J , MORRIS R . Tarzan: a peer-to-peer anonymizing network layer[A]. Proc of the 9th ACM Conference on Computer and Communications Security[C]. Washington DC, USA, 2002. 193-206.
[10]	PASSERINI E , PALEARI R , MARTIGNONI J , et al. FluXOR: de-tecting and monitoring fast-flux service networks[A]. Proc. of the 5th Detection of Intrusions and Malware, and Vulnerability Assessment[C]. Paris, France, 2008. 186-206.
[77]	罗军舟，吴文甲，杨明 . 移动互联网：终端、网络与服务[J]. 计算机学报， 2011,34(11):2029-2051. LUO J Z , WU W J , YANG M . Mobile Internet: terminal devices, networks and services[J]. Chinese Journal of Computers, 2011,34(11):2029-2051.
[78]	周昌令，钱群，赵伊秋等. 校园无线网用户群体的移动行为聚集分析[J]. 通信学报， 2013,34(Z2):111-116. ZHOU C L , QIAN Q , ZHAO Y Q , et al. Modularity analysis of users' mobile behavior in campus wireless network[J]. Journal on Commu-nications, 2013,34(Z2):111-116.
[11]	江健，诸葛建伟，段海新等. 僵尸网络机理与防御技术[J]. 软件学报， 2012,23(1):82-96. JIANG J , ZHUGE J W , DUAN H X , et al. Research on botnet mechanisms and defenses[J]. Journal of Software, 2012,23(1):82-96.
[12]	HOLZ T , GORECKI C , RIECK K , et al. Measuring and detecting fast-flux service networks[A]. Proc of the 15th Network and Distrib-uted System Security Symposium (NDSS'08)[C]. San Diego, USA, 2008.
[13]	YODA K , ETOH H . Finding a connection chain for tracing intrud-ers[A]. Proc of the 6th European Symposium on Research in Com-puter Security[C]. Toulouse, France, 2000. 191-205.
[14]	ZHU Y , FU X W , GRAHAM B , et al. On flow correlation attacks and countermeasures in mix networks[A]. Proc of 2004 Privacy Enhancing Technologies(PET'04)[C]. Toronto, Canada, 2004. 207-225.
[15]	DONOHO D L , FLESIA A G , SHANKAR U , et al. Multiscale step-ping-stone detection: detecting pairs of jittered interactive streams by exploiting maximum tolerable delay[A]. Proc of the 5th International Symposium on Recent Advances in Intrusion Detection[C]. Zurich,Switzerland, 2002. 17-35.
[16]	WANG X , REEVES D , WU S F . Inter-packet delay based correlation for tracing encrypted connections through stepping stones[A]. Proc of the 7th European Symposium on Research in Computer Security[C]. Zurich,Switzerland, 2002. 244-263.
[17]	COX J , MILLER L , BLOOM J , et al. Digital watermarking[M]. San Francisco:Morgan-Kaufmann, 2001.
[18]	程光，龚俭 . 互联网流测量[M]. 南京：东南大学出版社， 2008. CHENG G , GONG J . Internet Flow Measurement[M]. Nanjing: South-east University Press, 2008.
[79]	NDN Testbed[EB/OL]. , http://named-data.net/ndn-testbed/, 2013-11.
[80]	AFANASYEV A , MOISEENKO I , ZHANG L X . NDNSIM: NDN Simulator for NS-3[R]. NDN Technical Report NDN-0005, 2012.
[19]	HOUMANSADR A , KIYAVASHY N , BORISOV N . Rainbow: a robust and invisible non-blind watermark for network flows[A]. Proc of the 16th Network and Distributed System Security Symposium (NDSS'09)[C]. San Diego,USA, 2009.
[20]	PARK Y H , REEVES D S . Adaptive watermarking against deliberate random delay for attack attribution through stepping stones[A]. Proc of the 9th International Conference on Information and Communica-tions Security[C]. Zhengzhou, China, 2007.
[21]	YU W , FU X W , GRAHAM S , et al. DSSS-based flow marking tech-nique for invisible traceback[A]. Proc of the 2007 IEEE Symposium on Security and Privacy[C]. Oakland, USA, 2007. 18-32.
[22]	傅翀，钱伟中，赵明渊等. 匿名通信系统时间攻击的时延规范化防御方法[J]. 东南大学学报(自然科学版)， 2009,39(4):738-741. FU C , QIAN W Z , ZHAO M Y , et al. Delay normalization method of defending against timing-based attacks on anonymous communication systems[J]. Journal of Southeast University (Natural Science Edition), 2009,39(4):738-741.
[23]	RAMSBROCK D , WANG X Y , JIANG X Z . A first step towards live botmaster traceback[A]. Proc of the 11th International Symposium on Recent Advances in Intrusion Detection[C]. Cambridge, USA, 2008. 59-77.
[24]	王小刚 . 基于网络流水印的入侵追踪技术研究[D]. 南京：东南大学， 2012. WANG X G . Research on Intrusion Traceback Exploiting Network Flow Watermarking[D]. Nanjing: Southeast University, 2012.
[25]	WANG X Y , REEVES D S , WU S F , et al. Sleepy watermark tracing:an active network-based intrusion response framework[A]. Proc of the IFIP TC11 16th Annual Working Conference on Information Security:Trusted Information: the New Decade Challenge[C]. Paris, France, 2001. 369-384.
[26]	ZHAO Q J , LU H T . A PCA-based watermarking scheme for tam-per-proof of Web pages[J]. Pattern Recognition, 2005,38(8):1321-1323.
[27]	HUANG H J , WANG Y J , XIE L L , et al. An active anti-phishing solution based on semi-fragile watermark[J]. Information Technology Journal, 2013,12(1):198-203.
[28]	HUANG J W , PAN X , FU X W , et al. Long PN code based DSSS watermarking[A]. Proc of the IEEE INFOCOM 2011[C]. Shanghai, China, 2011. 2426-2434.
[29]	FU X W , ZHU Y , GRAHAM B , et al. On flow marking attacks in wireless anonymous communication networks[A]. Proc of the 25th IEEE International Conference on Distributed Computing Systems (ICDCS'05)[C]. Columbus, USA, 2005. 493-503.
[30]	WANG X Y , REEVES D S . Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket de-lays[A]. Proc of the 10th ACM Conference on Computer And Com-munications Security[C]. Washington DC, USA, 2003. 20-29.
[31]	WANG X Y , CHEN S P , JAJODIA S S . Tracking anonymous peer-to-peer VoIP calls on the internet[A]. Proc of the 12th ACM Con-ference on Computer And Communications Security[C]. Alexandria, USA, 2005. 81-91.
[32]	ZHANG L , LUO J Z , YANG M . An improved DSSS-based flow marking technique for anonymous communication traceback[A]. Proc of the 2009 Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing(UIC-ATC'09)[C]. Brisbane, Australia, 2009. 563-567.
[33]	张连成，王振兴，徐静 . 一种新的隐形流水印技术[J]. 应用科学学报， 2012,30(5):524-530. ZHANG L C , WANG Z X , XU J . A novel invisible and private flow watermarking scheme[J]. Journal of Applied Sciences, 2012,30(5):524-530.
[34]	WANG X Y , CHEN S P , JAJODIA S S . Network flow watermarking attack on low-latency anonymous communication systems[A]. Proc of the 2007 IEEE Symposium on Security and Privacy[C]. Oakland, USA, 2007. 116-130.
[35]	WANG X G , LUO J Z , YANG M . A double interval centroid-based watermark for network flow traceback[A]. Proc of the 14th Interna-tional Conference on Computer Supported Cooperative Work in De-sign[C]. Shanghai, China, 2010. 146-151.
[36]	LUO J Z , WANG X G , YANG M . An interval centroid based spread spectrum watermarking scheme for multi-flow traceback[J]. Journal of Network and Computer Applications, 2012,35(1):60-71.
[37]	PYUN Y J , PARK Y H , WANG X Y , et al. Tracing traffic through intermediate hosts that repacketize flows[A]. Proc of IEEE INFO-COM 2007[C]. Anchorage, USA, 2007. 634-642.
[38]	JIA W J , TSO F P , LING Z , et al. Blind detection of spread spectrum flow watermarks[A]. Proc of the IEEE INFOCOM 2009[C]. Rio de Janeiro,Brazil, 2009. 2195-2203.
[39]	RTAI T . Real time application interface(RTAI)[EB/OL]. , http://www.rtai.org, 2012. 08 23
[40]	张璐，罗军舟，杨明 . 基于正交流量特征的多维流水印技术[A]. 2010年全国通信安全学术会议论文集[C]. 昆明，中国， 2010. 243-248. ZHANG L , LUO J Z , YANG M . Orthogonal flow characteristics based multi-dimensional flow watermarking technique[A]. Proc of the 2010 China Communication Security Symposium[C]. Kunming, China, 2010. 243-248.
[41]	KIYAVASH N , HOUMANSADR A , BORISOV N . Multi-flow attacks against network flow watermarking schemes[A]. Proc of the 17th conference on USENIX Security Symposium[C]. San Jose, USA, 2008. 307-320.
[42]	HOUMANSADR A , BORISOV N . SWIRL: a scalable watermark to detect correlated network flows[A]. Proc of the 18th Network and Dis-tributed System Security Symposium 2011[C]. San Diego, USA, 2011.
[43]	EVANS N S , DINGLEDINE R , GROTHOFF C . A practical conges-tion attack on Tor using long paths[A]. Proc of the 18th Conference on USENIX Security Symposium[C]. Montreal, Canada, 2009. 33-50.
[44]	LIN Z , HOPPER N . New attacks on timing-based network flow wa-termarks[A]. Proc of the 21th Conference on USENIX Security Symposium[C]. Bellevue, USA, 2012. 1-16.
[45]	张连成，王振兴，徐静 . 一种基于包序重排的流水印技术[J]. 软件学报， 2011,22(2):17-26. ZHANG L C , WANG Z X , XU J . Flow watermarking scheme based on packet reordering[J]. Journal of Software, 2011,22(2):17-26.
[46]	ANGRISANI L , CAPRIGLIONE D , FERRIGNO L , et al. Packet jitter measurement in communication networks: a sensitivity analysis[A]. Proc of the IEEE International Workshop on Measurement and Net-working 2011[C]. Anacapri, Italy, 2011. 146-151.
[47]	BREGNI S , BARUFFALDI A , PATTAVINA A . Active measurement and time-domain characterization of IP packet jitter[A]. Proc of the IEEE Latin-American Conference on Communications 2009[C]. Medellin, Columbia, 2009. 1-6.
[48]	ALLMAN M , PAXSON V . TCP congestion control[EB/OL]. , http://tools.ietf.org/html/rfc5681, 2009.
[49]	POSTEL J . Transmission control Protocol[EB/OL]. , http://www.ietf.org/rfc/rfc793.txt, 1981.
[50]	PENG P , NING P , REEVES D S . On the secrecy of timing-based active watermarking trace-back techniques[A]. Proc of the 2006 IEEE Symposium on Security and Privacy[C]. Oakland, USA, 2006. 334-349.
[51]	WANG X G , LUO J Z , YANG M . An efficient sequential watermark detection model for tracing network attack flows[A]. Proc of the 16th IEEE International Conference on Computer Supported Cooperative Work in Design[C]. Wuhan, China, 2012. 236-243.
[52]	LUO X P , ZHANG J J , PERDISCI R , et al. On the secrecy of spread-spectrum flow watermarks[A]. Proc of the European Sympo-sium on Research in Computer Security 2010[C]. Athens, Greece, 2010. 232-248.
[53]	LUO X P , ZHOU P , ZHANG J J , et al. Exposing invisible tim-ing-based traffic watermarks with BACKLIT[A]. Proc of the 27th Annual Computer Security Applications Conference[C]. Orlando, USA, 2011. 197-206.
[54]	PENG P , NING P , REEVE D S , et al. Active timing-based correlation of perturbed traffic flows with chaff packets[A]. Proc of the 25th In-ternational Conference on Distributed Computing Systems Work-shops[C]. Columbus, USA, 2005. 107-113.
[55]	WANG X G , YANG M , LUO J Z . A novel sequential watermark de-tection model for efficient traceback of secret network attack flows[J]. Journal of Network and Computer Applications, 2013,36(6):1660-1670.
[56]	ZHANG L C , WANG Z X , WANG Q L , et al. MSAC and multi-flow attacks resistant spread spectrum watermarks for network flows[A]. Proc of the 2nd IEEE International Conference on Information and Financial Engineering[C]. Chongqing, China, 2010. 438-441.
[57]	HOUMANSADR A , KIYAVASH N , BORISOV N . Multi-flow attack resistant watermarks for network flows[A]. Proc of the 2009 IEEE In-ternational Conference on Acoustics, Speech and Signal Processing[C]. Taipei, China, 2009. 1497-1500.
[58]	GONG X , RODRIGUES M , KIYAVASH N . Invisible flow water-marks for channels with dependent substitution, deletion, and bursty insertion errors[EB/OL]. , http://arxiv.org/pdf/1302.5734v1.pdf, 2013.

方法	隐蔽性	水印容量	时空开销	提取难度	NW/BW	顽健性	实用性
DSSS-W^[21]	★★★☆☆☆	★★☆☆☆☆	★★☆☆☆☆	★★☆☆☆☆	BW	★★☆☆☆☆	★★★☆☆☆
WBIPD^[30]	★★★☆☆☆	★★★☆☆☆	★★★★☆☆	★★★☆☆☆	BW	★★★☆☆☆	★★★★★☆
Ref.^[31]	★★★★★★	★★★☆☆☆	★★★☆☆☆	★★★★☆☆	BW	★★★★☆☆	★★★★☆☆
RAINBOW^[19]	★★★★★☆	★★★★★★	★★★★★★	★☆☆☆☆☆	NW	★★☆☆☆☆	★☆☆☆☆☆
ICBW^[34]	★★★★☆☆	★★★★☆☆	★★★☆☆☆	★★★★☆☆	BW	★★★★★☆	★★★★★☆
DICBW^[35]	★★★★★☆	★★★☆☆☆	★★★★☆☆	★★★★★☆	BW	★★★★★★	★★★★☆☆
ICBSSW^[36]	★★★★★☆	★★☆☆☆☆	★★★★★☆	★★★★☆☆	BW	★★★★★★	★★★★☆☆
IBW^[37]	★★☆☆☆☆	★★★☆☆☆	★★★★★☆	★★★☆☆☆	BW	★★★☆☆☆	★★★☆☆☆
SWIRL^[42]	★★☆☆☆☆	★★★☆☆☆	★★★★★★	★★★★★☆	BW	★★★★☆☆	★★☆☆☆☆
PROFW^[45]	★★★☆☆☆	★★☆☆☆☆	★★★★☆☆	★★★☆☆☆	BW	★★☆☆☆☆	★☆☆☆☆☆

安全问题分类	攻击名称	影响的ANFW	防范措施
	分组延迟	ALL	N/A
I型安全问题	分组变换	ALL	参见文献[54]
	ESWD探测^[51]
	FQZQ探测^[22]	基于分组间隔特征	N/A
II型安全问题	SWDM探测^[55]
	MSAC攻击^[38]	基于DSSS-W^[21]方法及其改进	参见文献[56]
	LZPL探测^[52]		N/A
	MFA攻击^[41]	ICBW^[34]＆IBW^[37]＆Multiple Offsets/Positions^[41]	参见文献[57,58]
	BACKLIT攻击^[53]	DSSS-W^[21]	N/A
	LH攻击^[44]	RAINBOW^[19]＆SWIRL^[42]	参见文献[44]
注：ALL：基于分组间隔特征、流速率和流时隙分割的ANFW；N/A：防范措施目前暂不存在。