Scalable Wavelet-Based Active Network Stepping Stone Detection

Author

Joseph I. Gilbert

Date of Award

3-22-2012

Document Type

Thesis

Degree Name

Master of Science

Department

Department of Electrical and Computer Engineering

First Advisor

David J. Robinson, PhD.

Abstract

Network intrusions leverage vulnerable hosts as stepping stones to penetrate deeper into a network and mask malicious actions from detection. This research focuses on a novel active watermark technique using Discrete Wavelet Transformations to mark and detect interactive network sessions. This technique is scalable, nearly invisible and resilient to multi-flow attacks. The watermark is simulated using extracted timestamps from the CAIDA 2009 dataset and replicated in a live environment. The simulation results demonstrate that the technique accurately detects the presence of a watermark at a 5% False Positive and False Negative rate for both the extracted timestamps as well as the empirical tcplib distribution. The watermark extraction accuracy is approximately 92%. The live experiment is implemented using the Amazon Elastic Compute Cloud. The client system sends marked and unmarked packets from California to Virginia using stepping stones in Tokyo, Ireland and Oregon. Five trials are conducted using simultaneous watermarked and unmarked samples. The live results are similar to the simulation and provide evidence demonstrating the effectiveness in a live environment to identify stepping stones.

AFIT Designator

AFIT-GE-ENG-12-17

DTIC Accession Number

ADA560009

Recommended Citation

Gilbert, Joseph I., "Scalable Wavelet-Based Active Network Stepping Stone Detection" (2012). Theses and Dissertations. 1110.
https://scholar.afit.edu/etd/1110