Wednesday, January 26, 2005

xinyuan research!

http://footfall.csc.ncsu.edu/

I have been working on the tracing problem of network-based attacks. The goal of this research is to develop effective techniques and systems toward a network security infrastructure that supports both real-time and post-attack tracing of the source of network-based attacks, even when the attacker uses stepping stones and various other anonymity-gaining techniques to disguise the origin of the attacks. In particular, I have been investigating how to apply principles of information hiding and active networking to build highly effective and accurate tracing systems. Some examples of my research include:

· Real-time Tracing of Unencrypted Connections through Stepping Stones. I have developed a novel intrusion response framework, Sleepy Watermark Tracing (SWT), that is able to trace through the intrusion connection chain in real time - within a single keystroke by the intruder. Through its unique active tracing, SWT can trace through the connection chain even when the intruder is silent (for details see the IFIP/Sec'01 paper).

· Real-time Correlation for Tracing Encrypted Connections through Stepping Stones. I have developed a correlation scheme based on inter-packet timing characteristics that can effectively correlate both encrypted and unencrypted interactive connections through stepping stones (for details, see the ESORICS'02 paper).

· Robust Correlation of Encrypted Connections against Active Countermeasures by an Adversary. I have been investigating how to build robust correlation of encrypted connections against the various active countermeasures an adversary can use to conceal intrusion connections. In particular, I have developed an effective watermarking-based correlation framework that is robust against active random timing perturbation by the adversary. The idea is to embed a unique watermark into the encrypted flow by slightly adjusting inter-packet timing. If the embedded watermark is unique enough and robust enough against random timing perturbation, the watermarked flow can be uniquely identified and thus effectively correlated. In theory, my framework can achieve a correlation true positive rate arbitrarily close to 100% and a correlation false positive rate arbitrarily close to 0% at the same time, against arbitrarily large (but bounded) iid random timing perturbation of arbitrary distribution, with arbitrarily small average timing adjustment, as long as there are enough packets. Our experiments also show that our active watermarking-based correlation approach has a significant advantage over existing passive timing-based correlation approaches in the presence of active timing perturbation (for details, see the CCS'03 paper). This work has resulted in over half a million dollars in research grants from the US Department of Interior ARDA and has been the basis for the FootFall project (for details please see http://footfall.csc.ncsu.edu).
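The following simulation illustrates the active timing-watermark idea behind the last two items (timing-based correlation of encrypted flows, and robustness of an embedded watermark against random delay added by an adversary). It is example code added to this page; it is not the SWT/FootFall code and not the construction from the CCS'03 paper. Everything in it is a constructed assumption: the watermark is embedded by re-pacing the flow so that each carrier inter-packet delay (IPD) becomes a multiple of a quantization step whose parity encodes one bit, each bit is repeated over several IPDs and recovered by majority vote, the adversary adds a bounded iid uniform delay to every packet, both monitors see the flow from its first packet, and the 24-bit watermark, the step, the redundancy and the detection threshold are all made up for the example.

```python
"""Constructed demo of timing-watermark correlation through a stepping stone.

Example code added to this page; not the SWT/FootFall implementation and not
the CCS'03 scheme. All parameters below are assumptions of the example.
"""
import math
import random
from typing import Dict, List, Sequence

STEP = 0.2          # quantization step in seconds (assumed)
REDUNDANCY = 15     # carrier IPDs per watermark bit; odd so votes never tie
THRESHOLD = 20      # bits (of 24) that must match to declare a correlation
# Constructed 24-bit watermark; a real deployment would pick it at random.
WATERMARK = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0]


def ipds(timestamps: Sequence[float]) -> List[float]:
    """Inter-packet delays of a flow given its packet timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def timestamps_from_ipds(start: float, delays: Sequence[float]) -> List[float]:
    """Rebuild packet timestamps from a start time and a list of IPDs."""
    out = [start]
    for d in delays:
        out.append(out[-1] + d)
    return out


def _symbol(ipd: float) -> int:
    """Nearest multiple of STEP (floor(x + 0.5) avoids banker's rounding)."""
    return int(ipd / STEP + 0.5)


def embed(timestamps: Sequence[float], bits: Sequence[int]) -> List[float]:
    """Re-pace the flow so carrier IPDs encode `bits`; packets are only delayed."""
    original = ipds(timestamps)
    needed = len(bits) * REDUNDANCY
    if len(original) < needed:
        raise ValueError("flow too short to carry the watermark")
    paced = []
    for i, d in enumerate(original):
        if i < needed:
            bit = bits[i // REDUNDANCY]
            q = math.ceil(d / STEP)        # smallest multiple of STEP not shorter than d
            if q % 2 != bit:               # fix parity by stretching one more step
                q += 1
            paced.append(q * STEP)
        else:
            paced.append(d)                # packets after the watermark pass through
    return timestamps_from_ipds(timestamps[0], paced)


def decode(timestamps: Sequence[float], nbits: int) -> List[int]:
    """Recover `nbits` watermark bits by majority vote over each bit's carriers."""
    symbols = [_symbol(d) % 2 for d in ipds(timestamps)[: nbits * REDUNDANCY]]
    bits = []
    for b in range(nbits):
        votes = sum(symbols[b * REDUNDANCY:(b + 1) * REDUNDANCY])
        bits.append(1 if 2 * votes > REDUNDANCY else 0)
    return bits


def correlate(timestamps: Sequence[float], bits: Sequence[int]) -> Dict[str, object]:
    """Count matching bits and decide whether the flow carries the watermark."""
    decoded = decode(timestamps, len(bits))
    matches = sum(a == b for a, b in zip(decoded, bits))
    return {"matches": matches, "flagged": matches >= THRESHOLD}


def perturb(timestamps: Sequence[float], max_delay: float, rng: random.Random) -> List[float]:
    """Adversary's countermeasure: add iid uniform delay in [0, max_delay) to each packet."""
    return [t + rng.uniform(0.0, max_delay) for t in timestamps]


def run_demo(seed: int = 7, max_delay: float = 0.15) -> Dict[str, object]:
    """Watermark a constructed interactive flow, perturb it, and correlate it."""
    rng = random.Random(seed)
    # Constructed keystroke-like flow as seen at the first monitor (IPDs 0.2-1.2 s).
    inbound = timestamps_from_ipds(0.0, [rng.uniform(0.2, 1.2) for _ in range(400)])
    marked = embed(inbound, WATERMARK)
    downstream = perturb(marked, max_delay, rng)          # what the second monitor sees
    unrelated = perturb(timestamps_from_ipds(0.0, [rng.uniform(0.2, 1.2) for _ in range(400)]),
                        max_delay, rng)                    # an unrelated flow, also perturbed
    return {
        "watermarked": correlate(downstream, WATERMARK),
        "unrelated": correlate(unrelated, WATERMARK),
        "delay_only": all(m >= t for m, t in zip(marked, inbound)),
        "mean_added_delay": sum(m - t for m, t in zip(marked, inbound)) / len(inbound),
    }


if __name__ == "__main__":
    print(run_demo())
```

With the example's parameters the carrier symbols sit 0.2 s apart, so a single IPD is misread only when the difference of two adjacent random delays exceeds 0.1 s, and the 15-way majority vote drives the per-bit error rate down to a small fraction of a percent; the unrelated flow decodes to fair-coin bits and lands near 12 of 24 matches. This is the effect the passage describes: more carrier packets per bit push the true positive rate up and the false positive rate down against bounded iid perturbation. The price of the re-pacing simplification used here is that every carrier IPD is stretched by about one step on average, so delay accumulates over the watermarked prefix of the flow; the published scheme keeps the per-packet adjustment small, which this toy does not attempt.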