iLOC: An Invisible LOCalization Attacks to Internet Threat Monitoring Systems - PowerPoint PPT Presentation

Slides: 9
Provided by: xunw

Transcript and Presenter's Notes

1
  • iLOC: An Invisible LOCalization Attacks to
    Internet Threat Monitoring Systems

2
iLOC: An Invisible LOCalization Attacks to
Internet Threat Monitoring Systems
  • Widespread attackers attempt to evade the
    distributed monitoring/detection systems
  • We design Invisible Localization (iLOC) attacks
    which can locate the monitors accurately and
    invisibly. Then the widespread attacks can evade
    these located monitors.
  • Effectiveness of iLOC attacks
  • We implement iLOC and run experiments.
  • Defense against iLOC attacks
  • We propose some primary countermeasures.

3
iLOC Attacks
  • Attacker's objectives
  • Accuracy: Be able to accurately recognize whether
    the reports from the data center carry its purposely
    injected attack mark.
  • Invisibility: Hide its attack mark and make the
    attack traffic behave like the background scan
    traffic, as noise.
  • Requirements on the attack mark
  • Should be easily and accurately recognized by
    the attacker.
  • Should be hard for the monitoring/detection
    systems to detect.
  • Code-based iLOC attack
  • The code is known to, and detectable by, only the
    attacker.

4
iLOC Attack Workflow (1)
The attacker wants to know whether network A is
being monitored.
  • The attacker selects a code (pseudo-noise code)
    as the attack mark.
  • Encodes the attack traffic (port scan traffic)
    according to the PN code.
  • Sends the attack traffic (with the attack mark
    hidden in it) to IP addresses of network A.

5
iLOC Attack Workflow (2)
If A has monitors, they will send port scan
traffic reports (including the attack traffic) to
the data center.
  • The attacker queries the data center for the port
    scan traffic report.
  • Recognizes the attack mark (PN-code) from the
    report.

6
Why Is PN-code based iLOC Effective?
  • The PN-code is random and balanced. It makes
    the attack traffic appear as noise and blend in
    with background traffic in both time and
    frequency domains.
  • The PN-code has a sharp auto-correlation peak (1 bit
    wide) and has very low cross-correlation with
    other signals, which makes it feasible for the
    attacker to accurately recognize attack traffic
    (encoded by the PN-code) from the traffic report
    data even under the interference of background
    traffic.
  • The PN-code has a low cross-correlation value
    among different PN-code instances. This feature
    makes it feasible for the attacker to conduct
    parallel localization of multiple target networks
    on the same port.

7
Correlation Degree
The correlation degree between vector X and Y is
The correlation degree between PN-code Ci and
traffic encoded by Ci
The correlation degree between PN-code Ci and
traffic encoded by Ci

8
Countermeasures against iLOC Attacks
  • While detection of iLOC attacks is difficult,
    proactive countermeasures can be used.
  • Publish less information to all users, including
    the attacker
  • Limit the information access rate to slow the
    attacker
  • Enforce authentication for access to the information
    to exclude some attackers
  • Randomize the sensor space to mislead the
    attacker
  • Perturb the information to confuse the attacker's
    detection.
  • While these methods can increase the security of
    motion sensors, they also decrease the
    functionality of motion sensor networks.
  • Can we figure out other countermeasures, such as
    detection of the PN-code? (Future topic)
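
A simulation a data-center operator could use to gauge two of the countermeasures above ("publish less information" and "perturb the information"); it is an added example, not code from the original slides. Assumptions: Pearson correlation stands in for the correlation degree (the slide's formula is not in this transcript), the PN-code is a 63-chip m-sequence, the scan counts are constructed, and the function names, the 7-interval averaging and the noise level are illustrative choices.

```python
import random
from math import sqrt

def pn_code():
    """63-chip m-sequence from the LFSR a[k+6] = a[k] ^ a[k+1], mapped to +1/-1."""
    state = [1, 0, 0, 0, 0, 0]                # newest bit first, oldest bit last
    chips = []
    for _ in range(63):
        chips.append(1 if state[-1] else -1)
        state = [state[-1] ^ state[-2]] + state[:-1]
    return chips

def correlation(x, y):
    """Pearson correlation, used here as the 'correlation degree' (assumption)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return cov / sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))

def marked_counts(code, rng, extra=40):
    """Constructed per-interval scan counts: background plus a mark on +1 chips."""
    return [rng.randint(80, 120) + (extra if c > 0 else 0) for c in code]

def coarsen(counts, width=7):
    """'Publish less': report only the mean of each block of `width` intervals."""
    out = []
    for i in range(0, len(counts), width):
        block = counts[i:i + width]
        out += [sum(block) / len(block)] * len(block)
    return out

def perturb(counts, rng, sigma=60):
    """'Perturb the information': add zero-mean noise before publishing."""
    return [max(0, round(c + rng.gauss(0, sigma))) for c in counts]

def evaluate(seed=1):
    """Correlation of the code with the raw, coarsened and perturbed reports."""
    rng = random.Random(seed)
    code = pn_code()
    raw = marked_counts(code, rng)
    return {"raw": correlation(code, raw),
            "coarsened": correlation(code, coarsen(raw)),
            "perturbed": correlation(code, perturb(raw, rng))}

if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name:10s} correlation degree = {value:+.2f}")
```

Both published forms lower the correlation that the unmodified per-interval report preserves, at the cost of report fidelity noted on the slide.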