Efficient detection of delay-constrained relay nodes

Baris Coskun, Nasir Memon

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Relay nodes are a potential threat to networks since they are used in many malicious situations like stepping stone attacks, botnet communication, peer-to-peer streaming etc. Quick and accurate detection of relay nodes in a network can significantly improve security policy enforcement. There has been significant work done and novel solutions proposed for the problem of identifying relay flows active within a node in the network. However, these solutions require quadratic number of comparisons in the number of flows. In this paper, a related problem of identifying relay nodes is investigated where a relay node is defined as a node in the network that has an active relay flow. The problem is formulated as a variance estimation problem and a statistical approach is proposed for the solution. The proposed solution requires linear time and space in the number of flows and therefore can be employed in large scale implementations. It can be used on its own to identify relay nodes or as a first step in a scalable relay flow detection solution that performs known quadratic time analysis techniques for relay flow detection only on nodes that have been detected as relay nodes. Experimental results show that the proposed scheme is able to detect relay nodes even in the presence of intentional inter-packet delays and chaff packets introduced by adversaries in order to defeat timing based detection algorithms.

Original language: English (US)
Title of host publication: Proceedings - 23rd Annual Computer Security Applications Conference, ACSAC 2007
Pages: 353-362
Number of pages: 10
State: Published - 2007
Event: 23rd Annual Computer Security Applications Conference, ACSAC 2007 - Miami Beach, FL, United States
Duration: Dec 10 2007 to Dec 14 2007

Other

Other: 23rd Annual Computer Security Applications Conference, ACSAC 2007
Country: United States
City: Miami Beach, FL
Period: 12/10/07 to 12/14/07

Fingerprint

Communication
Botnet

ASJC Scopus subject areas

  • Software
  • Engineering(all)

Cite this

Coskun, B., & Memon, N. (2007). Efficient detection of delay-constrained relay nodes. In Proceedings - 23rd Annual Computer Security Applications Conference, ACSAC 2007 (pp. 353-362). [04413002] https://doi.org/10.1109/ACSAC.2007.29

@inproceedings{d7aaabc4389041e39499c74ab391f1b3,
title = "Efficient detection of delay-constrained relay nodes",
author = "Baris Coskun and Nasir Memon",
year = "2007",
doi = "10.1109/ACSAC.2007.29",
language = "English (US)",
isbn = "0769530605",
pages = "353--362",
booktitle = "Proceedings - 23rd Annual Computer Security Applications Conference, ACSAC 2007",

}

TY - GEN

T1 - Efficient detection of delay-constrained relay nodes

AU - Coskun, Baris

AU - Memon, Nasir

PY - 2007

Y1 - 2007

UR - http://www.scopus.com/inward/record.url?scp=48649102224&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=48649102224&partnerID=8YFLogxK

U2 - 10.1109/ACSAC.2007.29

DO - 10.1109/ACSAC.2007.29

M3 - Conference contribution

AN - SCOPUS:48649102224

SN - 0769530605

SN - 9780769530604

SP - 353

EP - 362

BT - Proceedings - 23rd Annual Computer Security Applications Conference, ACSAC 2007

ER -