Linking Correlated Network Flows through Packet Timing: a Game-Theoretic Approach
This work addresses flow correlation for network security and anonymity systems, but it is incremental as it builds on existing game-theoretic approaches to analyze specific attack scenarios.
The paper tackles the problem of correlating network flows for intrusion detection and anonymity tracing. It introduces a game-theoretic framework to analyze Nash equilibria under two adversary models involving packet delays and chaff traffic, shows that optimal decoding is computationally infeasible, and proposes a practical decoder that estimates and compensates for the attack.
Deciding that two network flows are essentially the same is an important problem in intrusion detection and in tracing anonymous connections. A stepping stone or an anonymity network may try to prevent flow correlation by delaying the packets, introducing chaff traffic, or even splitting the flow into several subflows. We introduce a game-theoretic framework for this problem. The framework is used to derive the Nash equilibrium under two different adversary models: in the first, the adversary is limited to delaying packets; in the second, the adversary also adds dummy packets and removes packets from the flow. As the optimal decoder is not computationally feasible, we restrict the possible decoders to one that estimates and compensates for the attack. Our analysis can be used for understanding the limits of flow correlation based on packet timings under an active attacker.
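To make the two adversary models concrete, the following added example (not the paper's decoder, and not code from its authors) links flows with a simple order-preserving timing match that tolerates chaff and dropped packets. The delay bound `max_delay`, the decision `threshold`, and all timestamps are assumptions constructed for illustration.

```python
def match_fraction(upstream, downstream, max_delay):
    """Fraction of upstream packets that can be paired, in order, with a
    distinct downstream packet arriving within [t, t + max_delay].

    Both inputs are sorted arrival times in seconds. Unpaired downstream
    packets are treated as chaff, unpaired upstream packets as dropped.
    Greedy earliest-fit is optimal here because every window has the same
    length and the windows start in increasing order.
    """
    j = matched = 0
    for t in upstream:
        # Packets seen before t cannot be a delayed copy of this or any
        # later upstream packet, so they are skipped for good.
        while j < len(downstream) and downstream[j] < t:
            j += 1
        if j < len(downstream) and downstream[j] <= t + max_delay:
            matched += 1
            j += 1
    return matched / len(upstream) if upstream else 0.0


def correlated(upstream, downstream, max_delay=0.05, threshold=0.8):
    """Declare the flows linked when enough upstream packets find a match.
    max_delay and threshold are assumed tuning values, not from the paper."""
    frac = match_fraction(sorted(upstream), sorted(downstream), max_delay)
    return frac >= threshold


# Constructed sample timestamps (seconds).
UPSTREAM = [0.00, 0.12, 0.31, 0.45, 0.80, 1.10, 1.42, 1.50]
# Same flow after a relay: small delays, three chaff packets, one drop (1.10).
RELAYED = [0.03, 0.14, 0.20, 0.33, 0.49, 0.60, 0.84, 1.45, 1.52, 1.90]
# An independent flow observed over the same interval.
UNRELATED = [0.07, 0.25, 0.38, 0.55, 0.70, 0.95, 1.25, 1.60, 1.75]
# Same flow delayed by 0.25 s per packet, beyond the assumed 0.05 s bound.
OVER_DELAYED = [0.25, 0.37, 0.56, 0.70, 1.05, 1.35, 1.67, 1.75]

if __name__ == "__main__":
    for name, flow in [("relayed", RELAYED), ("unrelated", UNRELATED),
                       ("over-delayed", OVER_DELAYED)]:
        frac = match_fraction(UPSTREAM, flow, 0.05)
        print(f"{name:13s} match={frac:.3f} linked={correlated(UPSTREAM, flow)}")
```

The over-delayed case scores the same as the unrelated flow, which is why a detector with a fixed delay assumption needs the kind of attack estimation the abstract describes.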