DROPWAT: an Invisible Network Flow Watermark for Data Exfiltration Traceback Academic Article uri icon


  • Network flow watermarking techniques have been proposed during the last ten years as an approach to trace network flows for intrusion detection purposes. These techniques aim to impress a hidden signature on a traffic flow. A central property of network flow watermarking is invisibility, i.e., the ability to go unidentified by an unauthorized third party. Although widely sought after, the development of an invisible watermark is a challenging task that has not yet been accomplished. In this paper, we take a step forward in addressing the invisibility problem with DropWat, an active network flow watermarking technique developed for tracing Internet flows directed to the staging server that is the final destination in a data exfiltration attack, even in the presence of several intermediate stepping stones or with an anonymous network. DropWat is a timing-based technique that indirectly modifies interpacket delays by exploiting the network's reaction to packet loss. We empirically demonstrate that the watermark embedded by means of DropWat is invisible to a third party observing the watermarked traffic. We also validate DropWat and analyze its performance in a controlled experimental framework with a series of experiments on the Internet, using Web proxy servers as stepping stones executed on several instances in Amazon Web Services; the experiments are also conducted using the TOR anonymous network in place of the stepping stones. Our results show that the detection algorithm is able to identify an embedded watermark, achieving over 95% accuracy while being invisible.

publication date

  • January 1, 2017