AuthentIx: Detecting Anonymized Attacks via Automated Authenticity Profiling Conference Paper uri icon

abstract

  • In the modern era of cyber-security attackers are persistent in their attempts to hide and mask the origin of their attacks. In many cases, attacks are launched from spoofed or unknown Internet addresses, which makes investigation a challenging task. While protection from anonymized attacks is an important goal, detection of anonymized traffic is also important in its own right, because it allows defenders to take necessary preventative and defensive steps at an early stage, even before the attack itself has begun. In this paper we present AuthentIx, a system which measures the authenticity of the sources of Internet traffic. In order to measure the authenticity of traffic sources, our system uses passive and active profiling techniques, which are employed in both the network and the application protocols. We also show that performing certain cross-views between different communications layers can uncover inconsistencies and find clients which are suspicious. We present our system design and describe its implementation, and evaluate AuthentIx on traffic from authentic and non-authentic sources. Results show that our system can successfully detect anonymous and impersonated attackers, and furthermore, can be used as a general framework to cope with new anonymization and hiding techniques.

publication date

  • November 23, 2016