Sleepy watermark tracing: an active network-based intrusion response framework

2001 
Network-based intrusion has become a serious threat to today's highly networked information systems, yet the overwhelming majority of current network security mechanisms are "passive" in response to network-based attacks. In particular, tracing and detection of the source of network-based intrusion has been left largely untouched in existing intrusion detection mechanisms. The fact that intruders can log in through a series of hosts before attacking the final target makes it extremely difficult to trace the real source of network-based intrusions. In this paper, we apply active networking principles to address the problem of tracing network-based intrusion with such chained connections, and propose a novel intrusion response framework: Sleepy Watermark Tracing (SWT). SWT is "sleepy" in that it introduces no overhead when no intrusion is detected. Yet it is "active" in that, when an intrusion is detected, the target injects a watermark into the backward connection of the intrusion, and wakes up and collaborates with the intermediate routers along the intrusion path. By integrating a sleepy intrusion response scheme, a watermark correlation technique and an active tracing protocol, SWT provides highly efficient and accurate source tracing of interactive intrusions through chained telnet or rlogin. Our prototype shows that SWT can trace back to the farthest trustworthy security gateway toward the origin of the intrusion within one keystroke. With its unique active tracing, SWT can even trace intrusion connections that the intruder has left idle.
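The tracing idea described in the abstract, as an added toy simulation (not the paper's prototype code): the target writes a watermark into the backward stream of the intruding login, each stepping stone relays that server output toward its own client, and each gateway, woken in turn, only has to find which login into its host carries the mark. The watermark bytes, host names and the `parent` link are assumptions made for this simulation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed watermark: bytes a terminal renders as nothing (a "move cursor right
# by 0" escape), constructed for this simulation; the paper's own watermark
# encoding is not reproduced here.
WATERMARK = b"\x1b[0C"

@dataclass
class Hop:
    src: str                          # client side of one telnet/rlogin login
    dst: str                          # server side of that login
    parent: Optional["Hop"] = None    # session on src that spawned this login;
                                      # known to the stepping stone, never to gateways
    backward: bytes = b""             # server-to-client bytes (echo, command output)

def deliver_backward(hop: Hop, data: bytes) -> None:
    """Server output on `hop` appears on src's terminal; if src is itself a
    stepping stone, it is relayed back along the login that spawned it."""
    hop.backward += data
    if hop.parent is not None:
        deliver_backward(hop.parent, data)

def gateway_find_marked(hops: List[Hop], host: str, mark: bytes) -> Optional[Hop]:
    """A gateway in front of `host`, woken by the trace request, inspects only
    backward streams of logins into `host` and reports the one carrying the
    watermark (None if no login or more than one is marked)."""
    marked = [h for h in hops if h.dst == host and mark in h.backward]
    return marked[0] if len(marked) == 1 else None

def swt_trace(hops: List[Hop], target: str, mark: bytes) -> List[Hop]:
    """Walk from the target toward the origin, one woken gateway per hop."""
    path, host = [], target
    while True:
        hop = gateway_find_marked(hops, host, mark)
        if hop is None:
            return path
        path.append(hop)
        host = hop.src

def demo() -> List[Tuple[str, str]]:
    a = Hop("attacker-ws", "relay1")          # constructed chain of three logins
    b = Hop("relay1", "relay2", parent=a)
    c = Hop("relay2", "target", parent=b)
    decoy = Hop("admin-ws", "relay1")         # unrelated login into relay1
    hops = [decoy, a, b, c]
    deliver_backward(c, b"$ ls\r\nnotes.txt\r\n")   # sleepy phase: plain traffic, no marks
    deliver_backward(decoy, b"$ uptime\r\n")
    # intrusion detected at target: the watermark rides on the echo of the next
    # keystroke (or is sent alone if the intruder's session is idle)
    deliver_backward(c, b"c" + WATERMARK)
    return [(h.src, h.dst) for h in swt_trace(hops, "target", WATERMARK)]
```

The decoy login into relay1 never sees the mark, so the trace walks the real chain only, and a gateway that observes two marked logins into one host reports nothing rather than guess.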