An efficient sequential watermark detection model for tracing network attack flows

Watermarking schemes for tracing network attack flows have been proposed to detect stepping-stone intrusion and fight against the abuse of anonymity. However, most existing network flow watermark detection techniques focus on fixed sample size of network data, thus resulting in not only unguaranteed rates of detection errors but also low efficiency of watermark detection. We herein propose an efficient sequential watermark detection (ESWD) model for tracing network attack flows. Based on the ESWD model, a statistical analysis of sequential detectors, with no assumptions or limitations concerning the distribution of the timing of packets, proves their effectiveness despite traffic timing perturbations. The experiments using a large number of synthetically-generated SSH traffic flows demonstrate that there is a significant advantage in using the ESWD model over the existing fixed sample size (FSS) detector, where the optimal sequential watermark detector (OSWD) based on the ESWD model results in almost 28% savings in the average number of packets compared to the FSS watermark detector. Furthermore, the nonparametric sequential sign watermark detector (SSWD) can also reduce the average packet number, given the required probability of detection errors.