DSSS-Based Flow Marking Technique for Invisible Traceback *

Wei Yu, Xinwen Fu, Steve Graham, Dong Xuan §, and Wei Zhao

Texas A&M University, College Station, TX 77843 weiyu@cs.tamu.edu
Dakota State University, Madison, SD 57042 {xinwen.fu,Steve.Graham}@dsu.edu
§ The Ohio-State University, Columbus, OH 43210 xuan@cse.ohio-state.edu
Rensselaer Polytechnic Institute, Troy, NY 12180 zhaow3@rpi.edu

Abstract

Law enforcement agencies need the ability to conduct electronic surveillance to combat crime, terrorism, or other malicious activities exploiting the Internet. However, the proliferation of anonymous communication systems on the Internet has posed significant challenges to providing such traceback capability. In this paper, we develop a new class of flow marking technique for invisible traceback based on Direct Sequence Spread Spectrum (DSSS), utilizing a Pseudo-Noise (PN) code. By interfering with a sender's traffic and marginally varying its rate, an investigator can embed a secret spread spectrum signal into the sender's traffic. The embedded signal is carried along with the traffic from the sender to the receiver, so the investigator can recognize the corresponding communication relationship, tracing the messages despite the use of anonymous networks. The secret PN code makes it difficult for others to detect the presence of such embedded signals, so the traceback, while available to investigators, is effectively invisible. We demonstrate a practical flow marking system which requires no training, and can achieve both high detection and low false positive rates.
Using a combination of analytical modeling, simulations, and experiments on Tor (a popular Internet anonymous communication system), we demonstrate the effectiveness of the DSSS-based flow marking technique.

* This work was partially sponsored by South Dakota Governor Individual Research Seed Grant Program, and the Project of The South Dakota Electronic Health Record Assessment (SDEHRA) from South Dakota Department of Health. Any opinions, findings, conclusions, and/or recommendations expressed in this material, either expressed or implied, are those of the authors and do not necessarily reflect the views of the sponsors listed above. The authors would like to acknowledge Ms. Larisa Archer for her dedicated help to improve the paper and Dr. Tom Halverson for his support of this project.

1 Introduction

In order to conduct lawful surveillance, law enforcement agencies need the ability to trace Internet communications among those suspected of criminal or terrorist activities. Traditionally, the source and destination IP addresses in an IP header have allowed investigators to trace communication sessions and determine corresponding participants, timing, frequency, and quantity. However, the proliferation of anonymous communication systems [1, 2, 3, 4] on the Internet has posed significant challenges to effectively tracing communications. For example, web file downloading can be disguised using anonymous communication systems such as Tor [4, 5], preventing detection of illegal use in cases such as child pornography [5]. Terrorists or criminals might use anonymous communication systems to exchange information and develop plots, without being detected.

To preserve the capacity of tracing Internet communications despite anonymous channels, we must use traffic characteristics other than easily modified IP header information. For this purpose, we may use flow marking, introduced in [6].
To determine whether a sender is communicating with a receiver, an investigator, known as the interferer, can embed a series of marks (signals with a specific pattern) into the sender's traffic by interfering with the sender's outbound messages. Another investigator, known as the sniffer, eavesdrops on the receiver's inbound traffic. If a similar pattern of embedded marks is found in the receiver's traffic, the investigators know that the sender is communicating with the receiver. By tracing the marks, investigators may construct the full communication path.
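
The interferer/sniffer idea above can be seen in a small offline simulation. This is an added illustration, not code from the paper: the 7-bit LFSR code, the rate model (base rate 100, mark amplitude 2, Gaussian noise with standard deviation 4) and all function names are assumptions. It shows that each per-interval rate change is smaller than the noise, yet correlating with the secret PN code recovers the mark, while a different code sees almost nothing.

```python
import random

def pn_code(state, length=127):
    """+1/-1 chips from a 7-bit maximal-length LFSR (period 127)."""
    chips = []
    for _ in range(length):
        chips.append(1 if state & 1 else -1)
        fb = (state ^ (state >> 1)) & 1          # feedback from the two lowest bits
        state = (state >> 1) | (fb << 6)
    return chips

def embed(bits, code, base=100.0, amp=2.0, noise=4.0, seed=1):
    """Interferer side (assumed model): rate = base + amp*bit*chip + noise."""
    rng = random.Random(seed)                    # seeded so the run is repeatable
    return [base + amp * b * c + rng.gauss(0, noise)
            for b in bits for c in code]

def despread(rates, code):
    """Sniffer side: centre the series, then correlate each block with the code."""
    mean = sum(rates) / len(rates)
    n = len(code)
    return [sum((rates[i + j] - mean) * code[j] for j in range(n))
            for i in range(0, len(rates), n)]

def recover(rates, code):
    """Sign of each block correlation gives the recovered signal bit."""
    return [1 if c > 0 else -1 for c in despread(rates, code)]

def strength(rates, code):
    """Mean absolute block correlation: large only when the code matches."""
    corr = despread(rates, code)
    return sum(abs(c) for c in corr) / len(corr)

if __name__ == "__main__":
    mark = [1, -1, 1, 1, -1, -1, 1]              # constructed signal bits
    secret = pn_code(0x5A)                       # code shared by interferer and sniffer
    other = pn_code(0x13)                        # a different phase of the sequence
    rates = embed(mark, secret)
    print("recovered with secret code:", recover(rates, secret) == mark)
    print("correlation strength, secret vs other code:",
          round(strength(rates, secret)), round(strength(rates, other)))
```

The 127-chip code gives the matching correlator a gain of 127 over a single interval, which is why a mark of amplitude 2 stands out against noise of standard deviation 4.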