Survey on network flow watermarking: model, interferences, applications, technologies and security

Abstract

Compared with passive flow correlation technologies based on flow characteristics, network flow watermarking, a kind of active flow correlation technology, is characterised by high accuracy, low false positive rate and short observation time. The basic framework and main elements of flow watermarking are formally described. The robustness and invisibility focused by flow watermarking as well as typical application scenarios (such as stepping-stone traceback, anonymous abuser correlation) of flow watermarking are expounded. The intra-flow and inter-flow interferences (such as repacketisation, packet reorder, delay normalisation, flow mixing, flow splitting and flow merging) faced by flow watermarking are briefly introduced. Analysis and comparison on different watermark carriers (packet payload, traffic rate, packet timing, packet number, packet length, packet order and hybrid carrier) based typical flow watermarking technologies, including flow fingerprinting technologies, are conducted, then, a review on security threats faced by flow watermarking, including multi-flow attack, mean-square autocorrelation attack, Kolmogorov–Smirnov test, BACKLIT detection and replication attack, and main countermeasures for increasing invisibility of flow watermarking is carried out. Current research hotspots and future development trends of flow watermarking are summarised and prospected from the aspects of architecture design, invisibility enhancement, adaptive capability improvement, performance evaluation, deployment and application.