A SURVEY OF RESEARCH IN STEPPING-STONE DETECTION

A stepping-stone attack routes network connections from an attacker to a victim through one or more intermediate compromised hosts or devices. The objective is to hide the attacker's identity (provide anonymity) and make traceback difficult or impossible. Evasion techniques used to frustrate detection include encryption, insertion of dummy packets (chaff) into the stream, deliberate delay added to the timing of the packet stream, long connection chains through many compromised hosts (many hops), and intermixing command-and-control traffic with multimedia traffic to mask the traffic's timing characteristics. This paper surveys characteristic-based, interactive stepping-stone detection and analysis techniques. An overview of the field is presented with a critique of some of the methods used, and we identify several open topics for further research.
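The following is an added illustration, not code from the survey or from any of the works it covers, of what "characteristic-based" detection of an interactive connection chain looks like and how two of the evasions named above (timing perturbation and chaff) degrade it. The scoring rule is loosely modelled on the ON/OFF idle-period idea of Zhang and Paxson ("Detecting Stepping Stones", USENIX Security 2000): a keystroke-driven session alternates between bursts of packets and idle OFF periods, and the inbound stream and the outbound stream that relays it end their OFF periods at almost the same instants, which survives encryption because only timing is used. All timestamps are constructed synthetically; the constants IDLE_GAP, DELTA, THRESHOLD and min_hits are assumed values chosen for the illustration, and the function names are mine.

```python
"""Idle-period coincidence scoring for interactive stepping-stone detection.

Added illustration (not the survey's code). Two packet-timestamp streams are
compared only on when their idle (OFF) periods end; payloads are never used,
so encryption does not matter. Evasions: per-packet delay beyond the
detector's tolerance, and chaff packets that fill the idle gaps.
"""
import random

IDLE_GAP = 0.5    # seconds of silence that close an ON period (assumed)
DELTA = 0.08      # OFF periods coincide if they end within this window (assumed)
THRESHOLD = 0.5   # decision threshold on the coincidence score (assumed)


def interactive_stream(rng, n_packets, start=0.0):
    """Constructed keystroke-like arrival times: ~150 ms typing gaps plus
    occasional multi-second pauses that create OFF periods."""
    t, times = start, []
    for _ in range(n_packets):
        gap = rng.expovariate(1 / 0.15)
        if rng.random() < 0.1:
            gap += rng.uniform(1.0, 3.0)         # user stops to think
        t += gap
        times.append(t)
    return times


def relay(times, rng, base_delay=0.02, jitter=0.0):
    """Outbound copy of an inbound stream as a stepping stone emits it: a fixed
    forwarding delay plus an optional per-packet random delay (the attacker's
    timing perturbation). Sorting models packets overtaking each other when
    the added delay exceeds the gap between them."""
    return sorted(t + base_delay + rng.uniform(0.0, jitter) for t in times)


def add_chaff(times, rng, rate_per_s):
    """Insert dummy packets at uniformly random times across the stream, so the
    idle gaps of the outbound stream no longer line up with the inbound ones."""
    span = times[-1] - times[0]
    chaff = [rng.uniform(times[0], times[-1]) for _ in range(int(rate_per_s * span))]
    return sorted(times + chaff)


def off_period_ends(times, idle_gap=IDLE_GAP):
    """Timestamps of the packets that end an OFF period (idle >= idle_gap)."""
    return [times[i] for i in range(1, len(times)) if times[i] - times[i - 1] >= idle_gap]


def coincidence_score(inbound, outbound, delta=DELTA):
    """Fraction of OFF-period ends matched one-to-one (greedily, in time order)
    between the two streams within +/- delta. Returns (score, hits)."""
    ends_in, ends_out = off_period_ends(inbound), off_period_ends(outbound)
    if not ends_in or not ends_out:
        return 0.0, 0
    j, hits = 0, 0
    for t in ends_in:
        while j < len(ends_out) and ends_out[j] < t - delta:
            j += 1                               # outbound end too early: skip it
        if j < len(ends_out) and abs(ends_out[j] - t) <= delta:
            hits += 1
            j += 1                               # consume the matched outbound end
    return hits / min(len(ends_in), len(ends_out)), hits


def is_relay_pair(inbound, outbound, threshold=THRESHOLD, min_hits=5):
    """Decision rule: enough coincidences, and a high enough fraction of them."""
    score, hits = coincidence_score(inbound, outbound)
    return score >= threshold and hits >= min_hits


def demo(seed=7):
    """Score the true relay, an unrelated session, and the two evasions."""
    rng = random.Random(seed)
    inbound = interactive_stream(rng, 300)
    unrelated = interactive_stream(rng, 300, start=rng.uniform(0.0, 5.0))
    clean = relay(inbound, rng, jitter=0.03)          # honest hop: delay within DELTA
    jittered = relay(inbound, rng, jitter=0.50)       # delay perturbation far beyond DELTA
    chaffed = add_chaff(clean, rng, rate_per_s=4.0)   # chaff fills the idle gaps
    return {
        "relay": coincidence_score(inbound, clean)[0],
        "unrelated": coincidence_score(inbound, unrelated)[0],
        "relay+jitter": coincidence_score(inbound, jittered)[0],
        "relay+chaff": coincidence_score(inbound, chaffed)[0],
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:13s} score={score:.2f}")
```

Running the demo shows the relayed stream scoring near 1.0 and the unrelated session near 0, while both evasions pull the relayed stream's score well below the threshold; this is the trade-off the survey's later sections turn on, since larger delay costs the attacker interactivity and chaff costs bandwidth and is itself detectable by other characteristics.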
