Using Dynamic Programming Techniques to Detect Multi-hop Stepping-Stone Pairs in a Connection Chain

In network intrusion detection, a stepping-stone attack is one in which attackers use a sequence of intermediate (so-called stepping-stone) hosts to initiate attacks in order to hide their origins. We investigate a number of dynamic-programming-based pattern recognition approaches, together with our novel algorithm, for detecting correlation and similarity of two connections, not only into and out of a single stepping-stone host (consecutive streams) but also across multiple stepping-stone hosts. The goal of this paper is to find out which technique is better suited to detection applications. To evaluate their accuracy and efficiency, we conduct extensive experiments. We also evaluate how chaff packets and time skew may affect these methods. We compare the results from five methods by their false positive and false negative rates. We demonstrate that our proposed approach, named OSSM, performs very well even under a variety of complex circumstances.
