Mining TCP/IP packets to detect stepping-stone intrusion

An effective approach to detecting stepping-stone intrusion is to estimate the number of compromised hosts by estimating the length of a connection chain. This can be done by studying the changes in TCP packet round-trip time. In this paper, we propose a new algorithm that uses a data mining method to find the round-trip time from the timestamps of TCP send and echo packets. Previous algorithms produce either good packet matches on very few packets, or poor matches on many packets. This method gives better round-trip time estimates and more matched packets than previously proposed algorithms. It can estimate the length of a connection chain more accurately than other methods and largely decreases the false positive and false negative errors in detecting stepping-stone intrusion compared with existing methods.
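As an added illustration of the idea the abstract describes (this is not the paper's algorithm and not code from its authors), the Python below pairs outbound "send" packets of an interactive session with the returning "echo" packets, computes a round-trip time per pair, picks the dominant RTT cluster, and turns it into a crude chain-length estimate. The greedy matching rule, the 2 s matching window, the gap-based one-dimensional clustering, the 50 ms per-hop baseline and all function names are assumptions made for this example; the two packet captures are constructed, with a stray echo, an unanswered send and one RTT outlier included to show how they are handled.

```python
"""Constructed example: RTT-based estimate of an interactive connection chain's
length from send/echo packet timestamps. Not the paper's method."""
from collections import deque
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp in seconds (constructed)
    direction: str   # "send" = client -> server, "echo" = server -> client


def _capture(sends, echoes):
    """Build a constructed capture from two lists of timestamps."""
    return ([Packet(t, "send") for t in sends]
            + [Packet(t, "echo") for t in echoes])


# Constructed capture 1: direct login, echoes return ~50 ms after each send.
# Includes a stray echo at 3.0 (no pending send), an unanswered send at 4.0
# and one outlier pair (7.0 -> 7.4).
SHORT_CHAIN = _capture(
    sends=[0.0, 0.5, 1.0, 1.5, 2.0, 4.0, 7.0],
    echoes=[0.051, 0.549, 1.052, 1.548, 2.050, 3.0, 7.4],
)

# Constructed capture 2: same keystrokes relayed through more hops, so every
# echo comes back ~150 ms after its send.
LONG_CHAIN = _capture(
    sends=[0.0, 0.5, 1.0, 1.5, 2.0],
    echoes=[0.152, 0.648, 1.151, 1.649, 2.150],
)


def match_send_echo(packets, max_rtt=2.0):
    """Greedy matching (assumption, not the paper's rule): each echo is paired
    with the oldest still-unmatched send that precedes it by at most max_rtt
    seconds. Sends older than the window are dropped; echoes with no pending
    send are ignored. Returns a list of (send_ts, echo_ts) pairs."""
    pending = deque()   # unmatched send timestamps, oldest first
    pairs = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.direction == "send":
            pending.append(p.ts)
        elif p.direction == "echo":
            # Expire sends that are too old to be answered by this echo.
            while pending and p.ts - pending[0] > max_rtt:
                pending.popleft()
            if pending:
                pairs.append((pending.popleft(), p.ts))
    return pairs


def round_trip_times(pairs):
    """RTT of each matched pair in seconds."""
    return [echo - send for send, echo in pairs]


def dominant_rtt(rtt_values, tolerance=0.02):
    """Stand-in for the data-mining step (assumption): sort the RTTs, split
    them into clusters wherever two consecutive values differ by more than
    tolerance, and return the median of the most populated cluster. Outliers
    such as a single slow echo end up in their own small cluster."""
    if not rtt_values:
        return None
    values = sorted(rtt_values)
    clusters = [[values[0]]]
    for v in values[1:]:
        if v - clusters[-1][-1] <= tolerance:
            clusters[-1].append(v)
        else:
            clusters.append([v])
    return median(max(clusters, key=len))


def estimate_chain_length(rtt, per_hop_rtt=0.05):
    """Crude estimate (assumption): number of hops is the dominant RTT divided
    by a baseline per-hop RTT, never reported as less than one hop."""
    return max(1, round(rtt / per_hop_rtt))


def analyse(packets):
    """Full pipeline on one capture: returns (matched_pairs, dominant_rtt, hops)."""
    pairs = match_send_echo(packets)
    rtt = dominant_rtt(round_trip_times(pairs))
    return len(pairs), rtt, estimate_chain_length(rtt)


if __name__ == "__main__":
    for name, cap in (("short", SHORT_CHAIN), ("long", LONG_CHAIN)):
        n, rtt, hops = analyse(cap)
        print(f"{name}: {n} matched pairs, dominant RTT {rtt:.3f}s, ~{hops} hop(s)")
```

The point of the two captures is that the same keystroke pattern yields a clearly larger dominant RTT once the session is relayed through more hosts, which is the signal the abstract says a chain-length estimator should look at. The clustering step is what keeps one slow echo from shifting the estimate, and the matching window is what stops an unanswered send from being paired with a much later echo.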
