Mining Network Traffic with the k-Means Clustering Algorithm for Stepping-Stone Intrusion Detection

Intruders on the Internet usually launch network attacks through compromised hosts, called stepping stones, in order to reduce the chance of being detected. In a stepping-stone intrusion, an attacker uses tools such as SSH to log in to several compromised hosts remotely, creating an interactive connection chain, and then sends attack packets to a target system. An effective method to detect such an intrusion is to estimate the length of the connection chain. In this paper, we develop an efficient algorithm to detect stepping-stone intrusion by mining network traffic with k-means clustering. Existing approaches to connection-chain-based stepping-stone intrusion detection are either not effective or require a large number of TCP packets to be captured and processed and, thus, are not efficient. Our proposed detection algorithm can accurately determine the length of a connection chain without requiring a large number of TCP packets to be captured and processed, so it is more efficient. It is also easier to implement than existing approaches to stepping-stone intrusion detection. The effectiveness, correctness, and efficiency of the proposed detection algorithm are verified through well-designed network experiments.
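As an added illustration of the chain-length idea above (not the paper's own code or its exact criterion): the block assumes that the clustered feature is the round-trip time between an outgoing SSH packet and its echo, that each downstream hop adds one distinct RTT level, and that the number of well-separated clusters approximates the chain length; the RTT samples are constructed, and the cluster-tightness tolerance and the alert threshold are assumed values.

```python
"""Estimate connection-chain length by 1-D k-means over round-trip times.

Assumptions (not from the paper's abstract): the clustered feature is the
round-trip time (RTT) in ms between an outgoing SSH packet and its echo,
each hop downstream of the monitored host adds one distinct RTT level, and
the number of well-separated clusters approximates the chain length.
"""
from statistics import mean

# Constructed RTT samples (ms) as if captured from one monitored SSH session
# over time; three latency levels are hidden in the interleaved sequence.
SAMPLE_RTTS_MS = [18.2, 68.0, 128.5, 19.5, 70.4, 131.0, 20.1, 71.2, 129.7,
                  21.3, 69.5, 132.2, 19.8, 72.1, 130.4, 20.6, 70.9, 129.1]


def kmeans_1d(values, k, max_iter=100):
    """Lloyd's algorithm on scalars with deterministic quantile seeding."""
    ordered = sorted(values)
    centers = [ordered[int(len(ordered) * (i + 0.5) / k)] for i in range(k)]
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for v in values:
            idx = min(range(k), key=lambda i: abs(v - centers[i]))
            clusters[idx].append(v)
        new_centers = [mean(c) if c else centers[i] for i, c in enumerate(clusters)]
        if new_centers == centers:
            break
        centers = new_centers
    return clusters


def estimate_chain_length(rtts, max_hops=8, tolerance_ms=10.0):
    """Smallest k whose clusters are all tighter than tolerance_ms (assumed rule)."""
    for k in range(1, max_hops + 1):
        clusters = kmeans_1d(rtts, k)
        if all(c and max(c) - min(c) <= tolerance_ms for c in clusters):
            return k
    return max_hops


def is_stepping_stone_chain(rtts, max_legitimate_hops=2):
    """Assumed policy: more downstream hops than a normal user needs -> alert."""
    return estimate_chain_length(rtts) > max_legitimate_hops


if __name__ == "__main__":
    print("estimated chain length:", estimate_chain_length(SAMPLE_RTTS_MS))
```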
