论文信息 - Detection of stepping stone attack under delay and chaff perturbations

Detection of stepping stone attack under delay and chaff perturbations

Network based attackers often relay attacks through intermediary hosts (i.e., stepping stones) to evade detection. In addition, attackers make detection more difficult by encrypting attack traffic and introducing delay and chaff perturbations into stepping stone connections. Several approaches have been proposed to detect stepping stone attacks. However, none of them performs effectively when delay and chaff perturbations exist simultaneously. In this paper, we propose and analyze algorithms which represent that attackers cannot always evade detection only by adding limited delay and independent chaff perturbations. We provide the upper bounds on the number of packets needed to confidently detect stepping stone connections from non-stepping stone connections with any given probability of false attribution. We compare our algorithms with previous ones and the experimental results show that our algorithms are more effective in detecting stepping stone attacks in some scenarios

Yong Guan | Linfeng Zhang | Anthony G. Persaud | Alan Johnson

[1] Douglas S. Reeves,et al. Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays , 2003, CCS '03.

[2] Dawn Xiaodong Song,et al. Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds , 2004, RAID.

[3] Douglas S. Reeves,et al. Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework , 2001, SEC.

[4] Douglas S. Reeves,et al. Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones , 2002, ESORICS.

[5] Prepared by: BBN Technologies , 2003 .

[6] Hiroaki Etoh,et al. Finding a Connection Chain for Tracing Intruders , 2000, ESORICS.

[7] Yin Zhang,et al. Detecting Stepping Stones , 2000, USENIX Security Symposium.

[8] Vern Paxson,et al. Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay , 2002, RAID.

[9] Stuart Staniford-Chen,et al. Holding intruders accountable on the Internet , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[10] Yong Guan,et al. A testbed for evaluation and analysis of stepping stone attack attribution techniques , 2006, 2nd International Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities, 2006. TRIDENTCOM 2006..