Stepping-stone detection algorithm based on order preserving mapping

Intruders often do not attack victim hosts directly from their own hosts, so as not to reveal their identity. Instead, they route their attacks through a sequence of intermediary hosts before reaching the target. This type of attack is known as a "stepping-stone attack". Stepping-stone detection determines whether a host machine is being used as a stepping-stone by attackers. In this paper, we propose an algorithm for stepping-stone detection that builds on a previous mapping-based detection method. The technique reduces the detection problem to finding a mapping between two streams of packets. If our algorithm cannot find the mapping, then no such mapping exists. If a mapping does exist, the proposed algorithm is guaranteed to find one, and the solution will always be the minimum-indexed one. We provide a proof of the correctness of the algorithms. Furthermore, the algorithm has a low time complexity. The paper also discusses the effect of chaff packets on the ability to detect stepping-stones.
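The following sketch is an added illustration, not the paper's algorithm or code: a greedy search for an order-preserving mapping from an incoming packet stream to an outgoing one. It assumes sorted timestamps in milliseconds and a maximum relay delay `max_delay_ms`; that matching rule and all names are assumptions, since the abstract does not state them.

```python
from bisect import bisect_left
from typing import List, Optional

def min_index_mapping(incoming: List[int], outgoing: List[int],
                      max_delay_ms: int) -> Optional[List[int]]:
    """Map each incoming packet to a distinct outgoing packet, keeping order.

    Assumed rule: incoming[i] may map to outgoing[j] only if
    0 <= outgoing[j] - incoming[i] <= max_delay_ms. Both lists must be sorted.
    Returns the smallest-index mapping, or None when no mapping exists.
    """
    mapping: List[int] = []
    next_free = 0  # outgoing packets before this index are already used or skipped
    for t_in in incoming:
        # Earliest unused outgoing packet sent at or after t_in.
        j = bisect_left(outgoing, t_in, lo=next_free)
        # Every valid mapping must pick an index >= j here, so if j is
        # already too late (or missing), no mapping exists at all.
        if j == len(outgoing) or outgoing[j] - t_in > max_delay_ms:
            return None
        mapping.append(j)
        next_free = j + 1
    return mapping

def unmatched_outgoing(mapping: List[int], outgoing_len: int) -> List[int]:
    """Outgoing indices left unmapped, i.e. candidate chaff packets."""
    used = set(mapping)
    return [j for j in range(outgoing_len) if j not in used]

# Constructed sample timestamps (ms); not measurements from the paper.
INCOMING = [0, 500, 1200, 2000]
RELAYED = [50, 300, 580, 1250, 1900, 2100]   # 300 and 1900 act as chaff
UNRELATED = [400, 450, 1000, 3000, 3100]

if __name__ == "__main__":
    m = min_index_mapping(INCOMING, RELAYED, 200)
    print("relayed pair:", m, "chaff:", unmatched_outgoing(m, len(RELAYED)))
    print("unrelated pair:", min_index_mapping(INCOMING, UNRELATED, 200))
```

Because each step takes the earliest usable outgoing packet, a failure at any step rules out every other order-preserving mapping under the same delay bound. The skipped indices show how inserted chaff packets are absorbed by the search.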
