Correlating TCP/IP Interactive Sessions with Correlation Coefficient to Detect Stepping-Stone Intrusion

Most network intruders launch their attacks through stepping-stones to reduce the risk of being discovered. One prevalent, challenging, and critical way to uncover such intrusions is to compare an incoming connection with outgoing connections to determine whether a computer is being used as a stepping-stone. In this paper, we present an approach that uses a signal-processing technique, the correlation coefficient (such as Spearman Rank, Kendall Tau Rank, and Pearson Product-Moment), to correlate two sessions and identify stepping-stone intrusions. The contribution of this paper is that we are the first to apply correlation coefficients to stepping-stone intrusion detection and, more importantly, that it is not necessary to monitor a session for a long time to conclude that a stepping-stone intrusion is taking place. The experimental results showed that a stepping-stone intrusion can be detected while an intruder is entering the username and password. Further work is needed to test whether this approach can resist intruders' evasion.
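The following is an added example, not code from the paper: it computes the three coefficients named above for an incoming session against two outgoing sessions on a monitored host. The abstract does not say which per-packet feature is correlated, so inter-packet gaps, one-to-one packet pairing, the 0.9 threshold and all timestamps are assumptions constructed for illustration.

```python
import math

def gaps(ts):
    """Inter-packet gaps in seconds (assumed feature, not stated in the abstract)."""
    return [b - a for a, b in zip(ts, ts[1:])]

def pearson(x, y):
    n = len(x)
    if n < 2: return 0.0
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy) if sx and sy else 0.0

def ranks(v):
    """1-based ranks; tied values share their average rank."""
    order, r, i = sorted(range(len(v)), key=v.__getitem__), [0.0] * len(v), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and v[order[j + 1]] == v[order[i]]:
            j += 1
        for k in range(i, j + 1):
            r[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return r

def spearman(x, y):
    return pearson(ranks(x), ranks(y))

def kendall_tau(x, y):
    """Kendall tau-b: pairs tied in both sequences are ignored."""
    c = d = tx = ty = 0
    for i in range(len(x)):
        for j in range(i + 1, len(x)):
            dx, dy = x[i] - x[j], y[i] - y[j]
            if dx * dy > 0: c += 1      # concordant pair
            elif dx * dy < 0: d += 1    # discordant pair
            elif dx: ty += 1            # tied only in y
            elif dy: tx += 1            # tied only in x
    den = math.sqrt((c + d + tx) * (c + d + ty))
    return (c - d) / den if den else 0.0

def correlate(in_ts, out_ts):
    x, y = gaps(in_ts), gaps(out_ts)
    n = min(len(x), len(y))  # assumption: packets pair one-to-one, in order
    x, y = x[:n], y[:n]
    return {"pearson": pearson(x, y), "spearman": spearman(x, y), "kendall": kendall_tau(x, y)}

def same_chain(in_ts, out_ts, threshold=0.9):  # threshold is an assumed value
    return all(v >= threshold for v in correlate(in_ts, out_ts).values())

# Constructed timestamps (seconds) for a short login-length burst of packets.
INCOMING = [0.0, 0.21, 0.39, 0.74, 0.86, 1.26, 1.51, 2.41, 2.56, 2.86, 3.08]
RELAYED = [0.05, 0.263, 0.441, 0.795, 0.914, 1.316, 1.563, 2.464, 2.616, 2.912, 3.133]
UNRELATED = [0.02, 0.32, 0.87, 0.99, 1.44, 2.04, 2.14, 2.34, 2.84, 3.54, 3.69]
```

`same_chain(INCOMING, RELAYED)` flags the relayed pair because small forwarding jitter preserves both the values and the rank order of the gaps, while the unrelated session stays near zero on all three coefficients.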
