Packet Fluctuation Approach For Stepping-Stone Detection

To evade detection, network attackers usually launch intrusions through stepping-stones by building a long connection via intermediary hosts. To detect long connection chains, we first need to identify whether a host has been used as a stepping-stone. In this paper, we propose the packet fluctuation approach to detect stepping-stones based on the range of a random walk model. Two algorithms (transformation and packet size) are proposed for this approach to distinguish stepping-stone connections (ATTACK pairs) from normal connections (NORMAL pairs). We also show the effectiveness of our algorithms in detecting chaff perturbation. Both algorithms are found to identify stepping-stone connections effectively.
