Neural networks-based detection of stepping-stone intrusion

When network intruders launch attacks against a victim host, they try to avoid revealing their identities by connecting to the victim indirectly through a sequence of intermediary hosts, called stepping-stones. One effective stepping-stone detection mechanism is to detect such a long connection chain by estimating the number of stepping-stones. Artificial neural networks provide the potential to identify and classify network activities. In this paper, we propose an approach that utilizes the analytical strengths of neural networks to detect stepping-stone intrusion. Two schemes are developed for neural network investigation. One uses eight packet variables and the other clusters a sequence of consecutive packet round-trip times. The experimental results show that, under both proposed schemes, neural networks work well as the detection tool, predicting the number of stepping-stones for incoming packets by monitoring a connection chain with a few packets. In addition, various transfer functions and learning rules are studied, and it is observed that using the Sigmoid transfer function and the Delta learning rule generally provides better prediction.
