Detecting Stepping-Stone Intruders by Identifying Crossover Packets in SSH Connections

Routing packet traffic through a chain of hosts is a common technique for hackers to attack a victim server without exposing themselves. Generally, the use of a long connection chain to log in to a computer system is an indication of the presence of an intruder. This paper presents a new solution to the problem of detecting such long connection chains at the server side. Our hypothesis is that a long connection chain will cause Request and Response packets to cross each other along the chain. So even though we cannot directly observe the packet crossovers from the server side, we can observe some of their side effects. Thus, our detection algorithm is based on detecting this side effect of packet crossovers. We validated the algorithm using test data generated on the Internet. The results show a high detection rate of long connection chains of length three hops with a reasonable false positive rate.

[1]  Shou-Hsuan Stephen Huang,et al.  Matching TCP packets and its application to the detection of long connection chains on the Internet , 2005, 19th International Conference on Advanced Information Networking and Applications (AINA'05) Volume 1 (AINA papers).

[2]  Yin Zhang,et al.  Detecting Stepping Stones , 2000, USENIX Security Symposium.

[3]  Wanlei Zhou,et al.  Getting the Real-Time Precise Round-Trip Time for Stepping Stone Detection , 2010, 2010 Fourth International Conference on Network and System Security.

[4]  Shou-Hsuan Stephen Huang,et al.  Detecting Stepping-Stone Intruders with Long Connection Chains , 2009, 2009 Fifth International Conference on Information Assurance and Security.

[5]  Stefan Axelsson,et al.  Intrusion Detection Systems: A Survey and Taxonomy , 2002 .

[6]  Shou-Hsuan Stephen Huang,et al.  A clustering-partitioning algorithm to find TCP packet round-trip time for intrusion detection , 2006, 20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA'06).

[7]  Tatu Ylönen,et al.  The Secure Shell (SSH) Connection Protocol , 2006, RFC.

[8]  Peter G. Neumann,et al.  Experience with EMERALD to Date , 1999, Workshop on Intrusion Detection and Network Monitoring.

[9]  R.K. Cunningham,et al.  Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[10]  Kwong H. Yung Detecting Long Connection Chains of Interactive Terminal Sessions , 2002, RAID.

[11]  Stuart Staniford-Chen,et al.  Holding intruders accountable on the Internet , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[12]  Shou-Hsuan Stephen Huang,et al.  A real-time algorithm to detect long connection chains of interactive terminal sessions , 2004, InfoSecu '04.

[13]  Douglas S. Reeves,et al.  Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework , 2001, SEC.