Robust Detection of Stepping-Stone Attacks

Abstract: The detection of encrypted stepping-stone attacks is considered. Besides encryption and padding, the attacker is capable of inserting chaff packets and perturbing packet timing and transmission order. Based on the assumption that packet arrivals form renewal processes, and that a pair of such renewal processes is also renewal, a nonparametric detector is proposed to detect attacking traffic by testing the correlation between interarrival times in the incoming process and the outgoing process. The detector requires no knowledge of the interarrival distributions, and it is shown to have exponentially decaying detection error probabilities for all distributions. The error exponents are characterized using the Vapnik-Chervonenkis Theory. An efficient algorithm is proposed based on the detector structure to detect renewal processes with linearly correlated interarrival times. It is shown that the proposed algorithm is robust against an amount of chaff arbitrarily close to the amount of chaff needed to mimic independent processes.
