Detecting stepping-stones under the influence of packet jittering

Hackers often use a chain of intermediate stepping-stone hosts to hide their identity before launching an attack. This type of stepping-stone attack can be detected by applying timing-based correlation algorithms to the connections in and out of a host. However, hackers can add chaff packets or jitter the original packets to decrease the detection rate of these correlation algorithms. This paper proposes a novel method to detect intrusions under the influence of packet jittering. Our study shows how the distribution of the inter-arrival time gaps of a jittered connection differs from that of connections without jittering. We study how the jittering probability model and the parameters of that model affect the detection rate. Our study suggests a way to detect stepping-stones and complements the existing correlation-based stepping-stone detection algorithms to form a much more robust solution.
