论文信息 - Monitoring Network Traffic to Detect Stepping-Stone Intrusion

Monitoring Network Traffic to Detect Stepping-Stone Intrusion

Most network intruders tend to use stepping-stones to attack or to invade other hosts to reduce the risks of being discovered. There have been many approaches that were proposed to detect stepping-stone since 1995. One of those approaches proposed by A. Blum detects stepping-stone by checking if the difference between the number of the send packets of an incoming connection and the one of an outgoing connection is bounded. One weakness of this method is in resisting intruders' evasion, such as chaff perturbation. In this paper, we propose a method based on random walk theory to detect stepping-stone intrusion. Our theoretical analysis shows that the proposed method is more effective than Blum's approach in terms of resisting intruders' chaff perturbation.

Jianhua Yang | Byong Lee | Stephen S. H. Huang

[1] Shou-Hsuan Stephen Huang,et al. Matching TCP packets and its application to the detection of long connection chains on the Internet , 2005, 19th International Conference on Advanced Information Networking and Applications (AINA'05) Volume 1 (AINA papers).

[2] Dawn Xiaodong Song,et al. Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds , 2004, RAID.

[3] Kwong H. Yung. Detecting Long Connection Chains of Interactive Terminal Sessions , 2002, RAID.

[4] Yin Zhang,et al. Detecting Stepping Stones , 2000, USENIX Security Symposium.

[5] Vern Paxson,et al. Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay , 2002, RAID.

[6] J. Griffiths. The Theory of Stochastic Processes , 1967 .

[7] Hiroaki Etoh,et al. Finding a Connection Chain for Tracing Intruders , 2000, ESORICS.

[8] Stuart Staniford-Chen,et al. Holding intruders accountable on the Internet , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.