Detect Stepping-Stone Insider Attacks by Network Traffic Mining and Dynamic Programming

Stepping-stones are the most popular way of attacking other computers. Some insiders use stepping-stones to launch their attacks while pretending to be outsiders. In this paper, we propose a novel algorithm to detect stepping-stone insider attacks by comparing outgoing and incoming connections. We modify the existing packet matching algorithm by introducing a sliding window, which makes the algorithm more efficient and practicable. We also propose an algorithm that computes the similarity between two time-pair sequences by finding their longest common subsequence. The stepping-stone insider attack detection algorithm is easy to implement and to use, since no threshold is needed. The experimental results showed the effectiveness of the algorithm in detecting stepping-stone insider attacks.
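The pipeline the abstract describes, as an added illustration that is not the paper's own code: send packets are matched to their echoes with a sliding window to form time pairs, each connection's time-pair sequence is compared by a dynamic-programming longest common subsequence, and the outgoing connection most similar to an incoming one is reported. The gap-based comparison, the 50 ms tolerance, the ranking rule in place of a threshold and the sample timestamps are assumptions of this example.

```python
from typing import Dict, List, Tuple

TimePair = Tuple[float, float]          # (send time, echo time) in seconds
Conn = Tuple[List[float], List[float]]  # (send timestamps, echo timestamps)

def match_packets(sends: List[float], echoes: List[float], window: float = 1.0) -> List[TimePair]:
    """Pair each send with the first later echo inside a sliding window of `window`
    seconds; the echo cursor only moves forward, so matching is linear in packet count."""
    pairs: List[TimePair] = []
    j = 0
    for s in sends:
        while j < len(echoes) and echoes[j] <= s:  # an echo cannot precede its send
            j += 1
        if j < len(echoes) and echoes[j] - s <= window:  # else: send dropped (no echo)
            pairs.append((s, echoes[j]))
            j += 1
    return pairs

def to_gaps(pairs: List[TimePair]) -> List[TimePair]:
    """Inter-pair gaps (send gap, echo gap); a relayed session keeps its gaps even though absolute times shift (assumption)."""
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(pairs, pairs[1:])]

def lcs_similarity(a: List[TimePair], b: List[TimePair], tol: float = 0.05) -> float:
    """Dynamic-programming LCS where two gaps match when both components agree
    within `tol` seconds; returns LCS length divided by the longer length."""
    n, m = len(a), len(b)
    if n == 0 or m == 0:
        return 0.0
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            if abs(a[i - 1][0] - b[j - 1][0]) <= tol and abs(a[i - 1][1] - b[j - 1][1]) <= tol:
                dp[i][j] = dp[i - 1][j - 1] + 1
            else:
                dp[i][j] = max(dp[i - 1][j], dp[i][j - 1])
    return dp[n][m] / max(n, m)

def rank_outgoing(incoming: Conn, outgoing: Dict[str, Conn]) -> List[Tuple[str, float]]:
    """Score each outgoing connection against the incoming one, best first (ranking
    rather than a fixed cutoff is this example's decision rule, an assumption)."""
    in_gaps = to_gaps(match_packets(*incoming))
    scores = [(cid, lcs_similarity(in_gaps, to_gaps(match_packets(*c)))) for cid, c in outgoing.items()]
    return sorted(scores, key=lambda kv: kv[1], reverse=True)

# Constructed sample capture (not from the paper): the incoming keystroke rhythm reappears on "relay" ~10 ms later; "other" is unrelated.
INCOMING: Conn = ([0.00, 0.30, 0.55, 1.20, 1.50, 2.00, 2.50], [0.20, 0.50, 0.75, 1.40, 1.70, 2.20])
OUTGOING: Dict[str, Conn] = {
    "relay": ([0.01, 0.31, 0.56, 1.21, 1.51, 2.01], [0.16, 0.46, 0.71, 1.36, 1.66, 2.16]),
    "other": ([0.10, 0.90, 1.00, 1.05, 1.80, 2.60], [0.25, 1.05, 1.15, 1.20, 1.95, 2.75]),
}
```

Calling `rank_outgoing(INCOMING, OUTGOING)` on the constructed capture ranks "relay" first with similarity 1.0 and "other" last with 0.0; the incoming session's final send has no echo inside the window and is dropped by the sliding-window match.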
