The loop fallacy and deterministic serialisation in tracing intrusion connections through stepping stones

In order to conceal their identity and origin, network-based intruders seldom attack directly from their own hosts, but rather stage their attacks through intermediate 'stepping stones'. To identify attackers behind stepping stones, it is necessary to be able to trace and correlate attack traffic through the stepping stones and construct the correct intrusion connection chain. A complete solution to the stepping stones tracing problem consists of two complementary parts. Firstly, the set of correlated connections that belongs to the same intrusion connection chain has to be identified; secondly, those correlated connections need to be serialised in order to construct the accurate and complete intrusion connection chain. Existing approaches to the problem of tracing intrusion connections through stepping stones have focused on identifying the set of correlated connections that belong to the same connection chain and have overlooked the serialisation of those correlated connections. In this paper, we use a set-theoretic approach to analyse the theoretical limits of the correlation-only approach, demonstrate the gap between the perfect stepping stone correlation solution and the perfect solution to the stepping stones tracing problem, and show what it takes to fill the gap. Firstly, we identify the serialisation problem and the loop fallacy in tracing connections through stepping stones. We formally demonstrate that even the perfect correlation solution, which gives us all and only those connections that belong to the same connection chain, does not guarantee that the correlated connections can be serialised deterministically. Secondly, we show that the complete set of correlated connections, even with loops, can be serialised deterministically without a synchronised clock. We present an efficient intrusion path construction method based on adjacent correlated connection pairs. Finally, we show that the incomplete set of correlated connections resulting from a limited observing area of stepping stones only provides, in general, enough information to construct a partial order of subsequences of the connection chain, and we present an efficient way to determine when the incomplete set of correlated connections can be serialised deterministically.
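The following Python sketch, added here as an illustration and not the paper's own code, shows the two points of the abstract on a constructed chain that loops back through one stepping stone: host-level ordering becomes ambiguous at the revisited host (the loop fallacy), while chaining along adjacent correlated connection pairs serialises the chain without any clock, and an incomplete set of pairs yields only unordered subsequences. Connection ids, host names and the adjacency-pair encoding are assumptions of this example.

```python
"""Serialising correlated stepping-stone connections from adjacent pairs.
Illustrative code added alongside the abstract; it is not the paper's own
implementation. Connections are keyed by an id and map to (src, dst) hosts;
an adjacent pair (ci, cj) records, as seen at a stepping stone, that inbound
ci is continued by outbound cj. Host and connection names are constructed."""
from collections import defaultdict

# Constructed sample chain that loops back through s1:
#   attacker -> s1 -> s2 -> s1 -> victim
CONNS = {"c1": ("attacker", "s1"), "c2": ("s1", "s2"),
         "c3": ("s2", "s1"), "c4": ("s1", "victim")}
FULL_PAIRS = [("c1", "c2"), ("c2", "c3"), ("c3", "c4")]   # every stone observed
PARTIAL_PAIRS = [("c1", "c2"), ("c3", "c4")]              # s2 not observed


def ambiguous_hosts(conns):
    """Loop fallacy: ordering by hosts alone fails when a host is visited
    twice, because more than one correlated connection then leaves it."""
    leaving = defaultdict(list)
    for cid, (src, _dst) in conns.items():
        leaving[src].append(cid)
    return {h: cids for h, cids in leaving.items() if len(cids) > 1}


def serialise(conns, pairs):
    """Chain the connections along the adjacent pairs (no clocks needed).
    Returns the maximal subsequences; a single subsequence covering every
    connection means the chain is fully and deterministically serialised."""
    nxt, prev = {}, {}
    for a, b in pairs:
        if nxt.setdefault(a, b) != b or prev.setdefault(b, a) != a:
            raise ValueError("conflicting adjacency involving %s -> %s" % (a, b))
    heads = [c for c in conns if c not in prev]          # no known predecessor
    paths = []
    for h in heads:
        path = [h]
        while path[-1] in nxt and nxt[path[-1]] not in path:
            path.append(nxt[path[-1]])
        paths.append(path)
    return paths


def is_deterministic(conns, pairs):
    """True only if the adjacent pairs yield one path over all connections."""
    paths = serialise(conns, pairs)
    return len(paths) == 1 and len(paths[0]) == len(conns)
```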
