Detecting Intruders Using a Long Connection Chain to Connect to a Host

A common technique attackers use to break into a computer host is to route their traffic through a chain of stepping-stone hosts, so that the host under attack sees only the last hop and the true origin is hidden. There is no valid reason to use a long connection chain for an interactive remote login such as an SSH session. One way to protect a host from being attacked is therefore to identify long connection chains connecting into it. This paper proposes a novel method to separate long connection chains from short ones using a pre-computed profile of short chains. Each new connection is compared against the profile, and any connection that differs significantly from it is flagged as a suspicious long chain. Several methods are used to adjust for the different typing speeds of users, since typing behaviour would otherwise be confused with chain delay. Validation results show that more than 80% of long chains are correctly detected for chains of length 4 or higher.
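The following is an added illustration of the profile-compare-flag structure described above; it is not the paper's code, and the concrete choices are assumptions: the per-keystroke feature is the "reply delay" observed at the target host (time from the host sending an echo to the next keystroke arriving, which contains the round trip through every hop when the user waited for the echo), the typing-speed adjustment is a low quantile on a log scale, the short-chain profile is a mean and standard deviation of that feature, and the sessions are synthetic data constructed inline. The `synth_session`, `build_profile` and `score` names are hypothetical.

```python
"""Added example: profile-based detection of long SSH connection chains.
Not the paper's implementation; feature, thresholds and data are assumptions."""
import math
import random
from statistics import mean, pstdev


# A session as seen at the target host: one (keystroke_arrival, echo_sent)
# pair per keystroke, in seconds. This record format is constructed here.
def reply_delays(session):
    """Reply delay k = arrival of keystroke k+1 minus the time echo k left.
    If the user waited to see the echo before typing on, this interval holds the
    full round trip through every hop of the chain plus the user's reaction time.
    Keystrokes that arrived before the echo left (the user typed ahead) carry no
    round-trip signal and are dropped."""
    delays = []
    for (_, echo_k), (arrival_next, _) in zip(session, session[1:]):
        d = arrival_next - echo_k
        if d > 0:
            delays.append(d)
    return delays


def quantile(values, q):
    s = sorted(values)
    return s[int(q * (len(s) - 1))]


def session_feature(session, q=0.1):
    """Typing-speed adjustment (assumed): think-time pauses dominate the upper
    tail of reply delays and vary wildly between users, whereas the chain round
    trip sets a floor under all of them. A low quantile on a log scale tracks
    that floor. Returns None when too few usable keystrokes were seen."""
    d = reply_delays(session)
    if len(d) < 10:
        return None
    return math.log(quantile(d, q))


def build_profile(short_sessions):
    """Pre-computed short-chain profile: mean and spread of the feature over
    sessions known to be direct or one-hop logins."""
    feats = [f for f in (session_feature(s) for s in short_sessions) if f is not None]
    return mean(feats), pstdev(feats)


def score(session, profile, z_threshold=3.0):
    """Compare a new connection to the profile; flag it when it deviates by more
    than z_threshold standard deviations. Returns (z, flagged) or None."""
    mu, sigma = profile
    f = session_feature(session)
    if f is None:
        return None
    z = (f - mu) / sigma
    return z, z > z_threshold


def synth_session(rng, chain_rtt, base_reaction, n=80):
    """Constructed data. chain_rtt: round trip through the whole chain (s);
    base_reaction: the user's minimum echo-to-next-keystroke reaction (s)."""
    t = 0.0
    session = []
    for _ in range(n):
        echo = t + rng.uniform(0.001, 0.003)  # host processing before echo
        session.append((t, echo))
        reply = chain_rtt + base_reaction + rng.uniform(0.0, 0.04)
        if rng.random() < 0.2:  # occasional think pause, user dependent
            reply += rng.uniform(0.5, 2.0)
        t = echo + reply
    return session


def demo():
    rng = random.Random(7)
    # Short-chain profile: one or two hops, a spread of typing speeds.
    short = [synth_session(rng, rtt, base)
             for rtt in (0.005, 0.02, 0.035, 0.05)
             for base in (0.05, 0.08, 0.12)]
    profile = build_profile(short)
    cases = {
        "short_fast": synth_session(rng, 0.02, 0.05),
        "short_slow": synth_session(rng, 0.05, 0.15),  # slow typist, direct login
        "long_4hop": synth_session(rng, 0.40, 0.05),   # roughly 100 ms per hop
    }
    return profile, {name: score(s, profile) for name, s in cases.items()}


if __name__ == "__main__":
    profile, results = demo()
    print("profile (mean, sd of log reply-delay floor):", profile)
    for name, r in results.items():
        print(f"{name:11s} z={r[0]:5.2f} flagged={r[1]}")
```

The slow typist on a direct login is the case the typing-speed adjustment has to survive: the user's reaction time alone raises the reply delays, so a mean-based feature would push that session toward the long-chain side, while the low quantile keeps it inside the profile. A session with too few usable keystrokes returns no verdict rather than a guess.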
