论文信息 - Detecting Stepping-Stone with Chaff Perturbations

Detecting Stepping-Stone with Chaff Perturbations

Attackers on the Internet like to indirectly launch network intrusions by using stepping-stones. In this paper, we propose a novel approach to decrease the packet bound by performing a transformation of packet difference of two streams of a host in order to distinguish stepping-stone connections. The adjustment is critical in the case of chaff perturbation by the intruder. Previous work requires the assumption that the total chaff packets be limited by a given number. We replaced the assumption by using a given chaff rate. It is found that after transformation, the bound range is much smaller for attacking connection, resulting in smaller probability of false negative detection.

Shou-Hsuan Stephen Huang | Han-Ching Wu

[1] Lang Tong,et al. Detecting Encrypted Stepping-Stone Connections , 2007, IEEE Transactions on Signal Processing.

[2] Feller William,et al. An Introduction To Probability Theory And Its Applications , 1950 .

[3] Yin Zhang,et al. Detecting Stepping Stones , 2000, USENIX Security Symposium.

[4] Douglas S. Reeves,et al. Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays , 2003, CCS '03.

[5] Vern Paxson,et al. Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay , 2002, RAID.

[6] Shou-Hsuan Stephen Huang,et al. Stepping-Stone Detection Via Request-Response Traffic Analysis , 2007, ATC.

[7] Stuart Staniford-Chen,et al. Holding intruders accountable on the Internet , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[8] Dawn Xiaodong Song,et al. Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds , 2004, RAID.

[9] Hiroaki Etoh,et al. Finding a Connection Chain for Tracing Intruders , 2000, ESORICS.