TCP/IP illustrated (vol. 1): the protocols
TCP/IP illustrated (vol. 1): the protocols
Experience with EMERALD to Date
Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Holding intruders accountable on the Internet
SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
The loop fallacy and serialization in tracing intrusion connections through stepping stones
Proceedings of the 2004 ACM symposium on Applied computing
A real-time algorithm to detect long connection chains of interactive terminal sessions
InfoSecu '04 Proceedings of the 3rd international conference on Information security
International Journal of Security and Networks
Detecting Stepping-Stone Intrusion and Resisting Evasion through TCP/IP Packets Cross-Matching
ATC '08 Proceedings of the 5th international conference on Autonomic and Trusted Computing
Neural networks-based detection of stepping-stone intrusion
Expert Systems with Applications: An International Journal
An efficient TCP/IP packet matching algorithm to detect stepping-stone intrusion
2009 Information Security Curriculum Development Conference
Resistance analysis to intruders' evasion of detecting intrusion
ISC'06 Proceedings of the 9th international conference on Information Security
Resistance analysis to intruders’ evasion of a novel algorithm to detect stepping-stone
ATC'06 Proceedings of the Third international conference on Autonomic and Trusted Computing
Constructing correlations in attack connection chains using active perturbation
AAIM'05 Proceedings of the First international conference on Algorithmic Applications in Management
Constructing correlations of perturbed connections under packets loss and disorder
ICCNMC'05 Proceedings of the Third international conference on Networking and Mobile Computing
Probabilistic proof of an algorithm to compute TCP packet round-trip time for intrusion detection
ACNS'06 Proceedings of the 4th international conference on Applied Cryptography and Network Security
Finding TCP packet round-trip time for intrusion detection: algorithm and analysis
CANS'06 Proceedings of the 5th international conference on Cryptology and Network Security
| Hi-index | 0.00 |
To elude detection and capture, hackers chain many computers together to attack the victim computer from a distance. This report proposes a new strategy for detecting suspicious remote sessions, used as part of a long connection chain. Interactive terminal sessions behave differently on long chains than on direct connections. The time gap between a client request and the server delayed acknowledgment estimates the round-trip time to the nearest server. Under the same conditions, the time gap between a client request and the server reply echo provides information on how many hops downstream the final victim is located. By monitoring an outgoing connection for these two time gaps, echo-delay comparison can identify a suspicious session in isolation. Experiments confirm that echo-delay comparison applies to a range of situations and performs especially well in detecting outgoing connections with more than two hops downstream.