Wide area traffic: the failure of Poisson modeling
IEEE/ACM Transactions on Networking (TON)
The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage
Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaws - by the Man Who Did It
Finding a Connection Chain for Tracing Intruders
ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
Holding intruders accountable on the Internet
SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
A Wavelet Tour of Signal Processing, Third Edition: The Sparse Way
Proceedings of the 10th ACM conference on Computer and communications security
The loop fallacy and serialization in tracing intrusion connections through stepping stones
Proceedings of the 2004 ACM symposium on Applied computing
The session token protocol for forensics and traceback
ACM Transactions on Information and System Security (TISSEC)
Providing process origin information to aid in computer forensic investigations
Journal of Computer Security
Tracking anonymous peer-to-peer VoIP calls on the internet
Proceedings of the 12th ACM conference on Computer and communications security
International Journal of Security and Networks
SRUTI'07 Proceedings of the 3rd USENIX workshop on Steps to reducing unwanted traffic on the internet
Detecting Stepping-Stone Intrusion and Resisting Evasion through TCP/IP Packets Cross-Matching
ATC '08 Proceedings of the 5th international conference on Autonomic and Trusted Computing
A First Step towards Live Botmaster Traceback
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Multi-flow attacks against network flow watermarking schemes
SS'08 Proceedings of the 17th conference on Security symposium
De-anonymizing the internet using unreliable IDs
Proceedings of the ACM SIGCOMM 2009 conference on Data communication
Neural networks-based detection of stepping-stone intrusion
Expert Systems with Applications: An International Journal
Timing-based localization of in-band wormhole tunnels in MANETs
Proceedings of the third ACM conference on Wireless network security
A performance analysis of authentication using covert timing channels
NETWORKING'08 Proceedings of the 7th international IFIP-TC6 networking conference on AdHoc and sensor networks, wireless networks, next generation internet
Distributed detection of multi-hop information flows with fusion capacity constraints
IEEE Transactions on Signal Processing
Evading stepping-stone detection under the cloak of streaming media with SNEAK
Computer Networks: The International Journal of Computer and Telecommunications Networking
On the secrecy of spread-spectrum flow watermarks
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Packet scheduling against stepping-stone attacks with chaff
MILCOM'06 Proceedings of the 2006 IEEE conference on Military communications
An efficient TCP/IP packet matching algorithm to detect stepping-stone intrusion
2009 Information Security Curriculum Development Conference
An interval centroid based spread spectrum watermarking scheme for multi-flow traceback
Journal of Network and Computer Applications
Resistance analysis to intruders' evasion of detecting intrusion
ISC'06 Proceedings of the 9th international conference on Information Security
Resistance analysis to intruders’ evasion of a novel algorithm to detect stepping-stone
ATC'06 Proceedings of the Third international conference on Autonomic and Trusted Computing
Constructing correlations in attack connection chains using active perturbation
AAIM'05 Proceedings of the First international conference on Algorithmic Applications in Management
Constructing correlations of perturbed connections under packets loss and disorder
ICCNMC'05 Proceedings of the Third international conference on Networking and Mobile Computing
Interval-based flow watermarking for tracing interactive traffic
Computer Networks: The International Journal of Computer and Telecommunications Networking
Rate-Based watermark traceback: a new approach
ISPEC'10 Proceedings of the 6th international conference on Information Security Practice and Experience
Probabilistic proof of an algorithm to compute TCP packet round-trip time for intrusion detection
ACNS'06 Proceedings of the 4th international conference on Applied Cryptography and Network Security
Finding TCP packet round-trip time for intrusion detection: algorithm and analysis
CANS'06 Proceedings of the 5th international conference on Cryptology and Network Security
Unsupervised and nonparametric detection of information flows
Signal Processing
New attacks on timing-based network flow watermarks
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Stepping-stone detection via request-response traffic analysis
ATC'07 Proceedings of the 4th international conference on Autonomic and Trusted Computing
Collaboration-Preserving authenticated encryption for operational transformation systems
ISC'12 Proceedings of the 15th international conference on Information Security
Computer attackers frequently relay their attacks through a compromised host at an innocent site, thereby obscuring the true origin of the attack. There is a growing literature on ways to detect that an interactive connection into a site and another outbound from the site give evidence of such a "stepping stone." This has been done based on monitoring the access link connecting the site to the Internet (e.g., [7, 11, 8]). The earliest work was based on connection content comparisons but more recent work has relied on timing information in order to compare encrypted connections. Past work on this problem has not yet attempted to cope with the ways in which intruders might attempt to modify their traffic to defeat stepping stone detection. In this paper we give the first consideration to constraining such intruder evasion. We present some unexpected results that show there are theoretical limits on the ability of attackers to disguise their traffic in this way for sufficiently long connections. We consider evasions that consist of local jittering of packet arrival times (without addition and subtraction of packets), and also the addition of superfluous packets which will be removed later in the connection chain (chaff). To counter such evasion, we assume that the intruder has a "maximum delay tolerance." By using wavelets and similar multiscale methods, we show that we can separate the short-term behavior of the streams - where the jittering or chaff indeed masks the correlation - from the long-term behavior of the streams - where the correlation remains. It therefore appears, at least in principle, that there is an effective countermeasure to this particular evasion tactic, at least for sufficiently long-lived interactive connections.
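The multiscale argument can be seen on synthetic data. The following is an added example, not code from the paper: it compares packet counts in windows of increasing width, a simple stand-in for the paper's wavelet analysis, and models only the jitter evasion (no chaff). The traffic model (Pareto gaps), the 2-second delay bound, the window widths and all function names are assumptions made for illustration.

```python
import random

MAX_DELAY = 2.0  # assumed "maximum delay tolerance" in seconds (constructed value)

def interactive_stream(n, seed):
    """Constructed arrival times with heavy-tailed (Pareto) gaps, like keystroke traffic."""
    rng, t, out = random.Random(seed), 0.0, []
    for _ in range(n):
        t += 0.2 * rng.paretovariate(1.5)
        out.append(t)
    return out

def jitter(times, max_delay, seed):
    """Evasion model: every packet is held back by at most max_delay; none added or dropped."""
    rng = random.Random(seed)
    return sorted(t + rng.uniform(0.0, max_delay) for t in times)

def bin_counts(times, width, horizon):
    """Packet counts per window of `width` seconds; partial last window is dropped."""
    counts = [0] * int(horizon / width)
    for t in times:
        k = int(t / width)
        if k < len(counts):
            counts[k] += 1
    return counts

def pearson(a, b):
    """Sample correlation coefficient; 0.0 if either series is constant."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0

def correlation_by_scale(a, b, widths):
    """Correlate two streams' window counts at each time scale over their common span."""
    horizon = min(a[-1], b[-1])
    return {w: pearson(bin_counts(a, w, horizon), bin_counts(b, w, horizon)) for w in widths}

inbound = interactive_stream(20000, seed=1)
relayed = jitter(inbound, MAX_DELAY, seed=2)    # same connection, jittered on the way out
unrelated = interactive_stream(20000, seed=3)   # independent connection, for comparison
WIDTHS = [0.1, 1.0, 8.0, 64.0]                  # window widths in seconds, fine to coarse
related_corr = correlation_by_scale(inbound, relayed, WIDTHS)
unrelated_corr = correlation_by_scale(inbound, unrelated, WIDTHS)

if __name__ == "__main__":
    for w in WIDTHS:
        print(f"{w:6.1f}s  related={related_corr[w]:+.2f}  unrelated={unrelated_corr[w]:+.2f}")
```

At window widths well below the delay bound the jittered copy looks nearly uncorrelated with its source, while at widths far above it the counts track each other closely and the independent stream still does not.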