An efficient TCP/IP packet matching algorithm to detect stepping-stone intrusion

Authors:
Jianhua Yang;Edward Bosworth
Affiliations:
Columbus State University, Columbus, GA;Columbus State University, Columbus, GA
Venue:
2009 Information Security Curriculum Development Conference
Year:
2009

Citing 9
Cited 0

Finding a Connection Chain for Tracing Intruders

ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
Holding intruders accountable on the Internet

SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
A real-time algorithm to detect long connection chains of interactive terminal sessions

InfoSecu '04 Proceedings of the 3rd international conference on Information security
Matching TCP Packets and Its Application to the Detection of Long Connection Chains on the Internet

AINA '05 Proceedings of the 19th International Conference on Advanced Information Networking and Applications - Volume 1
A Clustering-Partitioning Algorithm to Find TCP Packet Round-Trip Time for Intrusion Detection

AINA '06 Proceedings of the 20th International Conference on Advanced Information Networking and Applications - Volume 01
Detecting stepping stones

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Detecting long connection Chains of interactive terminal sessions

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Multiscale stepping-stone detection: detecting pairs of jittered interactive streams by exploiting maximum tolerable delay

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Finding TCP packet round-trip time for intrusion detection: algorithm and analysis

CANS'06 Proceedings of the 5th international conference on Cryptology and Network Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Estimating the length of a downstream TCP/IP interactive session to detect stepping-stone has been a hot topic in computer network security. The key idea of computing the length of a connection chain is to match TCP/IP send and echo packets. The SDC algorithm was proposed for this intention. Unfortunately SDC is not efficient in terms of time complexity. In this paper, the reason that causes SDC inefficient is analyzed, and a new algorithm SWAM using sliding window is proposed. The efficiency analysis shows that SWAM could reduce computation up to 99.99%. Two ways have been proposed to determine the size of a sliding window. One exploits matching result convergence feature, another way takes advantage of the features of TCP/IP protocol. The intention of the second way is to reduce the computation further because the first way still incurs some computations.