Finding a Connection Chain for Tracing Intruders
ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
Holding intruders accountable on the Internet
SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
A real-time algorithm to detect long connection chains of interactive terminal sessions
InfoSecu '04 Proceedings of the 3rd international conference on Information security
Matching TCP Packets and Its Application to the Detection of Long Connection Chains on the Internet
AINA '05 Proceedings of the 19th International Conference on Advanced Information Networking and Applications - Volume 1
A Clustering-Partitioning Algorithm to Find TCP Packet Round-Trip Time for Intrusion Detection
AINA '06 Proceedings of the 20th International Conference on Advanced Information Networking and Applications - Volume 01
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Detecting long connection Chains of interactive terminal sessions
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Finding TCP packet round-trip time for intrusion detection: algorithm and analysis
CANS'06 Proceedings of the 5th international conference on Cryptology and Network Security
Estimating the length of a downstream TCP/IP interactive session to detect stepping stones has been a hot topic in computer network security. The key idea in computing the length of a connection chain is to match TCP/IP send packets with their echo packets. The SDC algorithm was proposed for this purpose. Unfortunately, SDC is not efficient in terms of time complexity. In this paper, the reason SDC is inefficient is analyzed, and a new sliding-window algorithm, SWAM, is proposed. The efficiency analysis shows that SWAM can reduce computation by up to 99.99%. Two ways have been proposed to determine the size of the sliding window. One exploits the convergence of the matching results; the other takes advantage of features of the TCP/IP protocol. The intention of the second way is to reduce the computation further, because the first way still incurs some computation.