Constructing correlations of perturbed connections under packets loss and disorder

Authors:
Qiang Li;Qinyuan Feng;Kun Liu;Jiubin Ju
Affiliations:
Department of Computer Science, JiLin University, ChangChun, JiLin, China;Department of Computer Science, JiLin University, ChangChun, JiLin, China;Department of Computer Science, JiLin University, ChangChun, JiLin, China;Department of Computer Science, JiLin University, ChangChun, JiLin, China
Venue:
ICCNMC'05 Proceedings of the Third international conference on Networking and Mobile Computing
Year:
2005

Citing 9
Cited 0

Finding a Connection Chain for Tracing Intruders

ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones

ESORICS '02 Proceedings of the 7th European Symposium on Research in Computer Security
Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework

IFIP/Sec '01 Proceedings of the IFIP TC11 Sixteenth Annual Working Conference on Information Security: Trusted Information: The New Decade Challenge
Holding intruders accountable on the Internet

SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays

Proceedings of the 10th ACM conference on Computer and communications security
Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets

ICDCSW '05 Proceedings of the Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05) - Volume 02
Detecting stepping stones

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Detecting long connection Chains of interactive terminal sessions

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Multiscale stepping-stone detection: detecting pairs of jittered interactive streams by exploiting maximum tolerable delay

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

One of the key problems of detecting stepping stones is the construction of connections' correlations. We focus on the use of detecting windows and propose two methods for constructing correlations of perturbed connections. Within the attacker's perturbation range, the first method uses packet-based window and the average value of the packets in the detecting window is set to increase periodically. The method can construct correlations in attacking connection chains by analyzing the increase of the average value of the inter-packet delay between the two connection chains. The second method uses time-based windows. It divides time into segments, forms segments into groups and uses pairs of groups to take the watermarks. These methods can reduce the complexity of correlation computations and improve the efficiency of detecting. The second method can even work under packets loss and disorder.