One of the key problems in detecting stepping stones is constructing correlations between connections. We focus on the use of detecting windows and propose two methods for constructing correlations between perturbed connections. The first method uses packet-based windows: within the attacker's perturbation range, the average inter-packet delay of the packets in a detecting window is made to increase periodically. The method can construct correlations in attacking connection chains by analysing the increase in the average inter-packet delay between the two connection chains. The second method uses time-based windows: it divides time into segments, forms the segments into groups, and uses pairs of groups to carry the watermarks. Both methods reduce the complexity of the correlation computation and improve detection efficiency. The second method even works under packet loss and reordering.
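As an added illustration of the first (packet-window) method, the following Python simulation is not code from the paper; the abstract does not give the algorithm, so the window size, the size of the periodic increase, the attacker's perturbation bound and the packet counts are all assumed values. The tracer delays packets on the upstream connection so that the average inter-packet delay (IPD) of every other detecting window rises by a fixed increment, a stepping stone then jitters every delay within a bound, and the detector checks whether a candidate downstream stream still shows the periodic increase while an unrelated interactive session does not.

```python
"""Packet-window inter-packet-delay (IPD) watermark correlation, simulated.

Constructed example (not the paper's code).  Window size, increment,
perturbation bound, period and packet counts are assumptions.
"""
import random
from statistics import mean

WINDOW = 50            # packets per detecting window (assumed)
INCREMENT = 0.200      # seconds added to every IPD of a marked window (assumed)
PERTURB_BOUND = 0.050  # attacker's per-packet timing jitter bound (assumed)
PERIOD = 2             # every PERIOD-th window is a marked window (assumed)


def interactive_ipds(n_packets, rng, mean_ipd=0.3):
    """Constructed keystroke-like inter-packet delays (exponential, mean 0.3 s)."""
    return [rng.expovariate(1.0 / mean_ipd) for _ in range(n_packets)]


def is_marked(window_index, period=PERIOD):
    """True for the windows whose average IPD the tracer raises."""
    return window_index % period == period - 1


def embed_watermark(ipds, window=WINDOW, increment=INCREMENT):
    """Upstream side: add `increment` to every IPD inside a marked window, so the
    window's average IPD rises by `increment` relative to its neighbours."""
    return [d + (increment if is_marked(i // window) else 0.0)
            for i, d in enumerate(ipds)]


def stepping_stone_perturb(ipds, rng, bound=PERTURB_BOUND):
    """Stepping stone / attacker: jitter each delay by at most `bound` seconds.
    A delay cannot go negative, so a window's average moves by at most `bound`."""
    return [max(0.0, d + rng.uniform(-bound, bound)) for d in ipds]


def window_averages(ipds, window=WINDOW):
    """Average IPD of each complete packet-based detecting window."""
    return [mean(ipds[k:k + window])
            for k in range(0, len(ipds) - window + 1, window)]


def watermark_score(ipds, window=WINDOW):
    """Mean of marked-window averages minus mean of unmarked-window averages.
    Close to INCREMENT for a watermarked stream, even after bounded perturbation;
    close to zero for an unrelated stream."""
    avgs = window_averages(ipds, window)
    marked = [a for i, a in enumerate(avgs) if is_marked(i)]
    unmarked = [a for i, a in enumerate(avgs) if not is_marked(i)]
    return mean(marked) - mean(unmarked)


def is_correlated(ipds, increment=INCREMENT, bound=PERTURB_BOUND):
    """Decide correlation with a threshold halfway between INCREMENT and zero.
    The decision is only meaningful when the increment exceeds twice the
    perturbation bound; otherwise the mark can be cancelled within that range."""
    if increment <= 2 * bound:
        raise ValueError("increment must exceed twice the perturbation bound")
    return watermark_score(ipds) > increment / 2


def simulate(seed=1, n_packets=2000):
    """Run one watermarked chain and one unrelated session through the detector."""
    rng = random.Random(seed)
    upstream = embed_watermark(interactive_ipds(n_packets, rng))
    downstream = stepping_stone_perturb(upstream, rng)          # same chain, perturbed
    unrelated = stepping_stone_perturb(interactive_ipds(n_packets, rng), rng)
    return {
        "downstream_score": watermark_score(downstream),
        "downstream_correlated": is_correlated(downstream),
        "unrelated_score": watermark_score(unrelated),
        "unrelated_correlated": is_correlated(unrelated),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The detector only needs the embedding schedule, not the raw upstream timings, which is what keeps the correlation computation cheap. Two caveats follow directly from the construction: the increment has to exceed twice the perturbation bound the attacker is allowed, and a packet-based window assumes both sides see the same packet count, so a single lost or reordered packet shifts every later window boundary. That limitation is the reason the abstract's second method switches to time-based windows.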