Finding TCP packet round-trip time for intrusion detection: algorithm and analysis

Authors:
Jianhua Yang;Byong Lee;Yongzhong Zhang
Affiliations:
Department of Mathematics and Computer Science, Bennett College, Greensboro, NC;Department of Mathematics and Computer Science, Bennett College, Greensboro, NC;College of Management, the University of Shanghai for Science and Technology, Shanghai, China
Venue:
CANS'06 Proceedings of the 5th international conference on Cryptology and Network Security
Year:
2006

Citing 8
Cited 1

Finding a Connection Chain for Tracing Intruders

ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
Holding intruders accountable on the Internet

SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays

Proceedings of the 10th ACM conference on Computer and communications security
Matching TCP Packets and Its Application to the Detection of Long Connection Chains on the Internet

AINA '05 Proceedings of the 19th International Conference on Advanced Information Networking and Applications - Volume 1
Detecting stepping stones

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
SSH: secure login connections over the internet

SSYM'96 Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6
Detecting long connection Chains of interactive terminal sessions

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Multiscale stepping-stone detection: detecting pairs of jittered interactive streams by exploiting maximum tolerable delay

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection

An efficient TCP/IP packet matching algorithm to detect stepping-stone intrusion

2009 Information Security Curriculum Development Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

Most network intruders launch their attacks through stepping-stones to reduce the risks of being discovered. To uncover such intrusions, one prevalent, challenging, and critical way is to detect a long interactive connection chain. TCP packet round-trip time (RTT) can be used to estimate the length of a connection chain. In this paper, we propose a Standard Deviation-Based Clustering (SDC) Algorithm to find RTTs. SDC takes advantage of the fact that the distribution of RTTs is concentrated on a small range to find RTTs. It outperforms other approaches in terms of packet matching-rate and matching-accuracy. We derive an upper-bound of the probability of making an incorrect selection of RTT through SDC. This paper includes some experimental results to compare SDC with other algorithms and discusses its restrictions as well.