Stepping-stone detection via request-response traffic analysis

Authors:
Shou-Husan Stephen Huang;Robert Lychev;Jianhua Yang
Affiliations:
Department of Computer Science, University of Houston, Houston, TX;Department of Computer Science, University of Massachusetts Amherst, Amherst, MA;Department of Mathematics & Computer Science, Bennett College, Greensboro, NC
Venue:
ATC'07 Proceedings of the 4th international conference on Autonomic and Trusted Computing
Year:
2007

Citing 9
Cited 0

Practical network support for IP traceback

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Efficient packet marking for large-scale IP traceback

Proceedings of the 9th ACM conference on Computer and communications security
Finding a Connection Chain for Tracing Intruders

ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework

IFIP/Sec '01 Proceedings of the IFIP TC11 Sixteenth Annual Working Conference on Information Security: Trusted Information: The New Decade Challenge
Holding intruders accountable on the Internet

SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays

Proceedings of the 10th ACM conference on Computer and communications security
The loop fallacy and serialization in tracing intrusion connections through stepping stones

Proceedings of the 2004 ACM symposium on Applied computing
Detecting stepping stones

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Multiscale stepping-stone detection: detecting pairs of jittered interactive streams by exploiting maximum tolerable delay

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we develop an algorithm that may be used as a steppingstone detection tool. Our approach is based on analyzing correlations between the cumulative number of packets sent in outgoing connections and that of the incoming connections. We present a study of our method's effectiveness with actual connections as well as simulations of time-jittering (introduction of inter-packet delay) and chaff (introduction of superfluous packets). Experimental results suggest that our algorithm works well in the following scenarios: (1) distinguishing connection chains that go through the same stepping stone host and carry traffic of users who perform similar operations at the same time; and (2) distinguishing a single connection chain from unrelated incoming and outgoing connections even in the presence of chaff. The result suggests that timejittering will not diminish our method's usefulness.