Practical network support for IP traceback
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Efficient packet marking for large-scale IP traceback
Proceedings of the 9th ACM conference on Computer and communications security
Finding a Connection Chain for Tracing Intruders
ESORICS '00 Proceedings of the 6th European Symposium on Research in Computer Security
Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework
IFIP/Sec '01 Proceedings of the IFIP TC11 Sixteenth Annual Working Conference on Information Security: Trusted Information: The New Decade Challenge
Holding intruders accountable on the Internet
SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Proceedings of the 10th ACM conference on Computer and communications security
The loop fallacy and serialization in tracing intrusion connections through stepping stones
Proceedings of the 2004 ACM symposium on Applied computing
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Hi-index | 0.00 |
In this paper, we develop an algorithm that may be used as a steppingstone detection tool. Our approach is based on analyzing correlations between the cumulative number of packets sent in outgoing connections and that of the incoming connections. We present a study of our method's effectiveness with actual connections as well as simulations of time-jittering (introduction of inter-packet delay) and chaff (introduction of superfluous packets). Experimental results suggest that our algorithm works well in the following scenarios: (1) distinguishing connection chains that go through the same stepping stone host and carry traffic of users who perform similar operations at the same time; and (2) distinguishing a single connection chain from unrelated incoming and outgoing connections even in the presence of chaff. The result suggests that timejittering will not diminish our method's usefulness.