The synchronization of periodic routing messages
IEEE/ACM Transactions on Networking (TON)
Wide area traffic: the failure of Poisson modeling
IEEE/ACM Transactions on Networking (TON)
Holding intruders accountable on the Internet
SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
Bro: a system for detecting network intruders in real-time
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Sleepy watermark tracing: an active network-based intrusion response framework
Sec '01 Proceedings of the 16th international conference on Information security: Trusted information: the new decade challenge
Hordes: a multicast based protocol for anonymity
Journal of Computer Security
Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones
ESORICS '02 Proceedings of the 7th European Symposium on Research in Computer Security
Providing Process Origin Information to Aid in Network Traceback
ATEC '02 Proceedings of the General Track of the annual conference on USENIX Annual Technical Conference
Internet intrusions: global characteristics and prevalence
SIGMETRICS '03 Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Performance debugging for distributed systems of black boxes
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Proceedings of the 10th ACM conference on Computer and communications security
The loop fallacy and serialization in tracing intrusion connections through stepping stones
Proceedings of the 2004 ACM symposium on Applied computing
The session token protocol for forensics and traceback
ACM Transactions on Information and System Security (TISSEC)
HMM profiles for network traffic classification
Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
Payload attribution via hierarchical bloom filters
Proceedings of the 11th ACM conference on Computer and communications security
The OSU Flow-tools Package and CISCO NetFlow Logs
LISA '00 Proceedings of the 14th USENIX conference on System administration
A real-time algorithm to detect long connection chains of interactive terminal sessions
InfoSecu '04 Proceedings of the 3rd international conference on Information security
Providing process origin information to aid in computer forensic investigations
Journal of Computer Security
Tracking anonymous peer-to-peer VoIP calls on the internet
Proceedings of the 12th ACM conference on Computer and communications security
Secure coprocessor-based intrusion detection
EW 10 Proceedings of the 10th workshop on ACM SIGOPS European workshop
Mitigating denial of service attacks: a tutorial
Journal of Computer Security
Semi-automated discovery of application session structure
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Using visual motifs to classify encrypted traffic
Proceedings of the 3rd international workshop on Visualization for computer security
A privacy-preserving interdomain audit framework
Proceedings of the 5th ACM workshop on Privacy in electronic society
An effective defense against email spam laundering
Proceedings of the 13th ACM conference on Computer and communications security
Journal of Parallel and Distributed Computing - Special issue: Security in grid and distributed systems
BINDER: an extrusion-based break-in detector for personal computers
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
On Inferring Application Protocol Behaviors in Encrypted Network Traffic
The Journal of Machine Learning Research
Revealing botnet membership using DNSBL counter-intelligence
SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
Timing analysis of keystrokes and timing attacks on SSH
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Collapsar: a VM-based architecture for network attack detention center
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Timing analysis of keystrokes and timing attacks on SSH
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
International Journal of Security and Networks
SRUTI'07 Proceedings of the 3rd USENIX workshop on Steps to reducing unwanted traffic on the internet
Language identification of encrypted VoIP traffic: Alejandra y Roberto or Alice and Bob?
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
What's going on?: learning communication rules in edge networks
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Online Tracing Scanning Worm with Sliding Window
Information Security and Cryptology
Detecting Stepping-Stone Intrusion and Resisting Evasion through TCP/IP Packets Cross-Matching
ATC '08 Proceedings of the 5th international conference on Autonomic and Trusted Computing
A First Step towards Live Botmaster Traceback
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Thwarting E-mail Spam Laundering
ACM Transactions on Information and System Security (TISSEC)
Multi-flow attacks against network flow watermarking schemes
SS'08 Proceedings of the 17th conference on Security symposium
Efficient on-demand operations in dynamic distributed infrastructures
LADIS '08 Proceedings of the 2nd Workshop on Large-Scale Distributed Systems and Middleware
De-anonymizing the internet using unreliable IDs
Proceedings of the ACM SIGCOMM 2009 conference on Data communication
Neural networks-based detection of stepping-stone intrusion
Expert Systems with Applications: An International Journal
Detecting long connection Chains of interactive terminal sessions
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Network-based real-time connection traceback system (NRCTS) with packet marking technology
ICCSA'03 Proceedings of the 2003 international conference on Computational science and its applications: PartII
The NIDS cluster: scalable, stateful network intrusion detection on commodity hardware
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
A performance analysis of authentication using covert timing channels
NETWORKING'08 Proceedings of the 7th international IFIP-TC6 networking conference on AdHoc and sensor networks, wireless networks, next generation internet
Distributed detection of multi-hop information flows with fusion capacity constraints
IEEE Transactions on Signal Processing
Evading stepping-stone detection under the cloak of streaming media with SNEAK
Computer Networks: The International Journal of Computer and Telecommunications Networking
Differentially-private network trace analysis
Proceedings of the ACM SIGCOMM 2010 conference
On the secrecy of spread-spectrum flow watermarks
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Packet scheduling against stepping-stone attacks with chaff
MILCOM'06 Proceedings of the 2006 IEEE conference on Military communications
An efficient TCP/IP packet matching algorithm to detect stepping-stone intrusion
2009 Information Security Curriculum Development Conference
Privacy-preserving network forensics
Communications of the ACM
Challenges in experimenting with botnet detection systems
CSET'11 Proceedings of the 4th conference on Cyber security experimentation and test
"Mix-in-Place" anonymous networking using secure function evaluation
Proceedings of the 27th Annual Computer Security Applications Conference
Exposing invisible timing-based traffic watermarks with BACKLIT
Proceedings of the 27th Annual Computer Security Applications Conference
An interval centroid based spread spectrum watermarking scheme for multi-flow traceback
Journal of Network and Computer Applications
Resistance analysis to intruders' evasion of detecting intrusion
ISC'06 Proceedings of the 9th international conference on Information Security
Scope of forensics in grid computing – vision and perspectives
ISPA'06 Proceedings of the 2006 international conference on Frontiers of High Performance Computing and Networking
An effective method for analyzing intrusion situation through IP-Based classification
ICCSA'05 Proceedings of the 2005 international conference on Computational Science and Its Applications - Volume Part II
PDCAT'04 Proceedings of the 5th international conference on Parallel and Distributed Computing: applications and Technologies
Resistance analysis to intruders’ evasion of a novel algorithm to detect stepping-stone
ATC'06 Proceedings of the Third international conference on Autonomic and Trusted Computing
Constructing correlations in attack connection chains using active perturbation
AAIM'05 Proceedings of the First international conference on Algorithmic Applications in Management
Intrusion detection: introduction to intrusion detection and security information management
Foundations of Security Analysis and Design III
Improved thumbprint and its application for intrusion detection
ICCNMC'05 Proceedings of the Third international conference on Networking and Mobile Computing
Constructing correlations of perturbed connections under packets loss and disorder
ICCNMC'05 Proceedings of the Third international conference on Networking and Mobile Computing
Interval-based flow watermarking for tracing interactive traffic
Computer Networks: The International Journal of Computer and Telecommunications Networking
Rate-Based watermark traceback: a new approach
ISPEC'10 Proceedings of the 6th international conference on Information Security Practice and Experience
Probabilistic proof of an algorithm to compute TCP packet round-trip time for intrusion detection
ACNS'06 Proceedings of the 4th international conference on Applied Cryptography and Network Security
Language modeling and encryption on packet switched networks
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
Finding TCP packet round-trip time for intrusion detection: algorithm and analysis
CANS'06 Proceedings of the 5th international conference on Cryptology and Network Security
New attacks on timing-based network flow watermarks
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Stepping-stone detection via request-response traffic analysis
ATC'07 Proceedings of the 4th international conference on Autonomic and Trusted Computing
New opportunities for load balancing in network-wide intrusion detection systems
Proceedings of the 8th international conference on Emerging networking experiments and technologies
BotMosaic: Collaborative network watermark for the detection of IRC-based botnets
Journal of Systems and Software
SIMPLE-fying middlebox policy enforcement using SDN
Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
A novel sequential watermark detection model for efficient traceback of secret network attack flows
Journal of Network and Computer Applications
Hi-index | 0.02 |
One widely-used technique by which network attackers attain anonymity and complicate their apprehension is by employing stepping stones: they launch attacks not from their own computer but from intermediary hosts that they previously compromised. We develop an efficient algorithm for detecting stepping stones by monitoring a site's Internet access link. The algorithm is based on the distinctive characteristics (packet size, timing) of interactive traffic, and not on connection contents, and hence can be used to find stepping stones even when the traffic is encrypted. We evaluate the algorithm on large Internet access traces and find that it performs quite well. However, the success of the algorithm is tempered by the discovery that large sites have many users who routinely traverse stepping stones for a variety of legitimate reasons. Hence, stepping-stone detection also requires a significant policy component for separating allowable stepping-stone pairs from surreptitious access.