
Finding TCP Packet Round-Trip Time for Intrusion Detection: Algorithm and Analysis

  • Conference paper
Cryptology and Network Security (CANS 2006)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4301)

Abstract

Most network intruders launch their attacks through stepping-stones to reduce the risk of being discovered. To uncover such intrusions, one prevalent, challenging, and critical approach is to detect a long interactive connection chain. TCP packet round-trip time (RTT) can be used to estimate the length of a connection chain. In this paper, we propose a Standard Deviation-Based Clustering (SDC) algorithm to find RTTs. SDC exploits the fact that the RTTs of a connection are concentrated in a small range. It outperforms other approaches in terms of packet matching rate and matching accuracy. We derive an upper bound on the probability that SDC selects an incorrect RTT. The paper includes experimental results comparing SDC with other algorithms and discusses its restrictions as well.
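The abstract's key observation, that genuine send/echo RTTs of an interactive connection cluster in a narrow band while spurious send/echo pairings are spread out, can be illustrated with a small sketch. The code below is an added example, not the paper's SDC algorithm (whose details are not reproduced on this page); the timestamps are constructed, and the window-size rule, the tolerance and the choice of the minimum-standard-deviation window as the RTT cluster are assumptions made here for illustration only.

```python
"""Illustration of RTT estimation from send/echo timestamps for
connection-chain detection. Added example; this is NOT the paper's SDC
implementation. It only demonstrates the idea stated in the abstract:
candidate RTTs formed by pairing each keystroke (send) with every later
server packet (echo) are mostly spurious, but the true pairings fall in
a narrow band, so the tightest cluster of candidates identifies the RTT."""
from statistics import mean, pstdev

# Constructed sample: timestamps in seconds of client keystroke packets
# (sends) and of server packets (echoes) seen at one monitoring point.
SENDS = [0.000, 0.310, 0.620, 1.050, 1.400, 1.830, 2.100, 2.560]
# True echoes are send + ~0.120 s with a little jitter; the four noise
# packets are constructed server-initiated output matching no keystroke.
TRUE_ECHOES = [0.122, 0.427, 0.741, 1.174, 1.518, 1.950, 2.223, 2.679]
NOISE_ECHOES = [0.050, 0.700, 1.500, 2.300]
ECHOES = sorted(TRUE_ECHOES + NOISE_ECHOES)


def candidate_rtts(sends, echoes, max_rtt=0.5):
    """Every echo within (0, max_rtt] of a send is a candidate match.
    Returns (send_index, echo_time, candidate_rtt) tuples."""
    out = []
    for i, s in enumerate(sends):
        for e in echoes:
            d = e - s
            if 0 < d <= max_rtt:
                out.append((i, e, d))
    return out


def tightest_cluster(values, k):
    """Slide a window of k sorted values and return (mean, pstdev) of the
    window with the smallest population standard deviation. Ties go to
    the earliest window. Assumed clustering rule, for illustration."""
    vals = sorted(values)
    best = None
    for start in range(len(vals) - k + 1):
        window = vals[start:start + k]
        sd = pstdev(window)
        if best is None or sd < best[1]:
            best = (mean(window), sd)
    return best


def estimate_rtt(sends, echoes, max_rtt=0.5):
    """Pool all candidate RTTs and take the tightest cluster as the RTT.
    Window size of 3/4 of the sends (assumption) tolerates a few
    keystrokes whose echo was lost or fell outside max_rtt."""
    cands = candidate_rtts(sends, echoes, max_rtt)
    k = max(3, (3 * len(sends)) // 4)
    return tightest_cluster([d for _, _, d in cands], k)


def match_packets(sends, echoes, max_rtt=0.5):
    """Pair each send with the candidate echo whose RTT is closest to the
    estimate, within a tolerance derived from the cluster spread."""
    rtt, sd = estimate_rtt(sends, echoes, max_rtt)
    tol = max(4 * sd, 0.002)  # assumed tolerance rule
    matches = {}
    for i, e, d in candidate_rtts(sends, echoes, max_rtt):
        if abs(d - rtt) <= tol and (
            i not in matches or abs(d - rtt) < abs(matches[i][1] - rtt)
        ):
            matches[i] = (e, d)
    return rtt, {i: e for i, (e, _) in matches.items()}


def evaluate(sends, echoes, true_echoes, max_rtt=0.5):
    """Matching rate = fraction of sends that got a partner; matching
    accuracy = fraction of partners that are the true echo (ground truth
    is known here only because the sample was constructed)."""
    rtt, matches = match_packets(sends, echoes, max_rtt)
    rate = len(matches) / len(sends)
    acc = sum(1 for i, e in matches.items() if e == true_echoes[i]) / max(1, len(matches))
    return {"rtt": rtt, "matching_rate": rate, "matching_accuracy": acc}


if __name__ == "__main__":
    print(evaluate(SENDS, ECHOES, TRUE_ECHOES))
```

On the constructed sample the pooled candidates contain eight values between 0.117 and 0.124 s and eleven spurious ones spread between 0.05 and 0.47 s; the minimum-deviation window lands inside the tight band, and every keystroke is then paired with its true echo. Removing the tolerance or shrinking the window size shows how matching rate and accuracy, the two measures the abstract uses to compare SDC with other approaches, degrade when the band is chosen poorly.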


Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Yang, J., Lee, B., Zhang, Y. (2006). Finding TCP Packet Round-Trip Time for Intrusion Detection: Algorithm and Analysis. In: Pointcheval, D., Mu, Y., Chen, K. (eds) Cryptology and Network Security. CANS 2006. Lecture Notes in Computer Science, vol 4301. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11935070_21

  • DOI: https://doi.org/10.1007/11935070_21

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-49462-1

  • Online ISBN: 978-3-540-49463-8
