Abstract
Most network intruders launch their attacks through stepping-stones to reduce the risk of being discovered. One prevalent, challenging, and critical way to uncover such intrusions is to detect a long interactive connection chain. TCP packet round-trip time (RTT) can be used to estimate the length of a connection chain. In this paper, we propose a Standard Deviation-Based Clustering (SDC) algorithm to find RTTs. SDC exploits the fact that the distribution of RTTs is concentrated in a small range. It outperforms other approaches in terms of packet matching rate and matching accuracy. We derive an upper bound on the probability that SDC makes an incorrect selection of RTT. The paper includes experimental results comparing SDC with other algorithms and discusses its restrictions as well.
© 2006 Springer-Verlag Berlin Heidelberg
Yang, J., Lee, B., Zhang, Y. (2006). Finding TCP Packet Round-Trip Time for Intrusion Detection: Algorithm and Analysis. In: Pointcheval, D., Mu, Y., Chen, K. (eds) Cryptology and Network Security. CANS 2006. Lecture Notes in Computer Science, vol 4301. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11935070_21
DOI: https://doi.org/10.1007/11935070_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-49462-1
Online ISBN: 978-3-540-49463-8