
Detecting Long Connection Chains of Interactive Terminal Sessions

Conference paper in: Recent Advances in Intrusion Detection (RAID 2002)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2516)

Abstract

To elude detection and capture, hackers chain many computers together to attack the victim computer from a distance. This report proposes a new strategy for detecting suspicious remote sessions that are used as part of a long connection chain. Interactive terminal sessions behave differently on long chains than on direct connections. The time gap between a client request and the server's delayed acknowledgment estimates the round-trip time to the nearest server. Under the same conditions, the time gap between a client request and the server's echo reply provides information on how many hops downstream the final victim is located. By monitoring an outgoing connection for these two time gaps, echo-delay comparison can identify a suspicious session in isolation. Experiments confirm that echo-delay comparison applies to a range of situations and performs especially well in detecting outgoing connections with more than two hops downstream.
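The two time gaps the abstract describes, worked over a constructed packet trace. This is an added example, not code from the paper or its author: the `Packet` records, the pairing rule (the first server segment seen after a keystroke is taken as its acknowledgment, instead of checking TCP acknowledgment numbers), the two sample sessions and the 250 ms threshold are all assumptions made for illustration.

```python
"""Echo-delay comparison on a constructed packet trace (added example)."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    t: float        # capture timestamp in seconds
    direction: str  # "C2S" client -> nearest server, "S2C" server -> client
    payload: int    # TCP payload bytes; 0 means a pure acknowledgment


@dataclass(frozen=True)
class Gaps:
    ack_gap: float   # client request -> first server segment (pure ACK or piggybacked)
    echo_gap: float  # client request -> first server data segment (the echo)


def pair_requests(trace: List[Packet]) -> List[Gaps]:
    """Pair each client keystroke with the nearest server's first ACK and first echo.

    Assumption: in an interactive echo-mode session the first server segment
    after a keystroke acknowledges that keystroke. A real monitor would match
    on acknowledgment numbers instead.
    """
    gaps = []
    for i, p in enumerate(trace):
        if p.direction != "C2S" or p.payload == 0:
            continue
        t_ack: Optional[float] = None
        t_echo: Optional[float] = None
        for q in trace[i + 1:]:
            if q.direction == "C2S" and q.payload > 0:
                break  # next keystroke: stop pairing for this one
            if q.direction == "S2C":
                if t_ack is None:
                    t_ack = q.t
                if q.payload > 0:
                    t_echo = q.t
                    break
        if t_ack is not None and t_echo is not None:
            gaps.append(Gaps(t_ack - p.t, t_echo - p.t))
    return gaps


def session_delays(trace: List[Packet]) -> Optional[Tuple[float, float]]:
    """Median ACK gap (RTT to the nearest hop) and median echo gap (whole chain)."""
    gaps = pair_requests(trace)
    if not gaps:
        return None
    return median(g.ack_gap for g in gaps), median(g.echo_gap for g in gaps)


# Assumed threshold: chosen above the 200 ms delayed-ACK timer common in
# BSD-derived stacks, so a pure delayed ACK on a direct link is not flagged.
DELAY_THRESHOLD = 0.25


def is_suspicious(trace: List[Packet], threshold: float = DELAY_THRESHOLD) -> bool:
    """Flag a session whose echo lags its nearest-hop acknowledgment by more than threshold."""
    delays = session_delays(trace)
    if delays is None:
        return False
    ack_gap, echo_gap = delays
    return (echo_gap - ack_gap) >= threshold


def _session(keystrokes: List[Tuple[float, float, float]]) -> List[Packet]:
    """Build a constructed trace from (send time, ack delay, echo delay) tuples.

    When ack delay equals echo delay the ACK is piggybacked on the echo, so no
    pure ACK segment is emitted, mirroring a direct connection.
    """
    trace = []
    for t0, ack_delay, echo_delay in keystrokes:
        trace.append(Packet(t0, "C2S", 1))
        if ack_delay < echo_delay:
            trace.append(Packet(round(t0 + ack_delay, 3), "S2C", 0))
        trace.append(Packet(round(t0 + echo_delay, 3), "S2C", 1))
    return trace


# Constructed sample sessions (not captured data).
# Direct connection: echo returns within ~20 ms and carries the ACK.
DIRECT_TRACE = _session([(0.0, 0.021, 0.021), (0.5, 0.023, 0.023),
                         (1.1, 0.019, 0.019), (1.4, 0.025, 0.025),
                         (2.0, 0.022, 0.022)])
# Long chain: nearest hop sends a delayed ACK (~90-210 ms), echo takes ~600 ms.
CHAINED_TRACE = _session([(0.0, 0.15, 0.61), (0.5, 0.09, 0.62),
                          (1.1, 0.21, 0.63), (1.4, 0.12, 0.59),
                          (2.0, 0.18, 0.62)])

if __name__ == "__main__":
    for name, trace in (("direct", DIRECT_TRACE), ("chained", CHAINED_TRACE)):
        ack_gap, echo_gap = session_delays(trace)
        print(f"{name}: ack={ack_gap:.3f}s echo={echo_gap:.3f}s "
              f"suspicious={is_suspicious(trace)}")
```

The median is used rather than the mean so a single stalled keystroke does not swing the estimate; the difference between the two gaps, not the echo gap alone, is what separates a chained session from a merely distant server, because the ACK gap already absorbs the nearest hop's round-trip time.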




Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

Cite this paper

Yung, K.H. (2002). Detecting Long Connection Chains of Interactive Terminal Sessions. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_1

  • DOI: https://doi.org/10.1007/3-540-36084-0_1
  • Publisher Name: Springer, Berlin, Heidelberg
  • Print ISBN: 978-3-540-00020-4
  • Online ISBN: 978-3-540-36084-1
