Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones

Wang, Xinyuan; Reeves, Douglas S.; Wu, S. Felix

doi:10.1007/3-540-45853-0_15

Xinyuan Wang⁶,
Douglas S. Reeves^6,7 &
S. Felix Wu⁸

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2502))

Included in the following conference series:

European Symposium on Research in Computer Security

694 Accesses
42 Citations

Abstract

Network based intrusions have become a serious threat to the users of the Internet. Intruders who wish to attack computers attached to the Internet frequently conceal their identity by staging their attacks through intermediate “stepping stones”. This makes tracing the source of the attack substantially more difficult, particularly if the attack traffic is encrypted. In this paper, we address the problem of tracing encrypted connections through stepping stones. The incoming and outgoing connections through a stepping stone must be correlated to accomplish this. We propose a novel correlation scheme based on inter-packet timing characteristics of both encrypted and unencrypted connections. We show that (after some filtering) inter-packet delays (IPDs) of both encrypted and unencrypted, interactive connections are preserved across many router hops and stepping stones. The effectiveness of this method for correlation purposes also requires that timing characteristics be distinctive enough to identify connections. We have found that normal interactive connections such as telnet, SSH and rlogin are almost always distinctive enough to provide correct correlation across stepping stones. The number of packets needed to correctly correlate two connections is also an important metric, and is shown to be quite modest for this method.

This work was supported by AFOSR contract F49620-99-1-0264 and by DARPA contract F30602-99-1-0540. The views and conclusions contained herein are those of the authors.

Download to read the full chapter text

Chapter PDF

Modeling Network Traffic via Identifying Encrypted Packets to Detect Stepping-Stone Intrusion Under the Framework of Heterogonous Packet Encryption

A research survey in stepping-stone intrusion detection

Article Open access 04 December 2018

Identify Encrypted Packets to Detect Stepping-Stone Intrusion

Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

M. H. DeGroot. Probability and Statistics. Addison-Wesley, 1989.
Google Scholar
H. Jung, et al. Caller Identification System in the Internet Environment. In Proceedings of 4th USENIX Security Symposium, 1993.
Google Scholar
S. Kent, R. Atkinson. Security Architecture for the Internet Protocol. IETF RFC 2401, September 1998.
Google Scholar
S. C. Lee and C. Shields. Tracing the Source of Network Attack: A Technical, Legal and Social Problem. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, June 2000.
Google Scholar
NLANR Trace Archive. http://pma.nlanr.net/Traces/long/.
OpenSSH. http://www.openssh.com.
D. Schnackenberg. Dynamic Cooperating Boundary Controllers. http://www.darpa.mil/ito/Summaries97/E2950.html, Boeing Defense and Space Group, March 1998.
S. Snapp, et all. DID S (Distributed Intrusion Detection System)-Motivation, Architecture and Early Prototype. In Proceedings of 14th National Computer Security Conference, 1991.
Google Scholar
S. Staniford-Chen, L. T. Heberlein. Holding Intruders Accountable on the Internet. In Proceedings of IEEE Symposium on Security and Privacy, 1995.
Google Scholar
W.R. Stevens. TCP/IP Illustrated, Volume 1: The Protocol. Addison-Wesley, 1994.
Google Scholar
X.Y. Wang, D.S. Reeves, S.F. Wu and J. Yuill. Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework. In Proceedings of 16th International Conference on Information Security (IFIP/Sec’01), June, 2001.
Google Scholar
K. Yoda and H. Etoh. Finding a Connection Chain for Tracing Intruders. In F. Guppens, Y. Deswarte, D. Gollmann and M. Waidner, editors, 6th European Symposium on Research in Computer Security-ESORICS 2000 LNCS-1895, Toulouse, France, October 2000.
Google Scholar
Y. Zhang and V. Paxson. Detecting Stepping Stones. In Proceedings of 9th USENIX Security Symposium, 2000.
Google Scholar

Download references

Author information

Authors and Affiliations

Department of Computer Science, USA
Xinyuan Wang & Douglas S. Reeves
Department of Electrical and Computer Engineering, North Carolina State University, USA
Douglas S. Reeves
Department of Computer Science, University of California at Davis, USA
S. Felix Wu

Authors

Xinyuan Wang
View author publications
You can also search for this author in PubMed Google Scholar
Douglas S. Reeves
View author publications
You can also search for this author in PubMed Google Scholar
S. Felix Wu
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Microsoft Research, 7 J J Thomson Avenue, Cambridge, CB3 0FB, UK
Dieter Gollmann
IBM Zurich Research Lab, Säumerstr. 4, 8803, Rüschlikon, Switzerland
Günther Karjoth & Michael Waidner &

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Wang, X., Reeves, D.S., Wu, S.F. (2002). Inter-Packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones. In: Gollmann, D., Karjoth, G., Waidner, M. (eds) Computer Security — ESORICS 2002. ESORICS 2002. Lecture Notes in Computer Science, vol 2502. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45853-0_15

Download citation

DOI: https://doi.org/10.1007/3-540-45853-0_15
Published: 26 September 2002
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44345-2
Online ISBN: 978-3-540-45853-1
eBook Packages: Springer Book Archive

Publish with us

Policies and ethics