Detecting Stepping Stones by Abnormal Causality Probability

  • Conference paper
Cyberspace Safety and Security (CSS 2013)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8300)

Abstract

Locating the real source of Internet attacks has long been an important but difficult problem. In the real world, attackers can easily hide their identities and evade punishment by relaying their attacks through a series of compromised systems or devices, called stepping stones. Currently, researchers mainly use similar features from the network traffic, such as packet timestamps and frequencies, to detect stepping stones. However, these features can be easily destroyed by attackers using evasive techniques. In addition, it is difficult to implement an appropriate threshold of similarity which can help justify the stepping stones. To counter these problems, in this paper we introduce the consistent causality probability to detect stepping stones. We formulate the ranges of abnormal causality probabilities according to the different network conditions, and on this basis we further implement two self-adaptive methods to capture stepping stones. To evaluate our proposed detection methods, we adopt theoretical analysis and empirical studies, which demonstrate the accuracy of the abnormal causality probability. Moreover, we compare our proposed methods with previous works. The results show that the methods in this paper significantly outperform previous works in the accuracy of detecting malicious stepping stones, even when evasive techniques are adopted by attackers.

Copyright information

© 2013 Springer International Publishing Switzerland

About this paper

Cite this paper

Wen, S., Li, P., Wu, D., Xiang, Y., Zhou, W. (2013). Detecting Stepping Stones by Abnormal Causality Probability. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds) Cyberspace Safety and Security. CSS 2013. Lecture Notes in Computer Science, vol 8300. Springer, Cham. https://doi.org/10.1007/978-3-319-03584-0_23

  • DOI: https://doi.org/10.1007/978-3-319-03584-0_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-03583-3

  • Online ISBN: 978-3-319-03584-0

  • eBook Packages: Computer Science, Computer Science (R0)
