Abstract
Locating the real source of Internet attacks has long been an important but difficult problem. In the real world, attackers can easily hide their identities and evade punishment by relaying their attacks through a series of compromised systems or devices, called stepping stones. Currently, researchers mainly detect stepping stones by looking for similar features in network traffic, such as packet timestamps and frequencies. However, attackers can easily destroy these features using evasive techniques. It is also difficult to choose an appropriate similarity threshold for deciding whether a host is a stepping stone. To counter these problems, in this paper we introduce the consistent causality probability to detect stepping stones. We formulate the ranges of abnormal causality probabilities according to different network conditions and, on that basis, implement two self-adaptive methods to capture stepping stones. To evaluate our proposed detection methods, we use theoretical analysis and empirical studies, which demonstrate the accuracy of the abnormal causality probability. Moreover, we compare our proposed methods with previous work. The results show that our methods significantly outperform previous work in the accuracy of detecting malicious stepping stones, even when attackers adopt evasive techniques.
© 2013 Springer International Publishing Switzerland
About this paper
Cite this paper
Wen, S., Li, P., Wu, D., Xiang, Y., Zhou, W. (2013). Detecting Stepping Stones by Abnormal Causality Probability. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds) Cyberspace Safety and Security. CSS 2013. Lecture Notes in Computer Science, vol 8300. Springer, Cham. https://doi.org/10.1007/978-3-319-03584-0_23
DOI: https://doi.org/10.1007/978-3-319-03584-0_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-03583-3
Online ISBN: 978-3-319-03584-0
eBook Packages: Computer Science, Computer Science (R0)