Abstract
In this paper, we develop an algorithm that may be used as a stepping-stone detection tool. Our approach is based on analyzing correlations between the cumulative number of packets sent in outgoing connections and that of the incoming connections. We present a study of our method’s effectiveness with actual connections as well as simulations of time-jittering (introduction of inter-packet delay) and chaff (introduction of superfluous packets). Experimental results suggest that our algorithm works well in the following scenarios: (1) distinguishing connection chains that go through the same stepping stone host and carry traffic of users who perform similar operations at the same time; and (2) distinguishing a single connection chain from unrelated incoming and outgoing connections even in the presence of chaff. The result suggests that time-jittering will not diminish our method’s usefulness.
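A minimal sketch of the idea in the abstract, added here as an illustration and not the authors' algorithm: it samples the cumulative packet count of one incoming connection and of each candidate outgoing connection on a common time grid and ranks the candidates by correlation. The choice of Pearson correlation, the function names, and the packet timestamps (a relayed stream with jitter and chaff, and an unrelated stream) are all assumptions constructed for the example.

```python
from bisect import bisect_right
from math import sqrt

def cumulative_counts(timestamps, grid):
    """Number of packets seen at or before each grid time."""
    ts = sorted(timestamps)
    return [bisect_right(ts, t) for t in grid]

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0  # a silent connection gives no evidence either way
    return sxy / sqrt(sxx * syy)

def score_pairs(incoming, outgoing, step=1.0):
    """Correlate one incoming connection with each outgoing candidate.

    incoming: packet timestamps (seconds); outgoing: {name: timestamps}.
    """
    all_ts = list(incoming) + [t for ts in outgoing.values() for t in ts]
    start, end = min(all_ts), max(all_ts)
    grid = [start + i * step for i in range(int((end - start) / step) + 1)]
    cum_in = cumulative_counts(incoming, grid)
    return {name: pearson(cum_in, cumulative_counts(ts, grid))
            for name, ts in outgoing.items()}

def best_match(scores):
    # Cumulative counts are monotone, so every active pair scores high;
    # rank the candidates instead of applying a fixed threshold.
    return max(scores, key=scores.get)

def burst(start, stop, gap=0.5):
    """Constructed traffic: one packet every `gap` seconds in [start, stop)."""
    return [start + i * gap for i in range(int((stop - start) / gap))]

# Constructed sample data (not taken from the paper).
INCOMING = burst(0, 10) + burst(30, 40) + burst(60, 70)
JITTERED = [t + 0.1 * (i % 4) for i, t in enumerate(INCOMING)]  # up to 0.3 s delay
CHAFF = [2.5 + 5 * k for k in range(14)]                        # superfluous packets
OUTGOING = {
    "relay": JITTERED + CHAFF,
    "unrelated": burst(12, 28) + burst(42, 58),
}

if __name__ == "__main__":
    scores = score_pairs(INCOMING, OUTGOING)
    print(scores, "->", best_match(scores))
```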
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Huang, SH.S., Lychev, R., Yang, J. (2007). Stepping-Stone Detection Via Request-Response Traffic Analysis. In: Xiao, B., Yang, L.T., Ma, J., Muller-Schloer, C., Hua, Y. (eds) Autonomic and Trusted Computing. ATC 2007. Lecture Notes in Computer Science, vol 4610. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73547-2_29
DOI: https://doi.org/10.1007/978-3-540-73547-2_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73546-5
Online ISBN: 978-3-540-73547-2
eBook Packages: Computer Science, Computer Science (R0)