Stepping-stone attacks in network intrusion detection are attackers who use a sequence of stepping-stone hosts to initiate attacks in order to hide their origins. The goal of this paper is to find algorithms to correctly detect the attacks and have the ability to tolerate the clock skew or/and chaff while exhibiting low time complexity. We propose three novel algorithms for detecting correlation and similarity of two connections not only into and out of a single stepping stone host (consecutive streams), but also across multiple stepping-stone hosts. To evaluate the accuracy and efficiency, we conduct extensive experiments. We also evaluate how chaff packets and clock skew may affect these methods. We present a comparison of the algorithms in terms of false rates of detection, and identify one of the approaches that can efficiently achieve good performance under a variety of circumstances.