An Effective Approach for Stepping-Stone Intrusion Detection Using Packet Crossover

  • Conference paper
Information Security Applications (WISA 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13720)

Abstract

An effective approach for stepping-stone intrusion detection (SSID) is to estimate the length of a connection chain; this is referred to as the network-based detection approach. In this paper, we propose an effective network-based approach for SSID using packet crossover. Existing network-based approaches for SSID are either not effective or not efficient, as they require a large number of TCP packets to be captured and processed. Some other existing network-based approaches do not work effectively when the fluctuation of the packets’ RTTs is large, and they require the length of a connection chain to be pre-determined; these detection methods therefore have very limited performance. Our proposed algorithm for SSID using packet crossover can effectively determine the length of a downstream connection chain without any prior assumption about that length and without requiring a large number of TCP packets to be captured and processed, and is thus more efficient. Since the number of packet crossovers can be easily calculated, our proposed detection method is easy to use and implement. The effectiveness, correctness and efficiency of our proposed algorithm for SSID are verified through well-designed network experiments.

Acknowledgment

This work of Drs. Lixin Wang and Jianhua Yang is supported by the National Security Agency NCAE-C Research Grant (H98230-20-1-0293) with Columbus State University, Georgia, USA.

Author information

Corresponding author

Correspondence to Lixin Wang.

Copyright information

© 2023 Springer Nature Switzerland AG

About this paper

Cite this paper

Wang, L., Yang, J., Lee, A. (2023). An Effective Approach for Stepping-Stone Intrusion Detection Using Packet Crossover. In: You, I., Youn, TY. (eds) Information Security Applications. WISA 2022. Lecture Notes in Computer Science, vol 13720. Springer, Cham. https://doi.org/10.1007/978-3-031-25659-2_6

  • DOI: https://doi.org/10.1007/978-3-031-25659-2_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25658-5

  • Online ISBN: 978-3-031-25659-2

  • eBook Packages: Computer Science, Computer Science (R0)