Volume 27, Issue 2


Effective Algorithms to Detect Stepping-Stone Intrusion by Removing Outliers of Packet RTTs

Lixin Wang, Jianhua Yang, Michael Workman, Pengjun Wan
TSYS School of Computer Science, Columbus State University, Columbus, GA 31907, USA
Department of Computer Science, Illinois Institute of Technology, Chicago, IL 60616, USA

Abstract

An effective method to detect stepping-stone intrusion (SSI) is to estimate the length of a connection chain. This type of detection method is referred to as a network-based detection approach. Existing network-based SSI detection methods are either ineffective in the context of the Internet, because of the presence of outliers in the packet round-trip times (RTTs), or inefficient, because many packets must be captured and processed. Because of the high fluctuation introduced by intermediate routers on the Internet, the RTTs of the captured packets unavoidably contain outlier values. In this paper, we first propose an efficient algorithm that eliminates most of the possible RTT outliers from packets captured in the Internet environment. We then develop an efficient SSI detection algorithm that mines network traffic using an improved version of k-Means clustering. Our proposed SSI detection algorithm is accurate, effective, and efficient in the context of the Internet. Well-designed network experiments are conducted in the Internet environment to verify the effectiveness, correctness, and efficiency of the proposed algorithms. Our experiments show that the effective rate of the proposed SSI detection algorithm is higher than 85.7% in the context of the Internet.

Keywords: network security, intrusion detection, stepping-stone intrusion, round-trip time, k-Means clustering, connection chain

Publication history

Received: 22 April 2021
Revised: 08 May 2021
Accepted: 16 May 2021
Published: 29 September 2021
Issue date: April 2022

Copyright

© The author(s) 2022

Acknowledgements

This work was supported by the National Centers of Academic Excellence in Cybersecurity (NCAE-C) Grant (No. H98230-20-1-0293) from the National Security Agency with Columbus State University, Georgia, USA.

Rights and permissions

The articles published in this open access journal are distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).