Home Tsinghua Science and Technology Article
PDF (1.3 MB)
Cite
EndNote(RIS) BibTeX
Collect
Submit Manuscript
Open Access

Effective Algorithms to Detect Stepping-Stone Intrusion by Removing Outliers of Packet RTTs

TSYS School of Computer Science, Columbus State University, Columbus, GA 31907, USA
Department of Computer Science, Illinois Institute of Technology, Chicago, IL 60616, USA
Show Author Information

Abstract

An effective method to detect stepping-stone intrusion (SSI) is to estimate the length of a connection chain. This type of detection method is referred to as a network-based detection approach. Existing network-based SSI detection methods are either ineffective in the context of the Internet because of the presence of outliers in the packet round-trip times (RTTs) or inefficient, as many packets must be captured and processed. Because of the high fluctuation caused by the intermediate routers on the Internet, it is unavoidable that the RTTs of the captured packets contain outlier values. In this paper, we first propose an efficient algorithm to eliminate most of the possible RTT outliers of the packets captured in the Internet environment. We then develop an efficient SSI detection algorithm by mining network traffic using an improved version of k-Means clustering. Our proposed detection algorithm for SSI is accurate, effective, and efficient in the context of the Internet. Well-designed network experiments are conducted in the Internet environment to verify the effectiveness, correctness, and efficiency of our proposed algorithms. Our experiments show that the effective rate of our proposed SSI detection algorithm is higher than 85.7% in the context of the Internet.

Keywords

network securityintrusion detectionstepping-stone intrusionround-trip timek-Means clusteringconnection chain

References

[1]
A. Blum, D. Song, and S. Venkataraman, Detection of interactive stepping-stones: Algorithms and confidence bounds, in Proceedings of International Symposium on Recent Advance in Intrusion Detection (RAID), Sophia Antipolis, France, 2004, pp. 20-35.
Crossref
[2]
B. Mathew, UNIX security: Threats and solutions, in Proc. of Invited Talk Given at the 1995 System Administration, Networking, and Security Conference, Washington, DC, USA, 1995, pp. 6-36.
Crossref
[3]
Y. Chen and S. Wang, A novel network flow watermark embedding model for efficient detection of stepping-stone intrusion based on entropy, in Proceedings of the International Conference on e-Learning, e-Business, Enterprise Information Systems, and e-Government, Las Vegas, NV, USA, 2016.
[4]
Y. Zhang and V. Paxson, Detecting stepping-stones, in Proc. of the 9th USENIX Security Symposium, Denver, CO, USA, 2000, pp. 67-81.
[5]
D. Bhattacherjee, Stepping-stone detection for tracing attack sources in software-defined networks, in Degree Project in Electrical Engineering, Stockholm, Sweden, 2016.
[6]
D. Donoho, A. Flesia, U. Shankar, V. Paxson, J. Coit, and S. Staniford, Multiscale stepping-stone detection: Detecting pairs of jittered interactive streams by exploiting maximum tolerable delay, in Proc. of the 5th International Symposium on Recent Advances in Intrusion Detection, Lecture Notes in Computer Science, Zurich, Switzerland, 2002.
Crossref
[7]
X. Wang and D. Reeves, Robust correlation of encrypted attack traffic through stepping-stones by flow watermarking, IEEE Transactions on Depend-able and Secure Computing, vol. 8, no. 3, pp. 434-449, 2011.
Crossref Google Scholar
[8]
S. Staniford-Chen, and L. T. Heberlein, Holding intruders accountable on the internet, in Proc. of IEEE Symposium on Security and Privacy, Oakland, CA, USA, 1995, pp. 39-49.
[9]
W. Ding, M. J. Hausknecht, S.-H. S. Huang, and Z. Riggle, Detecting stepping-stone intruders with long connection chains, in Proc. of the Fifth International Conference on Information Assurance and Security, Zurich, Switzerland, 2009.
Crossref
[10]
J. Yang, B. Lee, S. S.-H. Huang, Monitoring network traffic to detect stepping-stone intrusion, in Proc. of the 22nd IEEE International Conference on Advanced Information Networking and Applications (AINA 2008), Okinawa, Japan, 2008, pp. 56-61.
Crossref
[11]
S. S.-H Huang, H. Zhang, and M. Phay, Detecting stepping-stone intruders by identifying crossover packets in ssh connections, in Proc. of the 30th IEEE International Conference on Advanced Information Networking and Applications, Fukuoka, Japan, 2016, pp. 1043-1050.
Crossref
[12]
S. S.-H. Huang, R. Lychev, and J. Yang, Stepping-stone detection via request-response traffic analysis, in Proc. of the 4th IEEE International Conference on Automatic and Trusted Computing, Hong Kong, China, 2007, pp. 276-285.
Crossref
[13]
K. Yoda, H. Etoh, Finding connection chain for tracing intruders, in Proc. of the 6th European Symposium on Research in Computer Security, Toulouse, France, 2000, pp. 31-42.
Crossref
[14]
J. Yang, S.-H. S. Huang, and M. D. Wan, A clustering-partitioning algorithm to find TCP packet round-trip time for intrusion detection, in Proc. of the 20th International Conference on Advanced Information Networking and Applications-Volume 1 (AINA’06), Vienna, Austria, 2006, pp. 231-236.
Crossref
[15]
L. Wang and J. Yang, A research survey in stepping-stone intrusion detection, EURASIP Journal on Wireless Communications and Networking, vol. 276, pp. 1-15, 2018.
Crossref Google Scholar
[16]
K. H. Yung, Detecting long connecting chains of interactive terminal sessions, in Proc. of International Symposium on Recent Advance in Intrusion Detection (RAID), Zurich, Switzerland, 2002, pp. 1-16.
Crossref
[17]
J. Yang and S.-H. S. Huang, A real-time algorithm to detect long connection chains of interactive terminal sessions, in Proceedings of the 3rd ACM International Conference on Information Security (Infosecu’04), Shanghai, China, 2004, pp. 198-203.
Crossref
[18]
J. Yang and S.-H. S. Huang, Matching TCP packets and its application to the detection of long connection chains, in Proceedings of the 19th IEEE International Conference on Advanced Information Networking and Applications (AINA’05), Taipei, China, 2005, pp. 1005-1010.
[19]
J. Yang and S. S.-H. Huang, Mining TCP/IP packets to detect stepping-stone intrusion, Journal of Computers and Security, vol. 26, nos. 7&8, pp. 479-484, 2007.
Crossref Google Scholar
[20]
L. Wang, J. Yang, M. Mccormick, P.-J. Wan, and X. Xu, Detect stepping-stone intrusion by mining network traffic using k-means clustering, in Proc. of 2020 IEEE 39th International Performance Computing and Communications Conference (IPCCC), Austin, TX, USA, 2020, pp. 1-8, .
Crossref
[21]
M. H. Haghighat and J. Li, Intrusion detection system using voting-based neural network, Tsinghua Science and Technology, vol. 26, no. 4, pp. 484-495, 2021.
Crossref Google Scholar
[22]
W. Zhong, N. Yu, and C. Ai, Applying big data based deep learning system to intrusion detection, Big Data Mining and Analytics, vol. 3, no. 3, 181-195, 2020.
Crossref Google Scholar
[23]
A. Guezzaz, Y. Asimi, M. Azrour, and A. Asimi, Mathematical validation of proposed machine learning classifier for heterogeneous traffic and anomaly detection, Big Data Mining and Analytics, vol. 4, no. 1, 18-24, 2021.
Crossref Google Scholar
[24]
Z. Cai, Z. He, X. Guan, and Y. Li, Collective data-sanitization for preventing sensitive information inference attacks in social networks, IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 4, pp. 577-590, 2016.
Crossref Google Scholar
[25]
K. Xu, F. Wang, H. Wang, and B. Yang, Detecting fake news over online social media via domain reputations and content understanding, Tsinghua Science and Technology, vol. 25, no. 1, pp. 20-27, 2019.
Crossref Google Scholar
[26]
Z. Cai and X. Zheng, A private and efficient mechanism for data uploading in smart cyber-physical systems, IEEE Transactions on Network Science and Engineering, vol. 7, no. 2, pp. 766-775, 2018.
Crossref Google Scholar
[27]
X. Zheng and Z. Cai, Privacy-preserved data sharing towards multiple parties in industrial IoTs, IEEE Journal on Selected Areas in Communications, vol. 38, no. 5, pp. 968-979, 2020.
Crossref Google Scholar
[28]
Z. Cai and Z. He, Trading private range counting over big IoT data, in Proc. of the 39th IEEE International Conference on Distributed Computing Systems (ICDCS), IEEE, Dallas, TX, USA, 2019, pp. 144-153.
Crossref
[29]
S. Haas, Security monitoring and alert correlation for network intrusion detection. PhD dissertation, Staatsund Universitätsbibliothek Hamburg Carl von Ossietzky, Hamburg, Germany, 2020.
[30]
H. Clausen, S. G. Michael, and D. Aspinall, Evading stepping-stone detection with enough chaff, in Network and System Security, 2020, pp. 431-446.
Crossref
[31]
V. Paxson, S. Floyd, Wide-area traffic: The failure of Poisson modeling, IEEE/ACM Transactions on Networking, vol. 3, no. 3, pp. 226-244, 1995.
Crossref Google Scholar
[32]
T. Kanungo, D. M. Mount, N. S. Netanyahu, C. D. Piatko, R. Silverman, and A. Y. Wu, An efficient k-means clustering algorithm: Analysis and implementation, IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 24, no. 7, pp. 881-892, 2002.
Crossref Google Scholar
Tsinghua Science and Technology
Volume 27 Issue 2,
April 2022
Pages 432-442
DOI: 10.26599/TST.2021.9010041
Cite this article:
Wang L, Yang J, Workman M, et al. Effective Algorithms to Detect Stepping-Stone Intrusion by Removing Outliers of Packet RTTs. Tsinghua Science and Technology, 2022, 27(2): 432-442. https://doi.org/10.26599/TST.2021.9010041
Metrics & Citations  
Article History
Copyright
Rights and Permissions
Return