27 research outputs found

    Detecting Encrypted Stepping-Stone Connections


    A quick-response real-time stepping stone detection scheme

    Stepping stone attacks are often used by network intruders to hide their identities. To detect and block stepping stone attacks, a stepping stone detection scheme should be able to correctly identify a stepping stone in a very short time and in real time. However, the majority of past research has failed to indicate how long or how many packets it takes for the monitor to detect a stepping stone. In this paper, we propose a novel quick-response real-time stepping stone detection scheme which is based on packet delay properties. Our experiments show that it can identify a stepping stone within 20 seconds which includes false positives and false negatives of less than 3%.

    Stepping-stone detection technique for recognizing legitimate and attack connections

    A stepping-stone connection has always been assumed to be an intrusion since the first research on stepping-stone connections twenty years ago. However, not all stepping-stone connections are malicious. This paper proposes an enhanced stepping-stone detection (SSD) technique which is capable of identifying legitimate connections from stepping-stone connections. Stepping-stone connections are identified from raw network traffic using a timing-based SSD approach. Then, they go through an anomaly detection technique to differentiate between legitimate and attack connections. This technique is a promising solution for accurately detecting intrusions from stepping-stone connections. It will prevent incorrect responses that punish legitimate users.

    The Flow Fingerprinting Game

    Linking two network flows that have the same source is essential in intrusion detection or in tracing anonymous connections. To improve the performance of this process, the flow can be modified (fingerprinted) to make it more distinguishable. However, an adversary located in the middle can modify the flow to impair the correlation by delaying the packets or introducing dummy traffic. We introduce a game-theoretic framework for this problem, that is used to derive the Nash Equilibrium. As obtaining the optimal adversary delays distribution is intractable, some approximations are done. We study the concrete example where these delays follow a truncated Gaussian distribution. We also compare the optimal strategies with other fingerprinting schemes. The results are useful for understanding the limits of flow correlation based on packet timings under an active attacker. Comment: Workshop on Information Forensics and Securit

    Approach for solving active perturbation attack problem in stepping stone detection.

    Stepping stone is one of the hidden tracking techniques used by an intruder to hide its tracks. For more than a decade, researchers have focused on enhancing the Stepping Stone Detection (SSD) approaches in order to accurately identify a compromised host using stepping stones to attack. In addition, Active Perturbation Attacks (APA) such as delays, dropped packets and chaffs threaten the SSD approaches. Today, among the types of APAs, chaffs, delays and packet drops are very significant.

    Packet Scheduling Against Stepping-Stone Attacks with Chaff


    Backdoor attack detection based on stepping stone detection approach

    Network intruders usually use a series of hosts (stepping stones) to conceal the tracks of their intrusion in the network. This type of intrusion can be detected through an approach called Stepping Stone Detection (SSD). In the past years, SSD was confined to the detection of only this type of intrusion. In this dissertation, we consider the use of SSD concepts in the field of backdoor attack detection. The application of SSD in this field results in many advantages. First, the use of SSD makes the backdoor attack detection and the scan process time faster. Second, this technique detects all types of backdoor attack, both known and unknown, even if the backdoor attack is encrypted. Third, this technique reduces the large storage resources used by traditional antivirus tools in detecting backdoor attacks. This study contributes to the field by extending the application of SSD-based techniques, which are usually used in SSD-based environments only, into backdoor attack detection environments. Through an experiment, the accuracy of SSD-based backdoor attack detection is shown as very high.