DocumentCode
1992313
Title
An Algorithm to Detect Stepping-Stones in the Presence of Chaff Packets
Author
Ying-Wei Kuo ; Huang, Shou-Hsuan Stephen
Author_Institution
Dept. of Comput. Sci., Univ. of Houston, Houston, TX, USA
fYear
2008
fDate
8-10 Dec. 2008
Firstpage
485
Lastpage
492
Abstract
A major concern for network intrusion detection systems is the ability of an intruder to evade detection by routing through a chain of intermediate hosts to attack a target machine while maintaining anonymity. Such an intermediate host is called a stepping-stone. Intruders have developed evasion techniques such as injecting chaff packets. A number of algorithms have been proposed to detect stepping-stones, but some of them fail to detect them correctly when the network traffic is corrupted or contains chaff packets. We discuss the viability of solving those issues by improving a previous methodology. The algorithm is based on finding as many matched pairs of incoming and outgoing packets on the same host as possible and then deciding whether it is a stepping-stone connection by the mismatched rate. We examine a number of tradeoffs in choosing the threshold values by simulating network traffic. Our experiments report very good performance with very low false detection rates when using carefully selected parameter values.
Keywords
computer networks; telecommunication network routing; telecommunication security; telecommunication traffic; chaff packet; evasion technique; false detection rate; network intrusion detection system; network routing; network traffic; stepping-stone detection; Computer science; Cryptography; Delay; Delta modulation; Detection algorithms; Intrusion detection; Routing; Telecommunication traffic; Timing; USA Councils; Stepping-stone; chaff; connection chain; intrusion detection; network security;
fLanguage
English
Publisher
IEEE
Conference_Titel
Parallel and Distributed Systems, 2008. ICPADS '08. 14th IEEE International Conference on
Conference_Location
Melbourne, VIC
ISSN
1521-9097
Print_ISBN
978-0-7695-3434-3
Type
conf
DOI
10.1109/ICPADS.2008.101
Filename
4724356