• DocumentCode
    2954960
  • Title

    Stepping-stone detection algorithm based on order preserving mapping

  • Author

    Ying-Wei Kuo ; Shou-Hsuan ; Huang, Shanjin

  • Author_Institution
    Dept. of Comput. Sci., Univ. of Houston, Houston, TX
  • Volume
    2
  • fYear
    2007
  • fDate
    5-7 Dec. 2007
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    Intruders often do not attack victim hosts directly from their own hosts so as not to reveal their identity. Instead, intruders perform their attacks through a sequence of intermediary hosts before attacking the target. This type of attack is known as a "stepping-stone attack". Stepping-stone detection is to determine if a host machine is being used as a stepping-stone by attackers. In this paper, we propose an algorithm for stepping-stone detection using a previous mapping-based detection method. The technique reduces the detection problem to finding a mapping between two streams of packets. If our algorithm cannot find the mapping, then no such mapping exists. But if there is a mapping, then the proposed algorithm is guaranteed to find one, and the solution will always be the minimum-indexed one. We provide the proof of the correctness of the algorithms. Furthermore, the algorithm has a low time complexity. The paper also discusses the effect of chaff packets on the ability to detect stepping-stones.
  • Keywords
    computational complexity; security of data; chaff packets; order preserving mapping; stepping-stone detection algorithm; Stepping-stone; algorithm; connection chain; intrusion detection; mappings;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Parallel and Distributed Systems, 2007 International Conference on
  • Conference_Location
    Hsinchu
  • ISSN
    1521-9097
  • Print_ISBN
    978-1-4244-1889-3
  • Electronic_ISBN
    1521-9097
  • Type

    conf

  • DOI
    10.1109/ICPADS.2007.4447772
  • Filename
    4447772