Detect multi-hop stepping-stone pairs with clock skew

Author

Kuo, Ying-Wei ; Huang, Shou-Hsuan Stephen ; Hill, Christopher

Author_Institution

Dept. of Comput. Sci., Univ. of Houston, Houston, TX, USA

fYear

2010

fDate

23-25 Aug. 2010

Firstpage

74

Lastpage

79

Abstract

Stepping-stone attacks in network intrusion detection are attackers who use a sequence of stepping-stone hosts to initiate attacks in order to hide their origins. The goal of this paper is to find algorithms to correctly detect the attacks and have the ability to tolerate the clock skew or/and chaff while exhibiting low time complexity. We propose three novel algorithms for detecting correlation and similarity of two connections not only into and out of a single stepping stone host (consecutive streams), but also across multiple stepping-stone hosts. To evaluate the accuracy and efficiency, we conduct extensive experiments. We also evaluate how chaff packets and clock skew may affect these methods. We present a comparison of the algorithms in terms of false rates of detection, and identify one of the approaches that can efficiently achieve good performance under a variety of circumstances.

Keywords

clocks; computational complexity; security of data; chaff packets; clock skew; correlation detection; multihop stepping stone pair detection; network intrusion detection; stepping stone host; time complexity; Algorithm design and analysis; Clocks; Complexity theory; Correlation; Delay; Internet; Synchronization; chaff; clock skew; connection chain; intrusion detection; network security; pattern recognition; stepping-stone attack;

fLanguage

English

Publisher

ieee

Conference_Titel

Information Assurance and Security (IAS), 2010 Sixth International Conference on

Conference_Location

Atlanta, GA

Print_ISBN

978-1-4244-7407-3

Type

conf

DOI

10.1109/ISIAS.2010.5604044

Filename

5604044