Title :
Detecting Chaff Perturbation on Stepping-Stone Connection
Author :
Huang, Shou-Hsuan Stephen ; Kuo, Ying-Wei
Author_Institution :
Dept. of Comput. Sci., Univ. of Houston, Houston, TX, USA
Abstract :
Cyber criminals often use a sequence of intermediate "stepping-stone" hosts to attack a target machine in order to maintain anonymity. This type of attack of using a connection chain is called stepping-stone attack. Most existing algorithms to detect such attack is to use timing-based correlation on the connections. However, these timing-based approaches are vulnerable if the intruders add chaff packets to evade the detection. The stepping-stone detection rate decreases as the chaff rate increases. We developed a novel anomaly detection algorithm to detect the presence of chaff in a connection by monitoring the packet inter-arrival times. Our study shows the probability distribution of the inter-arrival time of a chaffed connection differs from that of one without chaff. Our experiments show the detection rate as a function of the chaff rate under a variety of complex circumstances. The new algorithm complements the existing correlation-based stepping-stone detection algorithms in providing a more robust solution to stepping-stone detection.
Keywords :
security of data; statistical distributions; anomaly detection algorithm; chaff packet; chaff perturbation detection; connection chain; cyber criminals; packet inter-arrival time; probability distribution; stepping-stone attack; stepping-stone detection; stepping-stone host; timing-based correlation; Classification algorithms; Correlation; Data models; Detection algorithms; Feature extraction; Mathematical model; Testing; Stepping-stone intrusion detection; chaff evasion technique; distributed computing; network security; packet inter-arrival time model;
Conference_Titel :
Parallel and Distributed Systems (ICPADS), 2011 IEEE 17th International Conference on
Conference_Location :
Tainan
Print_ISBN :
978-1-4577-1875-5
DOI :
10.1109/ICPADS.2011.51
