Matching TCP/IP Packets to Detect Stepping-Stone Intrusion

Authors

  • Jianhua Yang
  • Stephen Huang
Abstract

We propose a “Step-Function” method to detect network attackers who use a long connection chain to hide their identities when they launch attacks. The objective of the method is to estimate the length of a connection chain based on the changes in packet round-trip times. The key to computing the round-trip time of a connection chain is to match a Send packet with its corresponding Echo packet. We propose a conservative and a greedy matching algorithm to match TCP/IP packets in real time. The first algorithm matches fewer packets, but the quality of the matching is high. The second matches more packets, with some uncertainty about the correctness. The two algorithms give us almost identical results in determining the length of a long connection chain.

Related resources

Detecting Stepping-Stone Intrusion and Resisting Evasion through TCP/IP Packets Cross-Matching

In this paper, we propose a cross-matching algorithm that can detect stepping-stone intrusion. The theoretical analysis of this algorithm shows that it can completely resist intruder’s time-jittering evasion. The results of the experiments and the simulation show that this algorithm can also resist intruders’ chaff-perturbation with chaff-rate up to 80%. Compared with A. Blum’s approach, which ...

Analysis of Intrusion Detection System Using Trusted Clients

Traditionally, firewalls have been used to stop intrusion attempts by an attacker. But firewalls have static configurations that block attacks based on source and destination ports and IP addresses. These are not sufficient to provide security from all attacks. Therefore, we need IDS-type systems that can analyze the payload of the packet to detect these attacks. Proposed IDS is in two ...

Probabilistic analysis of an algorithm to compute TCP packet round-trip time for intrusion detection

Estimating the length of a connection chain is challenging and critical in detecting stepping-stone intrusion. In this paper, we propose a novel method, called standard deviation-based clustering approach (SDBA), to estimate the length of an interactive connection chain by computing round-trip time (RTT). SDBA takes advantage of RTTs distribution and inter-arrival distribution of “send” packe...

Evading stepping-stone detection under the cloak of streaming media with SNEAK

Network-based intrusions have become a serious threat to the users of the Internet. To help cover their tracks, attackers launch attacks from a series of previously compromised systems called stepping stones. Timing correlations on incoming and outgoing packets can lead to detection of the stepping stone and can be used to trace the attacker through each link. Prior work has sought to counter t...

Tracing Network Attacks to Their Sources

As the Internet becomes increasingly important as a business infrastructure, the number of attacks on it, especially denial-of-service attacks such as TCP SYN flooding [1], Teardrop [2], and Land [2], grows. Because of the weak security in TCP/IP, we must take responsibility for protecting our own sites against network attacks. Although access-control technologies, such as firewalls, are commonly used t...

Publication date: 2006