The loop fallacy and deterministic serialisation in tracing intrusion connections through stepping stones

In order to conceal their identity and origin, network based intruders seldom attack directly from their own hosts, but rather stage their attacks through intermediate ‘stepping stones’. To identify attackers behind stepping stones, it is necessary to be able to trace and correlate attack traffic through the stepping stones and construct the correct intrusion connection chain. A complete solution to the stepping stones tracing problem consists of two complementary parts. Firstly, the set of correlated connections that belongs to the same intrusion connection chain has to be identified; secondly, those correlated connections need to be serialised in order to construct the accurate and complete intrusion connection chain. Existing approaches to the tracing problem of intrusion connections through stepping stones have focused on identifying the set of correlated connections that belong to the same connection chain and have overlooked the serialisation of those correlated connections. In this paper, we use set theoretic approach to analyse the theoretical limits of the correlation-only approach, demonstrate the gap between the perfect stepping stone correlation solution and the perfect solution to the stepping stones tracing problem, and we show what it takes to fill the gap. Firstly, we identify the serialisation problem and the loop fallacy in tracing connections through stepping stones. We formally demonstrate that even the perfect correlation solution, which gives us all and only those connections that belong to the same connection chain, does not guarantee to be able to serialise the correlated connections deterministically. Secondly, we show that the complete set of correlated connections, even with loops, could be serialised deterministically without synchronised clock. We present an efficient intrusion path construction method based on adjacent correlated connection pairs. Finally, we show that the incomplete set of correlated connections due to limited observing area of stepping stones only provides enough information to construct a partial-order of subsequences of the connection chain in general, and we present an efficient way to determine when the incomplete set of correlated connections could be serialised deterministically.