Detecting Network Intruders by Examining Packet Crossovers in Connections



Journal Title

Journal ISSN

Volume Title



Routing packet traffic through a chain of hosts is a common technique for hackers to attack a victim machine without exposing themselves. Generally, a long connection chain formed is an indication of the presence of an intruder. Previous work has mostly focused on detecting stepping-stone hosts. Few researchers have addressed the issue of long connection chains (especially downstream detection). A challenging issue in this area is to detect users connecting to a server using a long connection chain with only the information at the end of the chain. This thesis presents a solution to the problem of detecting upstream long connection chains. We first observe that the longer a connection chain is, the more packet crossovers are generated. Thus we reduce the problem of detecting long chains to that of detecting unusually large number of packet crossovers along the chain between requests and responses at server side. However, the approach requires the packet information along the whole chain. Since we cannot directly measure the number of crossovers on intermediate nodes, we are forced to study the consequences of large number of crossovers. A detection algorithm has been designed based on the distribution of packet gaps. We validated our algorithm using test data generated on the Internet. The result shows a high detection rate of long connection chains from short ones without too many false positives.



Intrusion detection, Stepping-stone