Detecting Network Intruders Connected Through Long Stepping-stone Chains






A common technique hackers use to avoid detection is to route their network connections through a chain of stepping-stone hosts. There is no valid reason to use a long connection chain for a remote login such as an SSH connection. In this dissertation, we focus on protecting hosts from attacks made through stepping-stone connection chains. Our objective is to detect intruders both at a stepping-stone host in the middle of the connection chain and at the target host at the end of the chain. As correlation-based stepping-stone detection algorithms have developed, hackers have also developed new techniques to evade detection. They can add chaff packets or jitter the original packets to decrease the detection rate of these correlation algorithms. Intrusions with added chaff packets have already been studied, while jittering has not been addressed. Our jitter detection algorithm fits statistical distributions to the inter-arrival time gaps of traffic flows, extracts features from the fits, and separates jittered flows from normal ones using support vector machines. The algorithm does not work well for light jittering. Hence, we further propose a hybrid stepping-stone detection algorithm that employs both correlation and jitter detection algorithms to detect intrusions. Experimental results show that our hybrid stepping-stone detection algorithm can successfully detect more than 90% of stepping-stone intrusions in most cases with a 0% false positive rate.

It is always important for a host to protect itself from being a victim. To detect long connection chain intrusions at the target host, we propose two detection algorithms: a nearest neighbor-based algorithm and an anomaly detection-based algorithm. The first algorithm centers on analyzing the delay between the time a user presses "Enter" to finish a command and the time the user types the next character, and uses an approximated upstream round-trip time to separate long connection chains from short ones. Experimental results show that our method can distinguish long chains from short ones with good accuracy. In addition, based on the idea of anomalous behavior detection, we propose a novel method to distinguish long connection chains from short ones using a pre-defined short-chain profile. Each new connection is compared to the profile, and any connection that differs significantly from it is considered a suspicious long connection. We also propose several methods to increase the detection rate by adapting to a user's different typing speeds. This algorithm achieves better detection accuracy than the first one. With the algorithms proposed in this dissertation, we can robustly detect stepping-stones in the middle of the chain, and we can more effectively protect victim hosts at the end of the chain from stepping-stone intrusions.



Intrusion detection, Network Security, Stepping-stone Detection


Portions of this document appear in: Ding, Wei, Matthew J. Hausknecht, Shou-Hsuan Stephen Huang, and Zach Riggle. "Detecting stepping-stone intruders with long connection chains." In 2009 Fifth International Conference on Information Assurance and Security, vol. 2, pp. 665-669. IEEE, 2009. And in: Ding, Wei, and Shou-Hsuan Stephen Huang. "Detecting intruders using a long connection chain to connect to a host." In 2011 IEEE International Conference on Advanced Information Networking and Applications, pp. 121-128. IEEE, 2011. And in: Ding, Wei, Khoa Le, and Shou-Hsuan Stephen Huang. "Detecting stepping-stones under the influence of packet jittering." In 2013 9th International Conference on Information Assurance and Security (IAS), pp. 31-36. IEEE, 2013.