Abstract
Most network intruders route their attacks through stepping-stone hosts to reduce the risk of being discovered. One typical approach to detecting stepping-stone intrusion is to estimate the number of connections in an interactive session from the round-trip times (RTTs) of its Send packets. The core of this approach is matching TCP packets, that is, computing the RTT of each Send packet. Previous methods, which match each Send packet with its corresponding Echo packet to compute RTTs, involve a tradeoff between packet matching-rate and matching-accuracy. In this paper, we first propose and prove a clustering algorithm that computes the RTTs of the Send packets of a TCP interactive session, and show that this approach achieves both a high matching-rate and high matching-accuracy.
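The Send/Echo matching that the abstract describes as the basis of RTT estimation, shown as an added illustration that is not code from the paper and does not reproduce the paper's clustering algorithm. The trace, the `Packet` record and the two matching modes (`strict` and cumulative) are constructed here to make the matching-rate versus matching-accuracy tradeoff concrete: when two keystrokes are acknowledged by one Echo, an exact-ACK matcher leaves one Send unmatched, while a cumulative-ACK matcher pairs both Sends with the same Echo and reports an inflated RTT for the earlier one.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    ts: float       # capture timestamp in seconds
    direction: str  # "send" (client -> server) or "echo" (server -> client)
    seq: int        # TCP sequence number carried by the packet
    ack: int        # TCP acknowledgement number carried by the packet
    length: int     # payload length in bytes


# Constructed sample trace (hypothetical values, not from the paper): a
# keystroke-driven session in which each Send carries one byte and the
# server's Echo acknowledges it. Send2 and Send3 are typed in quick
# succession and acknowledged by a single Echo (cumulative ACK), which is
# the case where per-Send matching becomes ambiguous.
SAMPLE_TRACE = [
    Packet(0.000, "send", 100, 500, 1),   # Send1
    Packet(0.050, "echo", 500, 101, 1),   # Echo1 acknowledges Send1
    Packet(1.000, "send", 101, 501, 1),   # Send2
    Packet(1.010, "send", 102, 501, 1),   # Send3
    Packet(1.060, "echo", 501, 103, 2),   # Echo2 acknowledges Send2 and Send3
    Packet(2.000, "send", 103, 503, 1),   # Send4
    Packet(2.055, "echo", 503, 104, 1),   # Echo3 acknowledges Send4
]


def match_send_echo(packets: List[Packet], strict: bool) -> List[Tuple[int, Optional[float]]]:
    """Pair every Send with the first later Echo that acknowledges it.

    strict=True  : accept only an Echo whose ACK equals the Send's end
                   sequence number (unambiguous pairing, lower matching-rate).
    strict=False : accept any Echo whose ACK covers the Send (every Send is
                   matched, but a cumulative ACK assigns the same Echo to
                   several Sends, so some RTTs are inflated).
    Returns a list of (index of the Send in `packets`, RTT in seconds or None).
    """
    results: List[Tuple[int, Optional[float]]] = []
    for i, s in enumerate(packets):
        if s.direction != "send":
            continue
        end_seq = s.seq + s.length
        rtt: Optional[float] = None
        for e in packets[i + 1:]:
            if e.direction != "echo":
                continue
            covered = e.ack == end_seq if strict else e.ack >= end_seq
            if covered:
                rtt = round(e.ts - s.ts, 6)
                break
            if e.ack > end_seq:
                # ACK numbers only grow, so an exact match can no longer occur.
                break
        results.append((i, rtt))
    return results


def matching_rate(matches: List[Tuple[int, Optional[float]]]) -> float:
    """Fraction of Send packets that received an RTT."""
    matched = sum(1 for _, rtt in matches if rtt is not None)
    return matched / len(matches) if matches else 0.0


def matched_rtts(matches: List[Tuple[int, Optional[float]]]) -> List[float]:
    """The RTT values actually obtained, in Send order."""
    return [rtt for _, rtt in matches if rtt is not None]


if __name__ == "__main__":
    for strict in (True, False):
        m = match_send_echo(SAMPLE_TRACE, strict)
        print(f"strict={strict}: rate={matching_rate(m):.2f} rtts={matched_rtts(m)}")
```

On the constructed trace the strict matcher reaches a matching-rate of 0.75 with every RTT equal to the true server delay, whereas the cumulative matcher reaches 1.0 but reports 0.06 s for Send2, which includes the time the server spent waiting before echoing both keystrokes together. Estimating the connection count from such RTTs therefore depends on how this ambiguity is resolved, which is the problem the paper's clustering approach addresses.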
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Yang, J., Zhang, Y. (2006). Probabilistic Proof of an Algorithm to Compute TCP Packet Round-Trip Time for Intrusion Detection. In: Zhou, J., Yung, M., Bao, F. (eds) Applied Cryptography and Network Security. ACNS 2006. Lecture Notes in Computer Science, vol 3989. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11767480_2
DOI: https://doi.org/10.1007/11767480_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34703-3
Online ISBN: 978-3-540-34704-0
eBook Packages: Computer Science (R0)