Stepping-Stone Detection Via Request-Response Traffic Analysis

  • Shou-Husan Stephen Huang
  • Robert Lychev
  • Jianhua Yang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4610)


In this paper, we develop an algorithm that may be used as a stepping-stone detection tool. Our approach is based on analyzing correlations between the cumulative number of packets sent in outgoing connections and that of the incoming connections. We present a study of our method’s effectiveness with actual connections as well as simulations of time-jittering (introduction of inter-packet delay) and chaff (introduction of superfluous packets). Experimental results suggest that our algorithm works well in the following scenarios: (1) distinguishing connection chains that go through the same stepping stone host and carry traffic of users who perform similar operations at the same time; and (2) distinguishing a single connection chain from unrelated incoming and outgoing connections even in the presence of chaff. The result suggests that time-jittering will not diminish our method’s usefulness.


Step Stone Incoming Connection Outgoing Connection USENIX Security Symposium Packet Marking 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Blum, A., Song, D., Venkataraman, S.: Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 258–277. Springer, Heidelberg (2004)Google Scholar
  2. 2.
    Brunk, H.D.: An Introduction to Mathematical Statistics, Ginn and Company (1960)Google Scholar
  3. 3.
    Donoho, D., Flesia, A.G., Shankar, U., Paxson, V., Coit, J., Staniford, S.: Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 45–59. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Duwairi, B., Chakrabarti, A., Manimaran, G.: An Efficient Probabilistic Packet Marking Scheme for IP Traceback. In: Mitrou, N.M., Kontovasilis, K., Rouskas, G.N., Iliadis, I., Merakos, L. (eds.) NETWORKING 2004. LNCS, vol. 3042, pp. 1263–1269. Springer, Heidelberg (2004)Google Scholar
  5. 5.
    Goodrich, M.T.: Efficient Packet Marking for Large-Scale IP Traceback. In: Proc. of ACM CCS 2002, Washington, DC, USA, pp. 117–126 (2002)Google Scholar
  6. 6.
    Jung, H.T., Kim, H.L., Seo, Y.M., Choe, G., Min, S.L., Kim, C.S., Koh, K.: Caller Identification System in the Internet Environment. In: Proc. of 4th USINEX Security Symposium, Santa Clara, CA, USA, pp. 69–78 (1993)Google Scholar
  7. 7.
    Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Practical Network Support for IP Traceback. In: Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, Stockholm, Sweden, pp. 295–306 (2000)Google Scholar
  8. 8.
    Song, D., Perrig, A.: Advanced and Authenticated Marking Scheme for IP Traceback. In: Proc. of IEEE INFOCOM, Anchorage, AL, USA, pp. 878–886 (2001)Google Scholar
  9. 9.
    Snapp, S., et al.: DIDS, (Distributed Intrusion Detection System) – Motivation, Architecture and Early Prototype. In: Proc. of 14th National Computer Security Conference, Columbus, OH, USA, pp. 167–176 (1991)Google Scholar
  10. 10.
    Staniford-Chen, S., Heberlein, L.T.: Holding Intruders Accountable on the Internet. In: Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, pp. 39–49 (1995)Google Scholar
  11. 11.
    Wang, X., Reeves, D.S., Wu, S.F., Yuill, J.: Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework. In: Proc. of 16th International Conference on Information Security, Paris, France, pp. 369–384 (2001)Google Scholar
  12. 12.
    Wang, X., Reeves, D.S.: Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Manipulation of Inter-packet Delays. In: Proc. of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, pp. 20–29 (2003)Google Scholar
  13. 13.
    Wang, X.: The Loop Fallacy and Serialization in Tracing Intrusion Connections through Stepping Stones. In: Proc. of the ACM Symposium on Applied Computing, Nicosia, Cyprus, pp. 404–411 (2004)Google Scholar
  14. 14.
    Xin, J., Zhang, L., Aswegan, B., Dickerson, J., Daniels, T., Guan, Y.: A Testbed for Evaluation and Analysis of Stepping Stone Attack Attribution Techniques. In: Proc. of the 2nd International IEEE/Create-Net Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities, Barcelona, Spain (2006)Google Scholar
  15. 15.
    Yoda, K., Etoh, H.: Finding a Connection Chain for Tracing Intruders. In: Proceedings of 6th European Symposium on Research in Computer Security, Toulouse, France, pp. 191–205 (2000)Google Scholar
  16. 16.
    Zhang, Y., Paxson, V.: Detecting Stepping Stones. In: Proc. of the 9th USENIX Security Symposium, Denver, CO, USA, pp. 171–184 (2000)Google Scholar
  17. 17.
    Zhang, L., Persaud, A.G., Johnson, A., Guan, Y.: Detection of Stepping Stone Attack under Delay and Chaff Perturbations. In: Proc. of 25th IEEE International Performance Computing and Communications Conference, Phoenix, AZ, USA (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Shou-Husan Stephen Huang
    • 1
  • Robert Lychev
    • 2
  • Jianhua Yang
    • 3
  1. 1.Department of Computer Science, University of Houston, 4800 Calhoun Rd., Houston, TX 77004USA
  2. 2.Department of Computer Science, University of Massachusetts Amherst, Amherst, MA 01003USA
  3. 3.Department of Mathematics & Computer Science, Bennett College, 900 E. Washington St., Greensboro, NC 27401USA

Personalised recommendations