Evading Stepping Stone Detection Under the Cloak of Streaming Media

Network-based intrusions have become a serious treat to the users of the Internet. To help cover their tracks, attackers launch attacks from a series of previously compromised systems called stepping stones. Timing correlations on incoming and outgoing packets can lead to detection of the stepping stone and can be used to trace the attacker through each link. Existing approaches, however, deliberately ignore the fact that an attacker can add chaff packets to a traffic stream. An attacker that has complete control over the stepping stone node can install rogue applications that use chaff and introduce delays to make the incoming and outgoing streams have very different traffic characteristics. In this work, we show that such an attacker could avoid detection by the best stepping stone detection methods. We propose a simple buffering technique that could be used by an attacker on a stepping stone to evade detection. In our technique, packets are buffered, selectively dropped, and chaff packets are added to generate constant rate traffic. This traffic has the characteristics of a multimedia stream, such as voice over IP (VoIP), which is quite common on the Internet today. To test the effectiveness of our technique, we simulate both the traffic and detection using a watermark-based timing analysis algorithm. We show that our buffering technique can successfully evade detection with latencies that are reasonable for interactive streams.