Detecting Stepping-Stone Intrusion and Resisting Evasion through TCP/IP Packets Cross-Matching

Authors

  • Jianhua Yang
  • Byong Lee
Abstract

In this paper, we propose a cross-matching algorithm that can detect stepping-stone intrusion. The theoretical analysis of this algorithm shows that it can completely resist intruder’s time-jittering evasion. The results of the experiments and the simulation show that this algorithm can also resist intruders’ chaff-perturbation with chaff-rate up to 80%. Compared with A. Blum’s approach, which can resist chaff-perturbation with every x inserted packets out of 8*(x+1), this approach has promising performance in terms of resistance to intruders’ manipulation.

Similar resources

Matching TCP/IP Packets to Detect Stepping-Stone Intrusion

We propose a “Step-Function” method to detect network attackers from using a long connection chain to hide their identities when they launch attacks. The objective of the method is to estimate the length of a connection chain based on the changes in packet round trip times. The key point to compute the round trip time of a connection chain is to match a Send and its corresponding Echo packet. W...

Probabilistic analysis of an algorithm to compute TCP packet round-trip time for intrusion detection

Estimating the length of a connection chain is challenging and critical in detecting stepping-stone intrusion. In this paper, we propose a novel method, called standard deviation-based clustering approach (SDBA), to estimate the length of an interactive connection chain by computing round-trip time (RTT). SDBA takes advantage of RTTs distribution and inter-arrival distribution of ‘‘send’’ packe...

Modeling and Detecting Stepping-Stone Intrusion

Most network intruders launch their attacks through stepping-stones to reduce the risks of being discovered. To uncover such intrusions, one prevalent, challenging, and critical way is to compare an incoming connection with an outgoing connection to determine if a computer is used as a stepping-stone. In this paper, we present four models to describe stepping-stone intrusion. We also propose the i...

Stepping-stone Detection Technique for Recognizing Legitimate and Attack Connections

A stepping-stone connection has always been assumed as an intrusion since the first research on stepping-stone connections twenty years ago. However, not all stepping-stone connections are malicious. This paper proposes an enhanced stepping-stone detection (SSD) technique which is capable to identify legitimate connections from stepping-stone connections. Stepping-stone connections are identifi...

Active Mapping: Resisting NIDS Evasion without Altering Traffic

A critical problem faced by a Network Intrusion Detection System (NIDS) is that of ambiguity. The NIDS cannot always determine what traffic reaches a given host nor how that host will interpret the traffic, and attackers may exploit this ambiguity to avoid detection or cause misleading alarms. We present a novel, lightweight solution, Active Mapping, which eliminates TCP/IP-based ambiguity in a...

Publication date: 2008