Team for Research in
Ubiquitous Secure Technology

Robust Detection of Stepping-Stone Attacks
Ting He, Lang Tong

Citation
Ting He, Lang Tong. "Robust Detection of Stepping-Stone Attacks". Proceedings of 25th Army Science Conference, Cornell University, November, 2006.

Abstract
The detection of encrypted stepping-stone attack is considered. Besides encryption and padding, the attacker is capable of inserting chaff packets and perturbing packet timing and transmission order. Based on the assumption that packet arrivals form renewal processes, and a pair of such renewal processes is also renewal, a nonparametric detector is proposed to detect attacking traffic by testing the correlation between interarrival times in the incoming process and the outgoing process. The detector requires no knowledge of the interarrival distributions, and it is shown to have exponentially decaying detection error probabilities for all distributions. The error exponents are characterized using the Vapnik-Chervonenkis Theory. An efficient algorithm is proposed based on the detector structure to detect renewal processes with linearly correlated interarrival times. It is shown that the proposed algorithm is robust against an amount of chaff arbitrarily close to the amount of chaff needed to mimic independent processes.

Electronic downloads

Citation formats  
  • HTML
    Ting He, Lang Tong. <a
    href="http://www.truststc.org/pubs/168.html"
    >Robust Detection of Stepping-Stone Attacks</a>,
    Proceedings of 25th Army Science Conference, Cornell
    University, November, 2006.
  • Plain text
    Ting He, Lang Tong. "Robust Detection of Stepping-Stone
    Attacks". Proceedings of 25th Army Science Conference,
    Cornell University, November, 2006.
  • BibTeX
    @inproceedings{HeTong06_RobustDetectionOfSteppingStoneAttacks,
        author = {Ting He and Lang Tong},
        title = {Robust Detection of Stepping-Stone Attacks},
        booktitle = {Proceedings of 25th Army Science Conference},
        organization = {Cornell University},
        month = {November},
        year = {2006},
        abstract = {The detection of encrypted stepping-stone attack
                  is considered. Besides encryption and padding, the
                  attacker is capable of inserting chaff packets and
                  perturbing packet timing and transmission order.
                  Based on the assumption that packet arrivals form
                  renewal processes, and a pair of such renewal
                  processes is also renewal, a nonparametric
                  detector is proposed to detect attacking traffic
                  by testing the correlation between interarrival
                  times in the incoming process and the outgoing
                  process. The detector requires no knowledge of the
                  interarrival distributions, and it is shown to
                  have exponentially decaying detection error
                  probabilities for all distributions. The error
                  exponents are characterized using the
                  Vapnik-Chervonenkis Theory. An efficient algorithm
                  is proposed based on the detector structure to
                  detect renewal processes with linearly correlated
                  interarrival times. It is shown that the proposed
                  algorithm is robust against an amount of chaff
                  arbitrarily close to the amount of chaff needed to
                  mimic independent processes.},
        URL = {http://www.truststc.org/pubs/168.html}
    }
    

Posted by Lang Tong on 11 Feb 2007.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.