Team for Research in
Ubiquitous Secure Technology

Citation
Ting He, Lang Tong. "Robust Detection of Stepping-Stone Attacks". Proceedings of 25th Army Science Conference, Cornell University, November, 2006.

Abstract
The detection of encrypted stepping-stone attack is considered. Besides encryption and padding, the attacker is capable of inserting chaff packets and perturbing packet timing and transmission order. Based on the assumption that packet arrivals form renewal processes, and a pair of such renewal processes is also renewal, a nonparametric detector is proposed to detect attacking traffic by testing the correlation between interarrival times in the incoming process and the outgoing process. The detector requires no knowledge of the interarrival distributions, and it is shown to have exponentially decaying detection error probabilities for all distributions. The error exponents are characterized using the Vapnik-Chervonenkis Theory. An efficient algorithm is proposed based on the detector structure to detect renewal processes with linearly correlated interarrival times. It is shown that the proposed algorithm is robust against an amount of chaff arbitrarily close to the amount of chaff needed to mimic independent processes.

Electronic downloads

• HeTong06ASC.pdf · application/pdf · 145 kbytes

• HTML

  Ting He, Lang Tong. <a
  href="http://www.truststc.org/pubs/168.html"
  >Robust Detection of Stepping-Stone Attacks</a>,
  Proceedings of 25th Army Science Conference, Cornell
  University, November, 2006.

• Plain text

  Ting He, Lang Tong. "Robust Detection of Stepping-Stone
  Attacks". Proceedings of 25th Army Science Conference,
  Cornell University, November, 2006.

• BibTeX

  @inproceedings{HeTong06_RobustDetectionOfSteppingStoneAttacks,
      author = {Ting He and Lang Tong},
      title = {Robust Detection of Stepping-Stone Attacks},
      booktitle = {Proceedings of 25th Army Science Conference},
      organization = {Cornell University},
      month = {November},
      year = {2006},
      abstract = {The detection of encrypted stepping-stone attack
                is considered. Besides encryption and padding, the
                attacker is capable of inserting chaff packets and
                perturbing packet timing and transmission order.
                Based on the assumption that packet arrivals form
                renewal processes, and a pair of such renewal
                processes is also renewal, a nonparametric
                detector is proposed to detect attacking traffic
                by testing the correlation between interarrival
                times in the incoming process and the outgoing
                process. The detector requires no knowledge of the
                interarrival distributions, and it is shown to
                have exponentially decaying detection error
                probabilities for all distributions. The error
                exponents are characterized using the
                Vapnik-Chervonenkis Theory. An efficient algorithm
                is proposed based on the detector structure to
                detect renewal processes with linearly correlated
                interarrival times. It is shown that the proposed
                algorithm is robust against an amount of chaff
                arbitrarily close to the amount of chaff needed to
                mimic independent processes.},
      URL = {http://www.truststc.org/pubs/168.html}
  }
  

Posted by Lang Tong on 11 Feb 2007.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.