Detecting Encrypted Interactive Stepping-Stone Connections

Detecting Encrypted Interactive Stepping-Stone Connections
Ting He, Lang Tong

Citation
Ting He, Lang Tong. "Detecting Encrypted Interactive Stepping-Stone Connections". Proceedings of IEEE ICASSP, Cornell University, May, 2006.

Abstract
Network intruders often hide their identities by sending attacks through a chain of compromised hosts that are used as “stepping stones”. The difficulty in defending against such attacks lies in detecting stepping-stone connections at the compromised hosts. In this paper, to distinguish normal from attacking connections, we consider strategies that do not depend on the content of the traffic so that they are applicable to encrypted traffic. We propose a low complexity detection algorithm that has no miss detection and an exponentially-decaying false alarm probability. A sequential strategy is then developed to reduce the required number of testing packets.

Electronic downloads

HeTong06ICASSP.pdf · application/pdf · 89 kbytes

Citation formats

HTML

Ting He, Lang Tong. <a
href="http://www.truststc.org/pubs/171.html"
>Detecting Encrypted Interactive Stepping-Stone
Connections</a>, Proceedings of IEEE ICASSP, Cornell
University, May, 2006.

Plain text

Ting He, Lang Tong. "Detecting Encrypted Interactive
Stepping-Stone Connections". Proceedings of IEEE
ICASSP, Cornell University, May, 2006.

BibTeX

@inproceedings{HeTong06_DetectingEncryptedInteractiveSteppingStoneConnections,
    author = {Ting He and Lang Tong},
    title = {Detecting Encrypted Interactive Stepping-Stone
              Connections},
    booktitle = {Proceedings of IEEE ICASSP},
    organization = {Cornell University},
    month = {May},
    year = {2006},
    abstract = {Network intruders often hide their identities by
              sending attacks through a chain of compromised
              hosts that are used as â��stepping stonesâ��. The
              difficulty in defending against such attacks lies
              in detecting stepping-stone connections at the
              compromised hosts. In this paper, to distinguish
              normal from attacking connections, we consider
              strategies that do not depend on the content of
              the traffic so that they are applicable to
              encrypted traffic. We propose a low complexity
              detection algorithm that has no miss detection and
              an exponentially-decaying false alarm probability.
              A sequential strategy is then developed to reduce
              the required number of testing packets.},
    URL = {http://www.truststc.org/pubs/171.html}
}

Posted by Lang Tong on 11 Feb 2007.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.