Team for Research in
Ubiquitous Secure Technology

A Signal Processing Perspective to Stepping-Stone Detection
Ting He, Lang Tong

Citation
Ting He, Lang Tong. "A Signal Processing Perspective to Stepping-Stone Detection". Proceedings of IEEE CISS, Cornell University, March, 2006.

Abstract
Malicious use of anonymity techniques makes network attackers difficult to track. The problem is even worse in stepping-stone attacks, where multiple anonymous connections are linked to form an intrusion path. The tracking of a stepping-stone attacker requires the detection of all the connection pairs on the intrusion path. In this paper, we consider the problem of identifying a stepping-stone connection pair at an intermediate host. We formulate the problem as one of nonparametric hypotheses testing. Our attacker model allows the attacker to encrypt the traffic and modify the timing. We propose two algorithms which do not depend on the content of the traffic. Our techniques only make generic assumptions such as delay or memory constraints, and therefore they are applicable in most practical systems. We show that our algorithms can detect all the stepping-stone connections while falsely accusing normal traffic with exponentially-decaying probabilities.

Citation formats  
  • HTML
    Ting He, Lang Tong. <a
    href="http://www.truststc.org/pubs/172.html" >A
    Signal Processing Perspective to Stepping-Stone
    Detection</a>, Proceedings of IEEE CISS, Cornell
    University, March, 2006.
  • Plain text
    Ting He, Lang Tong. "A Signal Processing Perspective to
    Stepping-Stone Detection". Proceedings of IEEE CISS,
    Cornell University, March, 2006.
  • BibTeX
    @inproceedings{HeTong06_SignalProcessingPerspectiveToSteppingStoneDetection,
        author = {Ting He and Lang Tong},
        title = {A Signal Processing Perspective to Stepping-Stone
                  Detection},
        booktitle = {Proceedings of IEEE CISS},
        organization = {Cornell University},
        month = {March},
        year = {2006},
        abstract = {Malicious use of anonymity techniques makes
                  network attackers difficult to track. The problem
                  is even worse in stepping-stone attacks, where
                  multiple anonymous connections are linked to form
                  an intrusion path. The tracking of a stepping-stone
                  attacker requires the detection of all the
                  connection pairs on the intrusion path. In this
                  paper, we consider the problem of identifying a
                  stepping-stone connection pair at an intermediate
                  host. We formulate the problem as one of
                  nonparametric hypotheses testing. Our attacker
                  model allows the attacker to encrypt the traffic
                  and modify the timing. We propose two algorithms
                  which do not depend on the content of the traffic.
                  Our techniques only make generic assumptions such
                  as delay or memory constraints, and therefore they
                  are applicable in most practical systems. We show
                  that our algorithms can detect all the
                  stepping-stone connections while falsely accusing
                  normal traffic with exponentially-decaying
                  probabilities.},
        URL = {http://www.truststc.org/pubs/172.html}
    }
    

Posted by Lang Tong on 11 Feb 2007.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.