Team for Research in
Ubiquitous Secure Technology

Citation
Ting He, Lang Tong. "A Signal Processing Perspective to Stepping-Stone Detection". Proceedings of IEEE CISS, Cornell University, March, 2006.

Abstract
Malicious use of anonymity techniques makes network attackers difficult to track. The problem is even worse in stepping-stone attacks, where multiple anonymous connections are linked to form an intrusion path. The tracking of a steppingstone attacker requires the detection of all the connection pairs on the intrusion path. In this paper, we consider the problem of identifying a stepping-stone connection pair at an intermediate host. We formulate the problem as one of nonparametric hypotheses testing. Our attacker model allows the attacker to encrypt the traffic and modify the timing. We propose two algorithms which do not depend on the content of the traffic. Our techniques only make generic assumptions such as delay or memory constraints, and therefore they are applicable in most practical systems. We show that our algorithms can detect all the stepping-stone connections while falsely accusing normal traffic with exponentially-decaying probabilities.

Electronic downloads

• HeTong06CISS.pdf · application/pdf · 119 kbytes

• HTML

  Ting He, Lang Tong. <a
  href="http://www.truststc.org/pubs/172.html" >A
  Signal Processing Perspective to Stepping-Stone
  Detection</a>, Proceedings of IEEE CISS, Cornell
  University, March, 2006.

• Plain text

  Ting He, Lang Tong. "A Signal Processing Perspective to
  Stepping-Stone Detection". Proceedings of IEEE CISS,
  Cornell University, March, 2006.

• BibTeX

  @inproceedings{HeTong06_SignalProcessingPerspectiveToSteppingStoneDetection,
      author = {Ting He and Lang Tong},
      title = {A Signal Processing Perspective to Stepping-Stone
                Detection},
      booktitle = {Proceedings of IEEE CISS},
      organization = {Cornell University},
      month = {March},
      year = {2006},
      abstract = {Malicious use of anonymity techniques makes
                network attackers difficult to track. The problem
                is even worse in stepping-stone attacks, where
                multiple anonymous connections are linked to form
                an intrusion path. The tracking of a steppingstone
                attacker requires the detection of all the
                connection pairs on the intrusion path. In this
                paper, we consider the problem of identifying a
                stepping-stone connection pair at an intermediate
                host. We formulate the problem as one of
                nonparametric hypotheses testing. Our attacker
                model allows the attacker to encrypt the traffic
                and modify the timing. We propose two algorithms
                which do not depend on the content of the traffic.
                Our techniques only make generic assumptions such
                as delay or memory constraints, and therefore they
                are applicable in most practical systems. We show
                that our algorithms can detect all the
                stepping-stone connections while falsely accusing
                normal traffic with exponentially-decaying
                probabilities.},
      URL = {http://www.truststc.org/pubs/172.html}
  }
  

Posted by Lang Tong on 11 Feb 2007.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.