Ting He and Lang Tong
Citation
Ting He and Lang Tong. "A Signal Processing Prospective to Stepping-stone Detection". Proceedings of Conference on Information Sciences and Systems 2006, March, 2006.
Abstract
In a stepping-stone attack, the attacker send commands to the
victim through a chain of compromised hosts acting as ``stepping
stones''. The detection of stepping-stone connections at the
compromised hosts is a key component in defending against such
attacks. The attacker can deter the detection by encrypting the
connections and perturbing their timing. In this paper, we
consider strategies to identify stepping-stone connections without
using the content of the traffic. We propose two activity-based
algorithms which can detect stepping-stone connections even though
they are encrypted and modified by the attacker. The first
algorithm is based on the assumption that the stepping-stone
connections have bounded delay. The second algorithm assumes that
the stepping-stone host has bounded memory to hold relay packets.
We prove that both algorithms have no miss detection and
exponentially-decaying false alarm probabilities. When both
bounded memory and bounded delay conditions are satisfied, a
comparison of the error probabilities suggests how to choose
algorithms under different traffic rates.
Electronic downloads
| Citation formats |
- HTML
Ting He and Lang Tong. <a href="http://www.truststc.org/pubs/32.html" >A Signal Processing Prospective to Stepping-stone Detection</a>, Proceedings of Conference on Information Sciences and Systems 2006, March, 2006.
- Plain text
Ting He and Lang Tong. "A Signal Processing Prospective to Stepping-stone Detection". Proceedings of Conference on Information Sciences and Systems 2006, March, 2006.
- BibTeX
@inproceedings{HeTong06_SignalProcessingProspectiveToSteppingstoneDetection, author = {Ting He and Lang Tong}, title = {A Signal Processing Prospective to Stepping-stone Detection}, booktitle = {Proceedings of Conference on Information Sciences and Systems 2006}, month = {March}, year = {2006}, abstract = {In a stepping-stone attack, the attacker send commands to the victim through a chain of compromised hosts acting as ``stepping stones''. The detection of stepping-stone connections at the compromised hosts is a key component in defending against such attacks. The attacker can deter the detection by encrypting the connections and perturbing their timing. In this paper, we consider strategies to identify stepping-stone connections without using the content of the traffic. We propose two activity-based algorithms which can detect stepping-stone connections even though they are encrypted and modified by the attacker. The first algorithm is based on the assumption that the stepping-stone connections have bounded delay. The second algorithm assumes that the stepping-stone host has bounded memory to hold relay packets. We prove that both algorithms have no miss detection and exponentially-decaying false alarm probabilities. When both bounded memory and bounded delay conditions are satisfied, a comparison of the error probabilities suggests how to choose algorithms under different traffic rates. }, URL = {http://www.truststc.org/pubs/32.html} }
Posted by Ting He on 16 Feb 2006.
For additional information, see the
Publications FAQ or
contact webmaster at www truststc org.
Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.