Team for Research in
Ubiquitous Secure Technology

A Signal Processing Prospective to Stepping-stone Detection
Ting He and Lang Tong

Citation
Ting He and Lang Tong. "A Signal Processing Prospective to Stepping-stone Detection". Proceedings of Conference on Information Sciences and Systems 2006, March, 2006.

Abstract
In a stepping-stone attack, the attacker sends commands to the victim through a chain of compromised hosts acting as "stepping stones". The detection of stepping-stone connections at the compromised hosts is a key component in defending against such attacks. The attacker can deter the detection by encrypting the connections and perturbing their timing. In this paper, we consider strategies to identify stepping-stone connections without using the content of the traffic. We propose two activity-based algorithms which can detect stepping-stone connections even though they are encrypted and modified by the attacker. The first algorithm is based on the assumption that the stepping-stone connections have bounded delay. The second algorithm assumes that the stepping-stone host has bounded memory to hold relay packets. We prove that both algorithms have no missed detection and exponentially decaying false alarm probabilities. When both the bounded memory and bounded delay conditions are satisfied, a comparison of the error probabilities suggests how to choose between the algorithms under different traffic rates.

Citation formats  
  • BibTeX
    @inproceedings{HeTong06_SignalProcessingProspectiveToSteppingstoneDetection,
        author = {Ting He and Lang Tong},
        title = {A Signal Processing Prospective to Stepping-stone
                  Detection},
        booktitle = {Proceedings of Conference on Information Sciences
                  and Systems 2006},
        month = {March},
        year = {2006},
        URL = {http://www.truststc.org/pubs/32.html}
    }
    

Posted by Ting He on 16 Feb 2006.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.