Team for Research in
Ubiquitous Secure Technology

A Signal Processing Prospective to Stepping-stone Detection
Ting He and Lang Tong

Citation
Ting He and Lang Tong. "A Signal Processing Prospective to Stepping-stone Detection". Proc. Conference on Information Sciences and Systems 2006 (CISS'06), March, 2006.

Abstract
Malicious use of anonymity techniques makes network attackers difficult to track. The problem is even worse in stepping-stone attacks, where multiple anonymous connections are linked to form an intrusion path. The tracking of a stepping-stone attacker requires the detection of all the connection pairs on the intrusion path. In this paper, we consider the problem of identifying a stepping-stone connection pair at an intermediate host. We formulate the problem as one of nonparametric hypotheses testing. Our attacker model allows the attacker to encrypt the traffic and modify the timing. We propose two algorithms which do not depend on the content of the traffic. Our techniques only make generic assumptions such as delay or memory constraints, and therefore they are applicable in most practical systems. We show that our algorithms can detect all the stepping-stone connections while falsely accusing normal traffic with exponentially-decaying probabilities.

Citation formats  
  • HTML
    Ting He and Lang Tong. <a
    href="http://www.truststc.org/pubs/67.html" >A
    Signal Processing Prospective to Stepping-stone
    Detection</a>, Proc. Conference on Information
    Sciences and Systems 2006 (CISS'06), March, 2006.
  • Plain text
    Ting He and Lang Tong. "A Signal Processing Prospective
    to Stepping-stone Detection". Proc. Conference on
    Information Sciences and Systems 2006 (CISS'06), March, 2006.
  • BibTeX
    @inproceedings{HeTong06_SignalProcessingProspectiveToSteppingstoneDetection,
        author = {Ting He and Lang Tong},
        title = {A Signal Processing Prospective to Stepping-stone
                  Detection},
        booktitle = {Proc. Conference on Information Sciences and
                  Systems 2006 (CISS'06)},
        month = {March},
        year = {2006},
        abstract = {Malicious use of anonymity techniques makes
                  network attackers difficult to track. The problem
                  is even worse in stepping-stone attacks, where
                  multiple anonymous connections are linked to form
                  an intrusion path. The tracking of a stepping-stone
                  attacker requires the detection of all the
                  connection pairs on the intrusion path. In this
                  paper, we consider the problem of identifying a
                  stepping-stone connection pair at an intermediate
                  host. We formulate the problem as one of
                  nonparametric hypotheses testing. Our attacker
                  model allows the attacker to encrypt the traffic
                  and modify the timing. We propose two algorithms
                  which do not depend on the content of the traffic.
                  Our techniques only make generic assumptions such
                  as delay or memory constraints, and therefore they
                  are applicable in most practical systems. We show
                  that our algorithms can detect all the
                  stepping-stone connections while falsely accusing
                  normal traffic with exponentially-decaying
                  probabilities.},
        URL = {http://www.truststc.org/pubs/67.html}
    }
    

Posted by Lang Tong on 20 Apr 2006.