A Signal Processing Prospective to Stepping-stone Detection

A Signal Processing Prospective to Stepping-stone Detection
Ting He and Lang Tong

Citation
Ting He and Lang Tong. "A Signal Processing Prospective to Stepping-stone Detection". Proc. Conference on Information Sciences and Systems 2006 (CISS'06), March, 2006.

Abstract
Malicious use of anonymity techniques makes network attackers difficult to track. The problem is even worse in stepping-stone attacks, where multiple anonymous connections are linked to form an intrusion path. The tracking of a steppingstone attacker requires the detection of all the connection pairs on the intrusion path. In this paper, we consider the problem of identifying a stepping-stone connection pair at an intermediate host. We formulate the problem as one of nonparametric hypotheses testing. Our attacker model allows the attacker to encrypt the traffic and modify the timing. We propose two algorithms which do not depend on the content of the traffic. Our techniques only make generic assumptions such as delay or memory constraints, and therefore they are applicable in most practical systems. We show that our algorithms can detect all the stepping-stone connections while falsely accusing normal traffic with exponentially-decaying probabilities.

Electronic downloads

HeTong06CISS.pdf · application/pdf · 119 kbytes

Citation formats

HTML

Ting He and Lang Tong. <a
href="http://www.truststc.org/pubs/67.html" >A
Signal Processing Prospective to Stepping-stone
Detection</a>, Proc. Conference on Information
Sciences and Systems 2006 (CISS'06), March, 2006.

Plain text

Ting He and Lang Tong. "A Signal Processing Prospective
to Stepping-stone Detection". Proc. Conference on
Information Sciences and Systems 2006 (CISS'06), March, 2006.

BibTeX

@inproceedings{HeTong06_SignalProcessingProspectiveToSteppingstoneDetection,
    author = {Ting He and Lang Tong},
    title = {A Signal Processing Prospective to Stepping-stone
              Detection},
    booktitle = {Proc. Conference on Information Sciences and
              Systems 2006 (CISS'06)},
    month = {March},
    year = {2006},
    abstract = {Malicious use of anonymity techniques makes
              network attackers difficult to track. The problem
              is even worse in stepping-stone attacks, where
              multiple anonymous connections are linked to form
              an intrusion path. The tracking of a steppingstone
              attacker requires the detection of all the
              connection pairs on the intrusion path. In this
              paper, we consider the problem of identifying a
              stepping-stone connection pair at an intermediate
              host. We formulate the problem as one of
              nonparametric hypotheses testing. Our attacker
              model allows the attacker to encrypt the traffic
              and modify the timing. We propose two algorithms
              which do not depend on the content of the traffic.
              Our techniques only make generic assumptions such
              as delay or memory constraints, and therefore they
              are applicable in most practical systems. We show
              that our algorithms can detect all the
              stepping-stone connections while falsely accusing
              normal traffic with exponentially-decaying
              probabilities.},
    URL = {http://www.truststc.org/pubs/67.html}
}

Posted by Lang Tong on 20 Apr 2006.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.