Title: Detecting Stepping-Stone Intruders by Identifying Crossover Packets in SSH Connections
Authors: S. S. Huang, Hongyang Zhang, Michael Phay
Venue: 2016 IEEE 30th International Conference on Advanced Information Networking and Applications (AINA)
Publication date: 2016-03-23
DOI: 10.1109/AINA.2016.132 (https://doi.org/10.1109/AINA.2016.132)
Citations: 6
Abstract
Routing packet traffic through a chain of hosts is a common technique for hackers to attack a victim server without exposing themselves. Generally, the use of a long connection chain to log in to a computer system is an indication of the presence of an intruder. This paper presents a new solution to the problem of detecting such long connection chains at the server side. Our hypothesis is that a long connection chain will cause Request and Response packets to cross each other along the chain. So even though we cannot directly observe the packet crossovers from the server side, we can observe some of their side effects. Thus, our detection algorithm is based on detecting this side effect of packet crossovers. We validated the algorithm using test data generated on the Internet. The results show a high detection rate of long connection chains of length three hops with a reasonable false positive rate.