Detecting Stepping-Stone with Chaff Perturbations

Abstract

Attackers on the Internet like to indirectly launch network intrusions by using stepping-stones. In this paper, we propose a novel approach to decrease the packet bound by performing a transformation of packet difference of two streams of a host in order to distinguish stepping-stone connections. The adjustment is critical in the case of chaff perturbation by the intruder. Previous work requires the assumption that the total chaff packets be limited by a given number. We replaced the assumption by using a given chaff rate. It is found that after transformation, the bound range is much smaller for attacking connection, resulting in smaller probability of false negative detection.