Mining TCP packets to detect stepping-stone intrusion (non-reviewed)

Abstract

There have been many approaches proposed to detect stepping-stone Intrusion. Besides having the problem of being vulnerable to intruder's time and chaff perturbation, those approaches have high false alarm because they predict an intrusion based on detecting stepping-stone. Being a stepping-stone does not necessarily mean an intrusion because some applications using stepping-stones are legitimate. One better way to detect stepping-stone intrusion is to estimate the length of a connection chain from a host where our monitor program resides to the victim site. This length is measured in connections. Based on our observation, we found that even though some applications (users) need to use stepping-stone, but it is highly suspicious to access a host via more than three computers. The problem of detecting stepping-stone intrusion is reduced to estimating the length of an interactive session; this length is called downstream length from the monitoring host. In this paper, we propose an algorithm to estimate the downstream length by a clustering method.