通过识别SSH连接中的交叉报文检测踏脚石入侵者

2016 IEEE 30th International Conference on Advanced Information Networking and Applications (AINA) Pub Date : 2016-03-23 DOI:10.1109/AINA.2016.132

S. S. Huang, Hongyang Zhang, Michael Phay

{"title":"通过识别SSH连接中的交叉报文检测踏脚石入侵者","authors":"S. S. Huang, Hongyang Zhang, Michael Phay","doi":"10.1109/AINA.2016.132","DOIUrl":null,"url":null,"abstract":"Routing packet traffic through a chain of hosts is a common technique for hackers to attack a victim server without exposing themselves. Generally, the use of a long connection chain to log in to a computer system is an indication of the presence of an intruder. This paper presents a new solution to the problem of detecting such long connection chains at the server side. Our hypothesis is that a long connection chain will cause Request and Response packets to cross each other along the chain. So even though we cannot directly observe the packet crossovers from the server side, we can observe some of their side effects. Thus, our detection algorithm is based on detecting this side effect of packet crossovers. We validated the algorithm using test data generated on the Internet. The results show a high detection rate of long connection chains of length three hops with a reasonable false positive rate.","PeriodicalId":438655,"journal":{"name":"2016 IEEE 30th International Conference on Advanced Information Networking and Applications (AINA)","volume":"14 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-03-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":"{\"title\":\"Detecting Stepping-Stone Intruders by Identifying Crossover Packets in SSH Connections\",\"authors\":\"S. S. Huang, Hongyang Zhang, Michael Phay\",\"doi\":\"10.1109/AINA.2016.132\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Routing packet traffic through a chain of hosts is a common technique for hackers to attack a victim server without exposing themselves. Generally, the use of a long connection chain to log in to a computer system is an indication of the presence of an intruder. This paper presents a new solution to the problem of detecting such long connection chains at the server side. Our hypothesis is that a long connection chain will cause Request and Response packets to cross each other along the chain. So even though we cannot directly observe the packet crossovers from the server side, we can observe some of their side effects. Thus, our detection algorithm is based on detecting this side effect of packet crossovers. We validated the algorithm using test data generated on the Internet. The results show a high detection rate of long connection chains of length three hops with a reasonable false positive rate.\",\"PeriodicalId\":438655,\"journal\":{\"name\":\"2016 IEEE 30th International Conference on Advanced Information Networking and Applications (AINA)\",\"volume\":\"14 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-03-23\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"6\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2016 IEEE 30th International Conference on Advanced Information Networking and Applications (AINA)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/AINA.2016.132\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE 30th International Conference on Advanced Information Networking and Applications (AINA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/AINA.2016.132","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 6

摘要

通过主机链路由数据包流量是黑客攻击受害者服务器而不暴露自己的常用技术。通常，使用长连接链登录到计算机系统是入侵者存在的指示。本文提出了一种在服务器端检测这种长连接链问题的新方法。我们的假设是，长连接链将导致请求和响应数据包沿着链相互交叉。因此，尽管我们不能从服务器端直接观察数据包的交换，但我们可以观察到它们的一些副作用。因此，我们的检测算法是基于检测包交叉的这种副作用。我们使用互联网上生成的测试数据验证了算法。结果表明，该方法对长度为3跳的长连接链具有较高的检测率和合理的误报率。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Detecting Stepping-Stone Intruders by Identifying Crossover Packets in SSH Connections

Routing packet traffic through a chain of hosts is a common technique for hackers to attack a victim server without exposing themselves. Generally, the use of a long connection chain to log in to a computer system is an indication of the presence of an intruder. This paper presents a new solution to the problem of detecting such long connection chains at the server side. Our hypothesis is that a long connection chain will cause Request and Response packets to cross each other along the chain. So even though we cannot directly observe the packet crossovers from the server side, we can observe some of their side effects. Thus, our detection algorithm is based on detecting this side effect of packet crossovers. We validated the algorithm using test data generated on the Internet. The results show a high detection rate of long connection chains of length three hops with a reasonable false positive rate.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2016 IEEE 30th International Conference on Advanced Information Networking and Applications (AINA)

自引率

0.00%

发文量