Mining TCP packets to detect stepping-stone intrusion (non-reviewed)
Authors: Long Ni, Jianhua Yang, D. Y. Song
Venue: IEEE SoutheastCon 2008, published 2008-04-03
DOI: 10.1109/SECON.2008.4494298 (https://doi.org/10.1109/SECON.2008.4494298)
Many approaches have been proposed to detect stepping-stone intrusion. Besides being vulnerable to an intruder's timing and chaff perturbation, those approaches have a high false-alarm rate because they infer an intrusion from the mere detection of a stepping-stone. Being a stepping-stone does not necessarily mean an intrusion, because some applications that use stepping-stones are legitimate. A better way to detect stepping-stone intrusion is to estimate the length of the connection chain from the host where our monitor program resides to the victim site; this length is measured in connections. Based on our observation, even though some applications (users) legitimately need to use stepping-stones, accessing a host through more than three computers is highly suspicious. The problem of detecting stepping-stone intrusion is thus reduced to estimating the length of an interactive session; this length is called the downstream length from the monitoring host. In this paper, we propose an algorithm that estimates the downstream length by a clustering method.