Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay
- David L. Donoho (Department of Statistics, Stanford University)
- Ana Georgina Flesia (Department of Statistics, Stanford University)
- Umesh Shankar (Department of Computer Science, University of California at Berkeley)
- Vern Paxson (International Computer Science Institute)
- Jason Coit (Karlsruhe University; Silicon Defense)
- Stuart Staniford (Karlsruhe University; Silicon Defense)
Computer attackers frequently relay their attacks through a compromised host at an innocent site, thereby obscuring the true origin of the attack. There is a growing literature on ways to detect that an interactive connection into a site and another outbound from the site give evidence of such a “stepping stone.” This has been done based on monitoring the access link connecting the site to the Internet (e.g., [7, 11, 8]). The earliest work was based on connection content comparisons, but more recent work has relied on timing information in order to compare encrypted connections.
Past work on this problem has not yet attempted to cope with the ways in which intruders might attempt to modify their traffic to defeat stepping stone detection. In this paper we give the first consideration to constraining such intruder evasion. We present some unexpected results that show there are theoretical limits on the ability of attackers to disguise their traffic in this way for sufficiently long connections.
We consider evasions that consist of local jittering of packet arrival times (without addition and subtraction of packets), and also the addition of superfluous packets which will be removed later in the connection chain (chaff).
To counter such evasion, we assume that the intruder has a “maximum delay tolerance.” By using wavelets and similar multiscale methods, we show that we can separate the short-term behavior of the streams — where the jittering or chaff indeed masks the correlation — from the long-term behavior of the streams — where the correlation remains.
It therefore appears, at least in principle, that there is an effective countermeasure to this particular evasion tactic, at least for sufficiently long-lived interactive connections.
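The short-term versus long-term separation described above can be seen in a small simulation. This is an added illustration, not the paper's detector: it uses plain bin counts over a ladder of time scales in place of a wavelet transform, and the Pareto gap model, the 2-second delay bound and all function names are assumptions.

```python
import random

def interactive_stream(n, rng):
    """Constructed sample: n packet times (s) with heavy-tailed gaps."""
    t, out = 0.0, []
    for _ in range(n):
        t += 0.1 * rng.paretovariate(1.5)
        out.append(t)
    return out

def jitter(times, max_delay, rng):
    """Delay every packet by at most max_delay seconds; none added or dropped."""
    return sorted(t + rng.uniform(0.0, max_delay) for t in times)

def bin_counts(times, width, nbins):
    """Packets per bin of the given width (the stream's coarse view at that scale)."""
    counts = [0] * nbins
    for t in times:
        k = int(t / width)
        if k < nbins:
            counts[k] += 1
    return counts

def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0

def correlation_by_scale(a, b, scales):
    """Correlation of the two streams' bin counts at each time scale (seconds)."""
    horizon = min(a[-1], b[-1])
    out = {}
    for w in scales:
        nbins = int(horizon / w)
        out[w] = pearson(bin_counts(a, w, nbins), bin_counts(b, w, nbins))
    return out

def demo(seed=1, max_delay=2.0, scales=(0.25, 1.0, 4.0, 16.0, 64.0)):
    rng = random.Random(seed)
    inbound = interactive_stream(20000, rng)
    relayed = jitter(inbound, max_delay, rng)    # same session, jittered
    unrelated = interactive_stream(20000, rng)   # independent session
    return (correlation_by_scale(inbound, relayed, scales),
            correlation_by_scale(inbound, unrelated, scales))

if __name__ == "__main__":
    pair, other = demo()
    for w in pair:
        print(f"scale {w:6.2f}s  relayed {pair[w]:+.3f}  unrelated {other[w]:+.3f}")
```

At scales well below the delay bound the jitter scrambles the bin counts, while at scales well above it only packets near bin boundaries can move, so the relayed pair's correlation climbs toward 1 as the scale grows.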
Keywords: Network intrusion detection; Evasion; Stepping Stone; Interactive Session; Multiscale Methods; Wavelets; Universal Keystroke Interarrival Distribution
- Book Title: Recent Advances in Intrusion Detection
- Book Subtitle: 5th International Symposium, RAID 2002 Zurich, Switzerland, October 16–18, 2002 Proceedings
- Pages: pp 17-35
- Series Title: Lecture Notes in Computer Science
- Springer Berlin Heidelberg
- Copyright Holder: Springer-Verlag Berlin Heidelberg
- Editor Affiliations
- 4. IBM Zurich Research Laboratory
- 5. Department of Computer Science, University of California at Santa Barbara
- 6. Centro Serra, University of Pisa
- Author Affiliations
- 7. Department of Statistics, Stanford University, Sequoia Hall, 390 Serra Mall, Stanford, CA, 94305-4065, USA
- 8. Department of Computer Science, University of California at Berkeley, 567 Soda Hall, Berkeley, CA, 94704
- 9. International Computer Science Institute, 1947 Center St. suite 600, Berkeley, CA, 94704-1198
- 10. Silicon Defense, 203 F Street, Suite E, Davis, CA, 95616, USA