Recent Advances in Intrusion Detection

Volume 3224 of the series Lecture Notes in Computer Science pp 258-277

Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds

  • Avrim BlumAffiliated withCarnegie Mellon University
  • , Dawn SongAffiliated withCarnegie Mellon University
  • , Shobha VenkataramanAffiliated withCarnegie Mellon University

* Final gross prices may vary according to local VAT.

Get Access


Intruders on the Internet often prefer to launch network intrusions indirectly, i.e., using a chain of hosts on the Internet as relay machines using protocols such as Telnet or SSH. This type of attack is called a stepping-stone attack. In this paper, we propose and analyze algorithms for stepping-stone detection using ideas from Computational Learning Theory and the analysis of random walks. Our results are the first to achieve provable (polynomial) upper bounds on the number of packets needed to confidently detect and identify encrypted stepping-stone streams with proven guarantees on the probability of falsely accusing non-attacking pairs. Moreover, our methods and analysis rely on mild assumptions, especially in comparison to previous work. We also examine the consequences when the attacker inserts chaff into the stepping-stone traffic, and give bounds on the amount of chaff that an attacker would have to send to evade detection. Our results are based on a new approach which can detect correlation of streams at a fine-grained level. Our approach may also apply to more generalized traffic analysis domains, such as anonymous communication.


Network intrusion detection Evasion Stepping stones Interactive sessions Random walks