Constructing Correlations in Attack Connection Chains Using Active Perturbation

  • Qiang Li
  • Yan Lin
  • Kun Liu
  • Jiubin Ju
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3521)


Usually network attackers conceal their real attacking paths by establishing interactive connections along a series of intermediate hosts (stepping stones) before they attack the final target. We propose two methods for detecting stepping stones by actively perturbing inter-packet delay of connections. Within the attacker’s perturbation range, the average value of the packets in the detecting window is set to increase periodically. The methods can construct correlations in attacking connection chains by analyzing the change of the average value of the inter-packet delay between the two connection chains. The methods can reduce the complexity of correlation computations and improve the efficiency of detecting stepping stones.


Traceback Connection Chain Active Delay 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Lee, S.C., Shields, C.: Tracing the Source of Network Attack: A Technical, Legal and Societal Problem. In: Proceedings of the 2001 IEEE Workshop on Information Assurance and Security (June 2001)Google Scholar
  2. 2.
    Zhang, Y., Paxson, V.: Detecting Stepping Stones. In: Proceedings of 9th USENIX Security Symposium (August 2000)Google Scholar
  3. 3.
    Donoho, D., Flesia, A.G., Shanka, U., Paxson, V., Coit, J., Staniford, S.: Multiscale Stepping Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, p. 17. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    NLANR Trace Archive,
  5. 5.
    Wang, X., Reeves, D., Wu, S.F., Yuill, J.: Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework. In: Proceedings of IFIP Conference on Security (March 2001)Google Scholar
  6. 6.
    Kwong, H.Y.: Detecting Long Connection Chains of Interactive Terminal Sessions. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, p. 1. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Staniford-Chen, S., Heberlein, L.T.: Holding Intruders Accountable on the Internet. In: Proceedings of IEEE Symposium on Security and Privacy (1995)Google Scholar
  8. 8.
    Yoda, K., Etoh, H.: Finding a Connection Chain for Tracing Intruders. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  9. 9.
    Wang, X., Reeves, D., Wu, S.F.: Inter-packet delay based correlation for tracing encrypted connections through stepping stones. In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, p. 244. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Active Network Intrusion Detection and Response project (2001),
  11. 11.
    Wang, X., Reeves, D.S.: Robust Correlation of Encrypted Attack Traffic Through Stepping Stones by Manipulation of Interpacket Delays. In: Proc. of ACM Conference on Computer and Communications Security CCS 2003 (October 2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Qiang Li
    • 1
  • Yan Lin
    • 1
  • Kun Liu
    • 1
  • Jiubin Ju
    • 1
  1. 1.JiLin UniversityChangChunChina

Personalised recommendations