Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds

  • Avrim Blum
  • Dawn Song
  • Shobha Venkataraman
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3224)


Intruders on the Internet often prefer to launch network intrusions indirectly, i.e., using a chain of hosts on the Internet as relay machines using protocols such as Telnet or SSH. This type of attack is called a stepping-stone attack. In this paper, we propose and analyze algorithms for stepping-stone detection using ideas from Computational Learning Theory and the analysis of random walks. Our results are the first to achieve provable (polynomial) upper bounds on the number of packets needed to confidently detect and identify encrypted stepping-stone streams with proven guarantees on the probability of falsely accusing non-attacking pairs. Moreover, our methods and analysis rely on mild assumptions, especially in comparison to previous work. We also examine the consequences when the attacker inserts chaff into the stepping-stone traffic, and give bounds on the amount of chaff that an attacker would have to send to evade detection. Our results are based on a new approach which can detect correlation of streams at a fine-grained level. Our approach may also apply to more generalized traffic analysis domains, such as anonymous communication.


Network intrusion detection Evasion Stepping stones Interactive sessions Random walks 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Staniford-Chen, S., Heberlein, L.T.: Holding intruders accountable on the internet. In: Proceedings of the 1995 IEEE Symposium on Security and Privacy, Oakland, CA, pp. 39–49 (1995)Google Scholar
  2. 2.
    Zhang, Y., Paxson, V.: Detecting stepping stones. In: Proceedings of the 9th USENIX Security Symposium, August 2000, pp. 171–184 (2000)Google Scholar
  3. 3.
    Yoda, K., Etoh, H.: Finding a connection chain for tracing intruders. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Donoho, D., Flesia, A.G., Shankar, U., Paxson, V., Coit, J., Staniford, S.: Multiscale stepping-stone detection: Detecting pairs of jittered interactive streams by exploiting maximum tolerable delay. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, p. 17. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. 5.
    Wang, X., Reeves, D.: Robust correlation of encrypted attack traffic through stepping stones by manipulation of inter-packet delays. In: Proceedings of the 2003 ACM Conference on Computer and Communications Security (CCS 2003), pp. 20–29. ACM Press, New York (2003)CrossRefGoogle Scholar
  6. 6.
    Kearns, M., Vazirani, U.: An Introduction to Computational Learning Theory. MIT Press, Cambridge (1994)Google Scholar
  7. 7.
    Valiant, L.: A theory of the learnable. Communications of the ACM 27, 1134–1142 (1984)zbMATHCrossRefGoogle Scholar
  8. 8.
    Blumer, A., Ehrenfeucht, A., Haussler, D., Warmuth, M.K.: Occam’s razor. Information Processing Letters 24, 377–380 (1987)zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Stoll, C.: The Cuckoo’s Egg: Tracking a Spy through the Maze of Computer Espionage. Pocket Books (2000)Google Scholar
  10. 10.
    Wang, X., Reeves, D., Wu, S., Yuill, J.: Sleepy watermark tracing: An active network-based intrusion response framework. In: Proceedings of the 16th International Information Security Conference (IFIP/Sec 2001), pp. 369–384 (2001)Google Scholar
  11. 11.
    Wang, X., Reeves, D., Wu, S.: Inter-packet delay-based correlation for tracing encrypted connections through stepping stones. In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, pp. 244–263. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Wang, X.: The loop fallacy and serialization in tracing intrusion connections through stepping stones. In: Proceedings of the 2004 ACM Symposium on Applied Computing, Nicosia, Cyprus, pp. 404–411. ACM Press, New York (2004)CrossRefGoogle Scholar
  13. 13.
    Paxson, V., Floyd, S.: Wide-area traffic: The failure of poisson modeling. IEEE/ACM Transactions on Networking 3, 226–244 (1995)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Avrim Blum
    • 1
  • Dawn Song
    • 1
  • Shobha Venkataraman
    • 1
  1. 1.Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations