Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2002)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2516))

Abstract

Computer attackers frequently relay their attacks through a compromised host at an innocent site, thereby obscuring the true origin of the attack. There is a growing literature on ways to detect that an interactive connection into a site and another outbound from the site give evidence of such a “stepping stone.” This has been done based on monitoring the access link connecting the site to the Internet (e.g., [7, 11, 8]). The earliest work was based on connection content comparisons, but more recent work has relied on timing information in order to compare encrypted connections.

Past work on this problem has not yet attempted to cope with the ways in which intruders might attempt to modify their traffic to defeat stepping stone detection. In this paper we give the first consideration to constraining such intruder evasion. We present some unexpected results that show there are theoretical limits on the ability of attackers to disguise their traffic in this way for sufficiently long connections.

We consider evasions that consist of local jittering of packet arrival times (without addition and subtraction of packets), and also the addition of superfluous packets which will be removed later in the connection chain (chaff).

To counter such evasion, we assume that the intruder has a “maximum delay tolerance.” By using wavelets and similar multiscale methods, we show that we can separate the short-term behavior of the streams — where the jittering or chaff indeed masks the correlation — from the long-term behavior of the streams — where the correlation remains.

It therefore appears, at least in principle, that there is an effective countermeasure to this particular evasion tactic, at least for sufficiently long-lived interactive connections.
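The multiscale separation described in the abstract can be illustrated with a small simulation. This is an added example, not the authors' algorithm or code. It assumes constructed packet streams with exponential gaps, a 2-second maximum tolerable delay applied as uniform random jitter, and Haar wavelet detail coefficients computed on 0.25-second packet counts; all names and parameters are hypothetical.

```python
import random

MAX_DELAY = 2.0    # assumed maximum tolerable delay of the intruder, seconds
BIN = 0.25         # finest time resolution of the packet counts, seconds
DURATION = 8192.0  # a long-lived interactive connection, seconds

def interactive_stream(rng, rate=1.0):
    """Constructed packet timestamps with exponential inter-arrival gaps."""
    t, times = rng.expovariate(rate), []
    while t < DURATION:
        times.append(t)
        t += rng.expovariate(rate)
    return times

def jitter(times, rng):
    # Local jittering only: every packet is delayed by at most MAX_DELAY.
    return sorted(t + rng.uniform(0.0, MAX_DELAY) for t in times)

def counts(times):
    c = [0] * int(DURATION / BIN)
    for t in times:
        if t < DURATION:  # packets jittered past the capture window are dropped
            c[int(t / BIN)] += 1
    return c

def haar_details(series):
    """Map each scale (half-width in seconds) to its Haar detail coefficients."""
    out, width = {}, BIN
    while len(series) >= 256:  # keep at least 128 coefficients per scale
        pairs = range(0, len(series), 2)
        out[width] = [series[i] - series[i + 1] for i in pairs]
        series = [series[i] + series[i + 1] for i in pairs]
        width *= 2
    return out

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    dx, dy = [a - mx for a in x], [b - my for b in y]
    dot = lambda u, v: sum(p * q for p, q in zip(u, v))
    return dot(dx, dy) / (dot(dx, dx) * dot(dy, dy)) ** 0.5

def scale_correlations(a, b):
    da, db = haar_details(counts(a)), haar_details(counts(b))
    return {w: pearson(da[w], db[w]) for w in da}

def demo(seed=7):
    rng = random.Random(seed)
    inbound = interactive_stream(rng)
    relayed = jitter(inbound, rng)       # same traffic, jittered within MAX_DELAY
    unrelated = interactive_stream(rng)  # independent connection for comparison
    return scale_correlations(inbound, relayed), scale_correlations(inbound, unrelated)
```

`demo()` returns two dictionaries keyed by scale in seconds: for the relayed pair the correlation is near zero at scales below the delay bound and approaches one at scales well above it, while the unrelated pair stays uncorrelated at every scale.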


References

  1. Aldous, D.L.: Probability Approximations Via the Poisson Clumping Heuristic. Springer-Verlag, New York. January 1989

  2. Lindgren, G., Leadbetter, M.R., and Rootzen, H.: Extremes and related properties of stationary sequences and processes. Springer, New York (1983). Russian translation; Nauka: Moscow (1988).

  3. Shimomura, T. and Markoff, J.: Takedown. The pursuit and capture of Kevin Mitnick, America’s most wanted computer outlaw-by the man who did it. Hyperion. December 1995.

  4. Mallat, S.: A Wavelet Tour of Signal Processing. Academic Press. Second Edition, 2000.

  5. Meyer, Y.: Wavelets: Algorithms and Applications. SIAM. May 1993

  6. Stoll, C.: The Cuckoo’s Egg: Tracking a Spy through the Maze of Computer Espionage. Pocket Books. October 2000

  7. Staniford-Chen, S. and Heberlein, L.: Holding Intruders Accountable on the Internet. Proceedings of the 1995 IEEE Symposium on Security and Privacy, Oakland, CA (1995)

  8. Zhang, Y. and Paxson, V.: Detecting stepping stones. Proceedings of the 9th USENIX Security Symposium, Denver, Colorado, August 2000. http://www.aciri.org/vern/papers/stepping-sec00.ps.gz

  9. Paxson, V. and Floyd, S.: Wide-Area Traffic: The Failure of Poisson Modeling. IEEE/ACM Transactions on Networking, Vol. 3(3), June 1995, 226–244

  10. Wavelab Toolbox for Wavelet Analysis. Requires Matlab. http://www-stat.stanford.edu/~wavelab

  11. Yoda, K. and Etoh, H.: Finding a Connection Chain for Tracing Intruders, In: Cuppens, F., Deswarte, Y., Gollmann, D. and Waidner, M. (eds): 6th European Symposium on Research in Computer Security-ESORICS 2000 LNCS-1985, Toulouse, France, Oct 2000

Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Donoho, D.L., Flesia, A.G., Shankar, U., Paxson, V., Coit, J., Staniford, S. (2002). Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_2

  • DOI: https://doi.org/10.1007/3-540-36084-0_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00020-4

  • Online ISBN: 978-3-540-36084-1

  • eBook Packages: Springer Book Archive
