Detecting Stepping Stones in Internet Environments
by
Ping Li B.Eng. (University of Electronic Science and Technology of China)
M.Eng. (University of Electronic Science and Technology of China)
Submitted in Fulfillment of the requirements for the degree of
Doctor of Philosophy
Deakin University
February, 2011
Acknowledgements
I would like to express my sincere gratitude and profound thanks to my supervisor
Professor Wanlei Zhou for his supportive supervision, helpful criticism, valuable
suggestions and endless patience. Without his inspiring enthusiasm and
encouragement, this work could not have been completed. He generously provided me
his time, effort, and insightful advice at all times, and guided me into the door leading
to a successful researcher.
I would like to thank many staff members in School of Information Technology,
Deakin University. They are Professor Lynn Batten, Professor Andrez Goscinski, Dr.
Robin Doss, Dr. Yang Xiang, Dr. Shang Gao, Dr. Gang Li, Dr. Ming Li, Dr. Shui Yu,
Mr. Jun Zhang and Dr. Shuyuan Jin etc. And I am also grateful to Ms. Georgina Cahill,
Mr. Nghia Dang and other staff in the school for their valuable help.
I would also like to thank my friends and colleagues for their wonderful help to my
research and life. They are Dr. Ke Li, Dr. Ashley Chonka, Dr. Leanne Ngo, Dr.
Yiqing Tu, Dr. Faye Ferial Khaddage, Miss Yini Wang, Mr. Theerasak Thapngam, Mr.
Alessio Bonti, Mr. Longxiang Gao, Mr. Yongli Ren, Ms. Wei Zhou, Mr. Sheng Wen,
Ms. Yanli Yu, Mr. Min Gan, Miss Jia Rong and so on.
I cannot end without thanking my family, which includes my lovely parents, my dad
Zhongxin Li and my mum Xianglian Wang, for their continued support. Also a special
thanks to the love of my life, Yu Deng, for his encouragement, care and love, and to my
angels, Keyue and Kezhuo, for their patience and understanding.
Publications
During my PhD candidature, the following research papers were published or
accepted in fully refereed international conference proceedings and journals.
• Yu, Y., Li, K., Zhou, W. and Li, P., Trust Mechanisms in Wireless Sensor
Networks: Attack Analysis and Countermeasures, Journal of Networking and
Computer Applications. Accepted: 12/12/2010 (ERA Rank A, Impact
Factor=1.111).
• Li, P., Zhou, W. and Wang, Y. (2010) Getting the Real-Time Precise Round-Trip
Time for Stepping Stone Detection, NSS 2010 Proceedings of the 3rd IEEE
International Conference on Network & System Security, IEEE Computer Society
Press, United States, pp. 377-382.
• Li, P., Zhou, W. and Yu, Y. (2010) A Quick-Response Real-Time Stepping Stone
Detection Scheme, HPCC 2010 Proceedings of the 12th IEEE International
Conference on High Performance Computing and Communications, IEEE
Computer Society Press, United States, pp. 677-682.
• Li, K., Zhou, W., Li, P., Hai, J. and Liu, J. (2009) Distinguishing DDoS Attacks
from Flash Crowds Using Probability Metrics, NSS 2009 Proceedings of the 3rd
IEEE International Conference on Network & System Security, IEEE Computer
Society Press, United States, pp. 9-17.
• Li, K., Zhou, W. and Li, P. (2009) Reliable Downloading Algorithms for
BitTorrent-like Systems, NPC 2009 Proceedings of the 6th IFIP International
Conference on Network and Parallel Computing, IEEE Computer Society Press,
United States, pp. 167-173.
• Li, P., Zhou, W. and Li, K. (2008) An Operational Approach to Validate the Path
of BGP, Lecture Notes in Computer Science. Volume 5022/2008, pp. 133-143,
Springer Berlin / Heidelberg.
• Li, K., Zhou, W., Yu, S. and Li, P. (2007) Novel Data Management Algorithms in
Peer-to-Peer Content Distribution Networks, Lecture Notes in Computer Science,
Volume 4798/2007, pp. 538-543, Springer, Germany.
ABSTRACT
Although many countermeasures and much legislation have been developed against Internet attacks, the number of attacks is still on the rise, causing devastating consequences such as disruption of critical infrastructure, significant financial loss and danger to public life. One critical question that researchers and law enforcement agencies still cannot answer easily is where the real source(s) of Internet attacks are. Attackers can easily hide their identities and evade punishment by relaying their attacks through a series of compromised systems or devices, which are called stepping stones. Attackers also make detection more difficult by using evasive techniques such as introducing dummy packets into the stream and introducing delay into the timing of the packet stream. The goal of this thesis is to develop an effective and efficient scheme, along with a number of related algorithms, to detect stepping stones in real Internet environments, even when evasion techniques are used by attackers.
This thesis is organized as follows. Chapter 1 presents an introduction to stepping stone attacks and the important issues related to stepping stone detection. Chapter 2 provides a brief but in-depth introduction to the major characteristics of stepping stone attacks and a detailed survey of the related work on detecting stepping stones. Chapters 3 to 6 present our major contributions to detecting stepping stones. In Chapter 3, we propose a real-time Round Trip Time (RTT) getting algorithm for stepping stones, which can be employed by RTT based stepping stone detection approaches to detect stepping stones, or by other stepping stone detection approaches to select the values of important parameters. A simple but effective stepping stone detection scheme which can be employed on the Internet is proposed in Chapter 4. Two stepping stone detection algorithms that are highly resistant to evasion techniques are proposed in Chapter 5. In Chapter 6, we present a quantitative and comparative study of network-based passive stepping stone detection proposals based on a series of experiments. Finally, Chapter 7 summarizes the contributions of this thesis and discusses future work.
Table of Contents
Acknowledgements ............................................................................. IV
Publications ........................................................................................... V
ABSTRACT ....................................................................................... VII
Table of Contents ............................................................................. VIII
List of Figures .................................................................................... XII
List of Tables ...................................................................................... XV
Chapter 1 Introduction .......................................................................... 1
1.1 Motivation and Rationale ............................................................................ 1
1.2 Contributions of This Thesis ....................................................................... 4
1.3 Approaches of This Thesis .......................................................................... 6
1.4 Organization of This Thesis ........................................................................ 8
Chapter 2 Background ........................................................................ 10
2.1 Attacks Using Stepping Stone ................................................................... 10
2.2 Stepping Stone Detection .......................................................................... 13
2.2.1 Introduction to Stepping Stone Detection Systems ............................ 13
2.2.2 Evading Detection ............................................................................. 15
2.3 Network-Based Passive Stepping Stone Detection Systems ...................... 16
2.3.1 Content Correlation ........................................................................... 16
2.3.2 Count Correlation .............................................................................. 17
2.3.3 Timing Correlation ............................................................................ 20
2.3.4 RTT Correlation ................................................................................ 27
2.3.5 Others ............................................................................................... 28
2.4 Summary .................................................................................................. 29
Chapter 3 Getting the Real-Time Round-Trip Time for Stepping Stone Detection ........ 30
3.1 Introduction .............................................................................................. 31
3.2 Motivation ................................................................................................ 33
3.3 Estimation-Based Algorithm (EBA) .......................................................... 37
3.3.1 The Estimating Module ..................................................................... 38
3.3.2 The Matching Module ....................................................................... 41
3.4 Evaluation ................................................................................................ 44
3.4.1 Matching Rate ................................................................................... 44
3.4.2 Accurate Rate.................................................................................... 46
3.5 Application ............................................................................................... 49
3.6 Summary .................................................................................................. 54
Chapter 4 Detecting Stepping Stones in Real Internet Environments ........................... 56
4.1 Introduction .............................................................................................. 56
4.2 Definitions and Property for Packet Delay ................................................ 58
4.2.1 Related Definitions ........................................................................... 58
4.2.2 Property of Packet Delay ................................................................... 60
4.3 Algorithm and Analysis ............................................................................ 64
4.3.1 PDBC Algorithm .............................................................................. 64
4.3.2 Analysis ............................................................................................ 65
4.4 Experiments .............................................................................................. 69
4.4.1 Data Source and Testing Method ....................................................... 69
4.4.2 Experimental Results ........................................................................ 72
4.5 Summary .................................................................................................. 79
Chapter 5 Detecting Chaffed and Jittered Stepping Stone
Connections ..................................................................................... 81
5.1 Introduction .............................................................................................. 82
5.2 Related Works .......................................................................................... 83
5.3 Probability Analysis .................................................................................. 84
5.3.1 Related Definitions ........................................................................... 85
5.3.2 Modelling Connection Streams ......................................................... 87
5.3.3 Probability Bound under Poisson Model with Varying Rate .............. 88
5.3.4 Probability Bound under Poisson Model with a Fixed Rate ............... 91
5.4 Algorithm and Analysis ............................................................................ 93
5.4.1 Abnormal Probability Detection Algorithm ....................................... 94
5.4.2 Speedy Abnormal Probability Detection Algorithm ........................... 98
5.4.3 Analysis and Improvement ................................................................ 98
5.5 Experiment and Results .......................................................................... 101
5.5.1 Experiment Design .......................................................................... 101
5.5.2 Experiment Results ......................................................................... 103
5.6 Summary ................................................................................................ 116
Chapter 6 Experimental Analysis for Stepping Stone Detection
Approaches .................................................................................... 117
6.1 Introduction ............................................................................................ 118
6.2 Design of Experiments ............................................................................ 119
6.2.1 The Implementation of Stepping Stone Detection Approaches ........ 119
6.2.2 Private Dataset ................................................................................ 124
6.2.3 Public Dataset ................................................................................. 126
6.3 Evaluation Results .................................................................................. 130
6.3.1 The Approaches having Maximum Delay Assumption .................... 130
6.3.2 Other Approaches ........................................................................... 135
6.3.3 Experimental Results Summary....................................................... 140
6.4 Summary ................................................................................................ 141
Chapter 7 Conclusions and Future Work ........................................ 142
7.1 Conclusions ............................................................................................ 142
7.1.1 Major Contributions ........................................................................ 142
7.1.2 Significance of this Thesis............................................................... 145
7.2 Future Work ........................................................................................... 146
Bibliography ....................................................................................... 149
List of Figures
Figure 1.1. DDOS attack using stepping stones ......................................................... 2
Figure 2.1. Attacks using stepping stones ................................................................ 11
Figure 2.2. Steal secure data using stepping stones. Source [33] .............................. 12
Figure 3.1. Stepping stone chain between Attacker and Target ................................ 35
Figure 3.2. RTT distribution .................................................................................... 39
Figure 3.3. �RTT distribution.................................................................................. 40
Figure 3.4. Matching module processing ................................................................. 43
Figure 3.5. One connection with simple inputting commands by slow typing speed . 50
Figure 3.6. One connection with complex inputting commands by quick typing speed ... 51
Figure 3.7. One chain with simple inputting commands by slow typing speed ......... 52
Figure 3.8. One chain with complex inputting commands by quick typing speed ..... 53
Figure 4.1. Stepping stone packet delay ................................................................... 62
Figure 4.2. Experimental topology for data source ................................................... 69
Figure 4.3. False negative with different � .............................................................. 71
Figure 4.4. False positive with different � ............................................................... 71
Figure 4.5. False negative with different �. .............................................................. 73
Figure 4.6. False positive with different � ................................................................ 73
Figure 4.7. False negative for PDBC, sketching and IPD ......................................... 74
Figure 4.8. False positive for PDBC, sketching and IPD .......................................... 74
Figure 4.9. Accuracy for PDBC, sketching and IPD ................................................ 75
Figure 4.10. Accuracy for PDBC with different chaff rate ....................................... 77
Figure 4.11. Accuracy for sketching with different chaff rate................................... 78
Figure 4.12. Accuracy for IPD with different chaff rate ........................................... 78
Figure 5.1. The timing causality on a stepping stone chain ...................................... 85
Figure 5.2. Accuracy for APD with monitoring time rising .................................... 103
Figure 5.3. The impact of correlated connection by fixed delay for APD ............... 104
Figure 5.4. The impact to a normal connection by fixed delay for APD ................. 105
Figure 5.5. The impact to correlated connections by jitters for APD ...................... 106
Figure 5.6. The impact to normal connection by jitters for APD ............................ 107
Figure 5.7. Accuracy for SAPD with monitoring time increasing........................... 108
Figure 5.8. The impact to correlated connections by fixed jitter for SAPD ............. 109
Figure 5.9. The impact to normal connections by fixed delay for SAPD ................ 109
Figure 5.10. Comparing for APD and SAPD by fixed delay .................................. 110
Figure 5.11. Comparing for APD and SAPD by jitter ............................................ 110
Figure 5.12. Impact to correlated connections by jitter with SAPD ........................ 111
Figure 5.13. Impact to normal connections by jitter with SAPD ............................. 111
Figure 5.14. Accuracy with no jitter and chaff ....................................................... 113
Figure 5.15. Accuracy with chaff only ................................................................... 114
Figure 5.16. Accuracy with jitter only ................................................................... 115
Figure 5.17. Accuracy with chaff and jitter ............................................................ 115
Figure 6.1. True positive for DA and DMV by public dataset ................................ 128
Figure 6.2. Accuracy for DA and DMV by private dataset ..................................... 129
Figure 6.3. True positive and true negative for S-I and S-III by public dataset ....... 130
Figure 6.4. Accuracy for S-I and S-III by private dataset ....................................... 131
Figure 6.5. Accuracy for Deviation, S-II and S-III by private dataset ..................... 132
Figure 6.6. Accuracy for S-I, S-II, S-III and S-IV by private dataset with different chaff rate ... 133
Figure 6.7. Accuracy for S-I, S-II, S-III and S-IV by private dataset with different jitter ... 134
Figure 6.8. Accuracy by public dataset with 600s duration .................................... 135
Figure 6.9. True positive and true negative by public dataset with 100s duration. . 136
Figure 6.10. Accuracy by private dataset with different durations ......................... 137
Figure 6.11. Accuracy by private dataset with different chaff rate ......................... 138
Figure 6.12. Accuracy by private dataset with different jitters............................... 138
List of Tables
Table 2.1. Network based passive stepping stone detection systems ......................... 17
Table 3.1. Standard deviation comparisons for RTT and �RTT distribution............. 41
Table 3.2. Matching rate examples for EBA ............................................................ 45
Table 4.1. Practical features comparison among the encrypted traffic stepping stone detection approaches ... 59
Table 4.2. Real-time comparing processing in the PDBC algorithm ......................... 63
Table 4.3. Monitoring time expired processing in PDBC algorithm ......................... 65
Table 4.4. Parameters for PDBC, sketching and IPD ................................................ 76
Table 4.5. Execute time for PDBC, IPD and sketching ............................................ 79
Table 5.1. Real-time comparing processing in APD algorithm ................................. 95
Table 5.2. Monitoring time expired processing in APD algorithm ............................ 96
Table 5.3. Real-time comparing processing in SAPD algorithm ............................... 97
Table 5.4. Monitoring time expired processing in SAPD algorithm.......................... 99
Table 5.5. Parameters values for sketching and S-III .............................................. 112
Table 6.1. Parameters of stepping stone detection approaches ................................ 121
Table 6.2. Parameters values for stepping stone detection approaches .................... 139
Chapter 1
Introduction
In this chapter we begin by introducing the motivation and rationale of this thesis. We
then describe the major contributions of our research and the main approaches used in
our study. Finally, we describe the organization of this thesis.
1.1 Motivation and Rationale
Networks have dramatically altered aspects of our daily activities, particularly how
we communicate, learn and conduct business. Unfortunately, while enjoying the
convenience of the Internet, we also have to face network security problems.
Attackers from anywhere may attack a site at any time, causing nearly irreparable
damage. Various defense systems have been proposed to detect these attacks.
However, attackers can always evade punishment, and new attacks can be launched
again. One of the most important reasons why attackers can so easily hide their
identities and evade punishment is that they relay their attacks through a series of
compromised systems or devices, which are called stepping stones [1].
For example, the DDoS (distributed denial of service) [89] attack is notorious for
causing tremendous destruction. Popular websites such as Yahoo, Amazon, CNN and
eBay have been targeted by DDoS attacks. As shown in Figure 1.1, a DDoS attack
begins with an attacker, who may pass information through various stepping stone
hosts to reach a controller node, which in turn may control a number of zombie hosts.
The stepping stones, controllers and zombies are all compromised systems or devices.
Upon a signal, these zombies attack one or more target machines to perform the DDoS
attack. It is possible for DDoS defense systems to detect such an attack, find the
zombies and even find the controllers. However, where is the real attacker? Without
finding the real attackers hiding behind the stepping stones, it is impossible to reduce
such DDoS attacks.
[Figure 1.1: a tree from the Attacker through two layers of Stepping stones to Controllers, each controlling several Zombies]
Figure 1.1. DDOS attack using stepping stones
Only by finding stepping stones is it possible to trace the real attackers hiding
behind them. Therefore, the detection of stepping stones is one of the foundations of
reducing security problems on the Internet.
To date, a number of stepping stone detection systems have been proposed.
However, few of them can be employed in real applications. To begin with, in order to
trace back and identify the source of an attack, real-time and quick-response detection
is necessary, because without on-the-spot evidence attackers have many excuses and
techniques (such as a fake IP address) with which to deny their attacking activity. In
addition, attackers normally launch their attacks within a very short time period to
evade detection, yet most stepping stone detection systems do not take responsiveness
into consideration. Secondly, some stepping stone detection systems assume there is
no packet loss while packets are relayed by stepping stones, which is not true for
Internet traffic. Finally, to obtain accurate detection results, some stepping stone
detection systems use complex computations and consume too much storage, which is
not acceptable for real-time applications. Therefore, quick responsiveness, few
assumptions, small computation and low memory cost are still challenges in
developing a practical stepping stone detection system.
In addition, current stepping stone detection systems are generally based on the
similarity of the attack streams relayed by stepping stones. For example, the intervals
between packet arrival times are nearly identical in the attack streams relayed by a
stepping stone. However, attackers may evade stepping stone detection systems by
introducing random jitter delays before packets are relayed from stepping stones, or
by inserting chaff (chaff packets are superfluous packets that contain no valuable
information and are not relayed by the stepping stone) into the attack flow at stepping
stones. These evasion techniques can completely break most of the similarity features
of attack streams, which may render most stepping stone detection systems useless.
Therefore, resistance to evasion techniques is another challenge in developing a
stepping stone detection system.
In this thesis, our aim is to develop stepping stone detection systems which provide
effective and efficient stepping stone detection in real Internet environments, even
when evasive techniques are used by attackers.
1.2 Contributions of This Thesis
In this thesis, we develop a Real-Time Round-Trip Time (RTT) getting algorithm
which provides accurate RTTs for stepping stone detection systems, and a simple but
effective stepping stone detection system which can be used in real Internet
environments. We also present two abnormal probability based stepping stone
detection systems that can effectively resist evasion techniques. We further present a
highly quantitative comparative experimental study on stepping stone detection
systems. The main contributions of our research in this thesis are listed as follows.
• We first study the RTTs of stepping stones, which are critical for detecting
stepping stones. RTT based stepping stone detection systems need precise RTTs
in order to detect stepping stones directly, while other stepping stone detection
systems need RTTs indirectly to calculate some important parameters. However,
the RTTs of stepping stones are different from the RTT of TCP, and it is not easy
to obtain them with a high degree of precision. We propose the Estimation Based
Algorithm (EBA), which obtains accurate RTTs in real time. The experiments
show that our algorithm is far more precise than other real-time RTT getting
algorithms. We also present a theoretical analysis from a probability standpoint,
which shows that our algorithm has a high matching rate and an accuracy rate as
high as that of a complicated non-real-time approach.
• We study the practical features of previous stepping stone detection systems.
Due to their demands on storage and computation and their excessive monitoring
time, previous stepping stone detection systems are hardly applicable in real
Internet environments. We propose a simple but effective stepping stone
detection scheme which reduces some of these demands. Our experiments show
that the proposed approach achieves more than 90% accuracy after monitoring
for 2 seconds and more than 95% accuracy after monitoring for 10 seconds, with
low computation cost in addition.
• We study the packet timing and frequency features of stepping stone attack
streams, which are the foundations commonly employed to detect stepping
stones. These features may be altered by attackers introducing jitter and chaff
into stepping stone connections. However, one timing feature cannot be
changed: a packet has to arrive at a node before it can leave that node. Based on
two Poisson process models, we formulate and derive two separate upper bounds
on the probability that normal streams present this timing feature of stepping
stone attack streams. Based on the two upper bounds, we further propose two
novel stepping stone detection systems which require no parameters, yet can
detect stepping stones accurately even in the presence of large jitter and a high
chaff rate. We compare the two proposed stepping stone detection systems with
some previous ones. The experiments show that the two proposed systems are
more resistant to chaff and jitter than the previous ones, and also maintain a high
rate of accuracy for detecting stepping stone attack streams which have no chaff
or jitter perturbations.
• Finally, we study the experimental design of stepping stone detection systems.
Two big issues remain in previous experimental designs. One is the insufficiency
of Internet environment applications; the other is the absence of a highly
quantitative comparative experimental study. Based on the implementation of 13
stepping stone detection systems, the extraction of SSH [66] data from public
traces containing millions of packets, and the capture of genuine stepping stone
connection chain data from the Internet, we test these stepping stone detection
systems in several scenarios using uniform criteria. According to the
experimental results and analysis, we present conclusions on the real-time
application of stepping stone detection systems, highlight the accuracy of
stepping stone detection systems, the impact of assumptions, and the impact of
chaff and jitter. In addition, we give suggestions for improving some previous
stepping stone detection systems.
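The contributions above contrast two kinds of timing feature: similarity of inter-packet delays, which jitter and chaff destroy, and the arrive-before-leave causality of a relayed packet, which they cannot. The simulation below is an added illustration written for this page, not the thesis's APD/SAPD algorithms or their code: it constructs an inbound Poisson stream at a stepping stone, derives a relayed outbound stream with and without jitter and chaff, and compares a naive inter-packet-delay similarity score against a causality ratio (the fraction of outbound packets preceded by an inbound packet within an assumed maximum relay delay). All rates, delays and the 0.2 s bound are constructed assumptions, not values from the thesis.

```python
import bisect
import random

# Constructed simulation parameters (assumptions for this illustration).
DURATION = 600.0        # seconds of traffic simulated
INBOUND_RATE = 2.0      # packets per second arriving at the stepping stone
PROC_DELAY = 0.02       # fixed relay delay inside the stepping stone
MAX_DELAY = 0.2         # assumed upper bound on relay delay used by the detector


def poisson_times(rate, duration, rng):
    """Packet timestamps of a Poisson process with the given rate (constructed data)."""
    times, t = [], 0.0
    while True:
        t += rng.expovariate(rate)
        if t > duration:
            return times
        times.append(t)


def relay(inbound, rng, jitter=0.0, chaff_rate=0.0):
    """Outbound stream of a stepping stone: every inbound packet leaves after the
    processing delay plus an optional random jitter; chaff packets carrying no
    payload may be mixed in at the given rate (the two evasions named in the text)."""
    outbound = [t + PROC_DELAY + rng.uniform(0.0, jitter) for t in inbound]
    if chaff_rate > 0:
        outbound += poisson_times(chaff_rate, DURATION, rng)
    return sorted(outbound)


def ipd_similarity(a, b, tol=0.01):
    """Similarity feature: fraction of inter-packet delays that agree within tol
    when the two streams are compared interval by interval."""
    ipd_a = [y - x for x, y in zip(a, a[1:])]
    ipd_b = [y - x for x, y in zip(b, b[1:])]
    n = min(len(ipd_a), len(ipd_b))
    if n == 0:
        return 0.0
    return sum(abs(x - y) <= tol for x, y in zip(ipd_a, ipd_b)) / n


def causality_ratio(inbound, outbound, max_delay=MAX_DELAY):
    """Causality feature: fraction of outbound packets preceded by an inbound
    packet at most max_delay earlier. A relayed packet must arrive before it
    leaves, so jitter below the bound cannot break this; chaff only dilutes it."""
    hits = 0
    for t in outbound:
        i = bisect.bisect_right(inbound, t)      # inbound packets with time <= t
        if i > 0 and t - inbound[i - 1] <= max_delay:
            hits += 1
    return hits / len(outbound) if outbound else 0.0


def run_demo(seed=7):
    """Score a clean relay, an evasive relay and an unrelated stream with both features."""
    rng = random.Random(seed)
    inbound = poisson_times(INBOUND_RATE, DURATION, rng)
    plain = relay(inbound, rng)                                 # no evasion
    evasive = relay(inbound, rng, jitter=0.1, chaff_rate=1.0)   # jitter + chaff
    unrelated = poisson_times(INBOUND_RATE, DURATION, rng)      # independent stream
    return {
        "ipd_plain": ipd_similarity(inbound, plain),
        "ipd_evasive": ipd_similarity(inbound, evasive),
        "ipd_unrelated": ipd_similarity(inbound, unrelated),
        "causal_plain": causality_ratio(inbound, plain),
        "causal_evasive": causality_ratio(inbound, evasive),
        "causal_unrelated": causality_ratio(inbound, unrelated),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>18}: {value:.2f}")
```

With the constructed parameters the similarity score drops from 1.0 for the clean relay to near zero once jitter and chaff are added, indistinguishable from an unrelated stream, whereas the causality ratio stays well above the roughly 1 - e^(-λ·MAX_DELAY) level an independent stream produces. The ratio still needs a threshold or a probability bound to turn into a decision, which is the gap the thesis's abnormal probability bounds address.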
1.3 Approaches of This Thesis
In this thesis, we use multiple approaches in our research, which are listed below.
• Probability theory. We use probability theory and the Chebyshev inequality [88]
to analyze the accuracy rate and matching rate of the proposed RTT getting
algorithm. We also use probability theory to analyze network traffic models and
formulate the upper bounds on the probability that normal streams present a
timing feature of stepping stone attack streams.
• Queuing Theory. We use this powerful network analysis tool to analyze the
packet delay on stepping stone attack streams and derive the proposed Packet
Delay Bidirectional Comparison scheme for stepping stone detection.
• Signal Processing. We use a first-order linear recursive filter to estimate the
RTTs of stepping stones in the proposed RTT getting algorithm.
• Private Datasets. We use the KpyM [79], OpenSSH [75] and PuTTY [78] SSH
tools to install SSH [66] client and server services on a number of hosts, build a
stepping stone topology on the Internet, and obtain the private dataset using the
Wireshark [77] traffic capturing tool. This private dataset provides an ideal
source for testing and evaluating stepping stone detection systems.
• Public Datasets. We extract SSH data from the Auckland-VIX trace datasets
provided by WITS [52] as a complementary source for testing and evaluating
stepping stone detection approaches.
• Programming Language and Platform. We implement 3 of our proposed
stepping stone detection systems and the other 10 stepping stone detection
systems in the C language. Furthermore, several scenarios are implemented for
every stepping stone detection system. The extraction and processing of the
datasets and the result statistics are implemented by programming as well. There
are more than 30,000 lines of code in total under our control. We use Cygwin
[76] as the platform for running the programs.
1.4 Organization of This Thesis
The remainder of this thesis is organized as follows.
• Chapter 2 introduces the background and related work of our research in this
thesis. At first, it provides an introduction to the basic characteristics of attacks
using stepping stones. Then, it introduces stepping stone detection systems,
the techniques to evade stepping stone detection and the classification of
stepping stone detection systems. Lastly, the chapter focuses on the previous
research related to network-based passive stepping stone detection systems.
• Chapter 3 deals with a real-time RTT getting algorithm for stepping stone
detection called the Estimation Based Algorithm (EBA). This chapter begins by
presenting the motivation for this research. Then it presents details of the two
modules that make up the EBA, the estimating module and the matching
module. Analysis of the accuracy rate and the matching rate of the EBA from
probability theory follows, and finally, this chapter demonstrates the
application of several real-time RTT getting algorithms, including the EBA, to
one of the stepping stone detection systems.
• Chapter 4 introduces a practical stepping stone detection system which is
efficient and quick-responsive for the purposes of stepping stone detection. This
chapter begins by covering some previous research on practical features
including response time, computation complexity and storage demand. After
this brief discussion of previous research, details of the Packet Delay
Bidirectional Comparison (PDBC) algorithm are introduced. This is followed
by a number of experiments and evaluations, highlighting the comparison with
previous stepping stone detection systems.
• Chapter 5 deals with stepping stone detection systems which can be highly
resistant to evasion techniques such as chaffs and jitters. This chapter first
presents some previous stepping stone detection systems related to evasion
techniques. Then it introduces two mathematical models for normal streams,
and derives the upper bounds of probability based on the two mathematical
models. With the derived upper bounds, the Abnormal Probability Detection
algorithm (APD) and the Speedy Abnormal Probability Detection algorithm
(SAPD) are introduced. Lastly, a number of experiments and evaluations
demonstrate the accuracy of the upper bounds. Comparison with certain
stepping stone detection systems is also undertaken.
• Chapter 6 presents a comparative experimental analysis of stepping stone
detection systems. Initially it deals with the implementation of stepping stone
detection systems, the obtaining of datasets and a set of experimental criteria
and scenarios. After the introduction of the experimental designs, a number of
experiments and evaluations are conducted to show the accuracy of stepping
stone detection approaches, the impact of their assumptions, and the impact of
chaffs and jitters. Finally, some important questions on the comparison of
stepping stone detection systems are answered.
• Chapter 7 summarizes the main contributions and innovations of this thesis,
and points out some possible avenues for future work.
Chapter 2
Background
This chapter introduces background and other work related to our research in this
thesis. Firstly, it provides an introduction to the basic characteristics of attacks using
stepping stones. Then, it introduces the stepping stone detection system and the
techniques employed to evade stepping stone detection. Finally, focus turns to
previous research related to network-based passive stepping stone detection systems.
2.1 Attacks Using Stepping Stone
The Internet has become increasingly critical, but at the same time Internet
attacks have increased significantly. One of the most important reasons for this is that
attackers can very easily avoid punishment by maintaining anonymity [1].
Stepping stones are one of the effective strategies adopted by network perpetrators to
maintain their anonymity during an attack.
Instead of communicating directly, an attacker uses a series of intermediate
nodes that have been previously compromised to relay his commands to a victim.
These intermediate nodes are called stepping stones [1]. By employing this technique,
attackers construct a connection chain of stepping stones, which is a sequence of
logins where a person logs into one computer using an interactive protocol such as SSH
or Telnet, then logs into another computer from there, and so on [1]. Attack commands or
programs are sent from the attacker's machine, relayed by the stepping stones, and
finally delivered to the targeted machine via the connection chain constructed by the
attacker. Consequently, as shown in Figure 2.1, if the victim detects that he is under
attack, he will only know that the attack packets are coming from the closest intermediate
node, and the real attacker will be free from punishment.
Stepping stones are often used by network perpetrators for launching Denial of
Service (DoS) attacks [89] or for hacking into systems to steal secure data. We have
already described a DoS attack scenario in Chapter 1. Now, let us consider a scenario where
an attacker seeks to penetrate a tightly secured server and retrieve top secret data from
a carefully monitored government network. The hacker first selects nodes with weak
security across geographically diverse locations as candidates for the stepping stones,
the controller, the receiver and the zombies, and then proceeds to compromise them.
[Figure 2.1: the attacker, a chain of stepping stones across several IP networks, and the victim, who asks "Who is the real attacker?"]
Figure 2.1. Attacks using stepping stones
Following this, stealing commands are sent by the hacker; they pass through
various stepping stone hosts to reach the controller node, which in turn controls a
series of zombies. When a signal from the controller is received, these zombies may
modify or exfiltrate information from the victim. Exfiltrated information may then go
to the receiver, which in turn is separated from the hacker by a series of stepping stones.
This attack scenario, described in the Mitre workshop report [57], is illustrated
in Figure 2.2. Even if forensic investigators manage to trace the attack path to the
controller, they may not get access to the system logs of the stepping stones. Thus, an
attack using stepping stones is the most favored attack mechanism for guaranteeing
anonymity to the attacker.
[Figure 2.2: the attacker reaches a controller through a chain of stepping stones; the controller drives three zombies against the victim, and exfiltrated data flows to a receiver that is separated from the attacker by another chain of stepping stones.]
Figure 2.2. Stealing secure data using stepping stones. Source [33]
2.2 Stepping Stone Detection
2.2.1 Introduction to Stepping Stone Detection Systems
Since a stepping stone is just forwarding attack traffic along the stepping stone
connection chain, the traffic of connections in the same connection chain must have
similar characteristics. Therefore, the problem of detecting stepping stones comes
down to finding correlated connections with the same characteristics.
An intuitive approach to this problem would be to compare the contents of the
incoming and outgoing packets within a network to find packets with the same content.
However, the use of encrypted communication protocols like SSH has made this
approach ineffective. Therefore, we need to use other features of the traffic, such as timing
characteristics, to detect stepping stones.
Besides this similarity, stepping stone connections may also show anomalies in some
characteristics. For example, the response time from a server on a stepping
stone connection may be longer than on a normal connection because the victim (the
server of the stepping stone connection) is located many hops away. However,
anomaly-based methods only find the abnormal connections and thereby identify the
stepping stones; they do not identify correlated connections, which means they cannot
be used for tracing attackers.
A stepping stone detection system is a system that analyses the connection traffic and
identifies which connections are stepping stone connections, or which
connection pairs are correlated connections. Correlated connections are a pair of
connections which are in the same connection chain. The connection which is closest
to the attacker in the connection chain is called the upstream connection. The
connection which is closest to the victim in the connection chain is called the
downstream connection.
Depending on the location where the analysis takes place, stepping stone
detection systems can be classified as host-based and network-based. The host-based
approach [97] [98] requires some kind of monitoring software to be installed on each
participating host. This kind of approach is limited, as the attacker can manipulate the
results of the monitoring software if he has control over the host machine. The
network-based approach requires tracing software to be installed in network routers
and switches. This ensures that the whole network comes under the purview of the
scan and the hosts do not need to participate individually.
Stepping stone detection systems can also be classified into passive methods and
active methods. Passive methods simply examine the data stream, while active
methods attempt to modify the transmitted stream. One active method explored in
certain papers is watermarking [6] [11] [17] [18] [34]. Watermarking is
a method where the packet or packet flow is modified to insert a signature, which
needs to be encoded (inserted) at one point and decoded (recovered) at another point.
An active monitor may be more powerful in detecting stepping stones, but it needs to
modify the operation of the network at many points. This means that passive methods
are relatively simple and more easily employed in practice.
2.2.2 Evading Detection
Attackers may attempt to evade detection by actively modifying connections so
that they appear uncorrelated. With the widespread application of SSH, encrypted
stepping stone connections make content-based approaches [1] unusable.
In addition, attackers may introduce random jitter delays before packets depart the
stepping stones, or they may insert chaffs into the original attack flow at the stepping
stones. This can completely break the timing and count characteristics employed by
many stepping stone detection systems.
Introducing jitters and inserting chaffs on stepping stones is not a difficult task for
attackers. As a simple example, an attacker can add a number of characters followed
by the same number of DEL (delete) characters. In addition, M. Venkateshaiah et al.
[45] [47] propose a buffering technique to avoid detection by using jitters and chaffs,
along with selective dropping of packets on stepping stones. The SNEAK attack tool
[46] proposed by J.D. Padhye et al. can even create constant-rate streams by using
a buffer delay and chaffs.
Therefore, stepping stone detection systems should take the evasion techniques
used by attackers into consideration as well.
2.3 Network-Based Passive Stepping Stone Detection Systems
Since host-based methods are easily controlled by attackers, and active methods are
hardly employed in practice, we focus our research on network-based passive
stepping stone detection systems. Depending on the characteristic of the traffic that a
system analyses, these systems can be classified by content characteristics, timing
characteristics, count characteristics, RTT characteristics and other characteristics. We
introduce previous work on network-based passive stepping stone detection
systems according to these characteristics. All the work we surveyed is listed in
Table 2.1.
2.3.1 Content Correlation
• Thumbprint
Staniford and Heberlein [1] initially explored stepping stone detection by considering a
chain of Telnet [65] connections, in which the content is transmitted in the clear and
therefore can be statistically analysed. Their approach was to create thumbprints
by tabulating character frequencies during set time intervals over all Telnet
connections into and out of a domain, and to compare them by looking for
suspiciously good matches. As a technical feature, they used statistical analysis tools
(principal components) to reduce the dimensionality of the feature vector, enabling
rapid comparison of the features of different connections. However, the method cannot
be used to detect encrypted connections.
Table 2.1. Network based passive stepping stone detection systems

| System | Characteristic | Function | Author | Year |
|---|---|---|---|---|
| Thumbprints | Content | Identify correlated connections | S. Staniford-Chen and L.T. Heberlein | 1995 [1] |
| Multiscale | Character count | Identify correlated connections | D. L. Donoho, et al. | 2002 [5] |
| DA | Packet count | Identify correlated connections | A. Blum, et al. | 2004 [8] |
| DMV | Packet count | Identify correlated connections | T. He and L. Tong | 2006 [21] |
| Request-Response | Packet count | Identify correlated connections | Huang et al. | 2007 [33] |
| ON/OFF | Timing | Identify correlated connections | Y. Zhang and V. Paxson | 2000 [2] |
| Deviation | Timing | Identify correlated connections | K. Yoda and H. Etoh | 2000 [3] |
| IPD | Timing | Identify correlated connections | X. Wang, et al. | 2002 [4] |
| DM | Timing | Identify correlated connections | T. He and L. Tong | 2006 [10] |
| S-I, S-II, S-III and S-IV | Timing | Identify correlated connections | L. Zhang, et al. | 2006 [9] |
| Sketching | Timing | Identify correlated connections | B. Coskun and N. Memon | 2009 [35] |
| Send-Ack/Send-Echo | RTT | Identify abnormal connections | K. H. Yung | 2002 [12] |
| RTT-Thumbprints | RTT | Identify correlated connections | Yang and Huang | 2005 [48] |
| Step-Function | RTT | Identify abnormal connections | Yang and Huang | 2006 [16] |
| Anomaly | Other | Identify abnormal connections | Kampasi et al. | 2007 [49] |

2.3.2 Count Correlation
• Multiscale
“Multiscale”, proposed by Donoho et al. [5], uses character counts to detect stepping
stones. This method uses wavelets and similar multiscale methods to separate the
short-term behavior of the streams (the jittering or chaff) from the long-term behavior
of the streams (the remaining correlation). This method requires the connections to
persist for long periods; however, the authors never implemented it in a scalable
system. Despite this, it is the first method to address robustness to added delay jitter
and the introduction of chaff. It was also the first method to introduce two constraints,
which many later methods have followed. One constraint, the causality constraint, requires a
packet to arrive at a node before it can leave that node. The other is the maximum
tolerable delay constraint, which limits how long a packet can be delayed at a stepping
stone. Assume $C_2$ is the downstream connection of $C_1$, let $N_1(t)$ be the number of
symbols in $C_1$ on $[0, t)$, and define $N_2(t)$ similarly; the two constraints then give the
following conclusions.
1) Causality constraint: $N_2(t) \le N_1(t)$
2) Maximum tolerable delay constraint: $N_2(t + \Delta) \ge N_1(t)$, where $\Delta$ is the maximum tolerable delay
• DA
Following the two constraints of the “multiscale” method, Blum et al. [8] proposed
the DA (Detect-Attacks) method, which is based on packet counts. Using ideas from
computational learning theory and the analysis of random walks, Blum et al.
achieve provable (polynomial) upper bounds on the number of packets needed to
confidently detect and identify stepping stone streams, with proven guarantees on the
false positives. In addition, Blum et al. also proposed the DAC (Detect-Attacks-Chaffs)
method, which is able to detect connections with chaffs. DA and DAC are nearly the same,
except that the upper bounds are computed differently; the upper bounds for DAC are
much bigger than the upper bounds for DA.
In DA and DAC, when a packet arrives on a connection, the system obtains the
difference in packet numbers between the compared connections. If the difference is
bigger than the specified number $p_\Delta$, it returns normal connections; if the total number
of packets observed on the two compared connections is bigger than the upper bound,
which can be calculated from $p_\Delta$, it returns correlated connections.
These methods are simple. However, their upper bounds on the number of packets
required are large, and Blum et al. do not discuss how to detect stepping stones when
the number of packets is inadequate or when there are large amounts of chaff.
• DMV
Based on the work of Blum et al. [8], He et al. [20, 21] proposed the DMV (Detect-
Maximum-Variation) method, which is also based on packet counts. Compared with
DA, DMV records the maximum and minimum difference in packet numbers between
the two compared connections. If the difference between the maximum value and the
minimum value is larger than the specified number, it returns normal connections.
He et al. prove that DMV always outperforms DA. They also claim that the DMV
algorithm has a time complexity of $O(n)$ and uses only constant memory
($O(\log p_\Delta)$, to be precise), where $n$ is the number of monitored packets and $p_\Delta$ is
the largest number of packets the attacker can send within the maximum tolerable delay.
But, similar to DA, DMV needs a large number of packets to detect stepping stones.
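To make the count-based family concrete, the following Python is an added example (not code from this thesis, from Blum et al. [8] or from He and Tong [21]): it checks the two constraints of Donoho et al. described under Multiscale above and then runs the DA and DMV count-difference tests on constructed arrival times. The bound on the total packet count is taken as a parameter, since the papers' derivations of it are not reproduced here.

```python
"""DA / DMV packet-count correlation and the two Donoho constraints.

Added example; not code from the thesis, Blum et al. [8] or He and Tong [21].
The bound on the total number of packets after which a pair is declared
correlated is passed in as packet_bound, since its derivation is not given
here. All arrival times below are constructed.
"""
from typing import List, Optional, Tuple


def count_before(times: List[float], t: float) -> int:
    """N(t): number of packets on a connection with arrival time in [0, t)."""
    return sum(1 for x in times if x < t)


def satisfies_constraints(c1: List[float], c2: List[float], max_delay: float) -> bool:
    """Check the constraints with C1 upstream of C2 at every arrival instant:
    causality N2(t) <= N1(t), and bounded delay N1(t) <= N2(t + max_delay)."""
    eps = 1e-9  # evaluate just after each arrival so that the arrival is counted
    for t in sorted(set(c1) | set(c2)):
        n1, n2 = count_before(c1, t + eps), count_before(c2, t + eps)
        if n2 > n1 or n1 > count_before(c2, t + eps + max_delay):
            return False
    return True


def merged_events(c1: List[float], c2: List[float]) -> List[Tuple[float, int]]:
    """Arrivals in time order as (time, +1 for C1, -1 for C2); C1 first on ties."""
    events = [(t, 1) for t in c1] + [(t, -1) for t in c2]
    events.sort(key=lambda e: (e[0], -e[1]))
    return events


def detect_attacks(c1, c2, p_delta: int, packet_bound: int) -> Optional[bool]:
    """DA: False (normal) once |N1 - N2| exceeds p_delta; True (correlated) once
    packet_bound packets have been observed without that; None if undecided."""
    diff = 0
    for seen, (_, step) in enumerate(merged_events(c1, c2), start=1):
        diff += step
        if abs(diff) > p_delta:
            return False
        if seen >= packet_bound:
            return True
    return None


def detect_maximum_variation(c1, c2, p_delta: int, packet_bound: int) -> Optional[bool]:
    """DMV: as DA, but tracks the running maximum and minimum of N1 - N2 and
    declares the pair normal once max - min exceeds p_delta, so the verdict does
    not depend on which connection happened to be ahead when monitoring began."""
    diff = lo = hi = 0
    for seen, (_, step) in enumerate(merged_events(c1, c2), start=1):
        diff += step
        lo, hi = min(lo, diff), max(hi, diff)
        if hi - lo > p_delta:
            return False
        if seen >= packet_bound:
            return True
    return None


# Constructed arrival times (seconds). RELAYED is UPSTREAM forwarded with a
# 0.1 s delay at a stepping stone; UNRELATED and the two BURST streams are
# independent traffic used to show where DA and DMV disagree.
UPSTREAM = [0.0, 0.3, 0.6, 0.9, 1.2, 1.5]
RELAYED = [t + 0.1 for t in UPSTREAM]
UNRELATED = [0.01, 0.02, 0.03, 0.04]
BURST_A = [0.0, 0.1, 0.9, 1.0]
BURST_B = [0.2, 0.3, 0.4]

if __name__ == "__main__":
    print("constraints hold for relay:", satisfies_constraints(UPSTREAM, RELAYED, 0.2))
    print("DA  relay :", detect_attacks(UPSTREAM, RELAYED, p_delta=2, packet_bound=8))
    print("DMV relay :", detect_maximum_variation(UPSTREAM, RELAYED, 2, 8))
    # |N1 - N2| never exceeds 2 here, so DA stays undecided, while the spread
    # max - min reaches 3 and DMV already rules the pair out.
    print("DA  bursts:", detect_attacks(BURST_A, BURST_B, 2, 8))
    print("DMV bursts:", detect_maximum_variation(BURST_A, BURST_B, 2, 8))
```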
• Request-Response
Huang et al. [33] developed a method to detect stepping stones by comparing the
bidirectional packet counts. Their method is based on the observation that if the
frequency of the send stream is linearly related to the frequency of the echo stream,
then a stepping stone is identified. This method works well in the simulation of Huang
et al. when multiple connection streams pass through the same stepping stone
node and the operations performed by the users are similar.
However, the packet count requirements of this method are large, and in their simulation
the packet count is on a scale of a thousand. In addition, as stated in the conclusion of
their paper, their work is incomplete. For example, they did not prove via
experimentation that streams with chaff could be detected, and for other traffic,
additional constraints may be required.
2.3.3 Timing Correlation
• ON/OFF
The ON/OFF based approach proposed by Zhang et al. [2] is the first timing-based
method which can trace stepping stones even if the traffic is encrypted. In
their approach, they calculate the correlation of different connections by using each
connection's OFF periods. A connection is considered to be in an OFF period when
there is no data traffic on it for more than $T_{idle}$. When a packet with a non-empty
payload appears, the connection ends its OFF period and begins an ON period.
Two OFF periods are considered correlated if their ending times differ by at most $\delta$.
For two connections $C_1$ and $C_2$, let $OFF_1$ and $OFF_2$ be the number of OFF periods
in each, and $OFF_{1,2}$ be the number of these which are correlated. They consider $C_1$ and
$C_2$ to be correlated connections if
$$\frac{OFF_{1,2}}{\min(OFF_1, OFF_2)} \ge \gamma$$
where $\gamma$ is a given threshold.
This method is simple, but is easily affected by chaffs and jitters.
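The ON/OFF test above, written out as an added example (not code from this thesis or from Zhang and Paxson [2]), with the parameters $T_{idle}$, $\delta$ and $\gamma$ passed in as arguments and constructed packet timestamps; the last sample stream shows why the method is sensitive to jitter, since holding only the first packet after each idle gap for longer than $\delta$ is enough to break every OFF-period match.

```python
"""ON/OFF correlation (Zhang and Paxson [2]) on constructed packet timestamps.

Added example, not code from the thesis or from Zhang and Paxson. t_idle, delta
and gamma are the parameters named in the text; all timestamps are constructed.
"""
from typing import List


def off_period_ends(timestamps: List[float], t_idle: float) -> List[float]:
    """Ending time of every OFF period of one connection.

    The connection is OFF once no payload-carrying packet has been seen for more
    than t_idle; the OFF period ends at the timestamp of the next such packet.
    """
    return [cur for prev, cur in zip(timestamps, timestamps[1:]) if cur - prev > t_idle]


def correlated_off_count(ends1: List[float], ends2: List[float], delta: float) -> int:
    """OFF_{1,2}: OFF periods of connection 1 whose end lies within delta of an OFF
    period end of connection 2. Each end on connection 2 is matched at most once,
    so a cluster of OFF periods on one side cannot inflate the count."""
    unmatched = sorted(ends2)
    count = 0
    for e1 in sorted(ends1):
        for idx, e2 in enumerate(unmatched):
            if abs(e1 - e2) <= delta:
                count += 1
                del unmatched[idx]
                break
    return count


def on_off_correlated(ts1: List[float], ts2: List[float],
                      t_idle: float, delta: float, gamma: float) -> bool:
    """Decide correlation: OFF_{1,2} / min(OFF_1, OFF_2) >= gamma."""
    ends1 = off_period_ends(ts1, t_idle)
    ends2 = off_period_ends(ts2, t_idle)
    denom = min(len(ends1), len(ends2))
    if denom == 0:
        return False  # no OFF periods on one side: nothing to compare
    return correlated_off_count(ends1, ends2, delta) / denom >= gamma


# Constructed sample (seconds): an upstream interactive connection, its relayed
# downstream copy delayed 50 ms at the stepping stone, an unrelated connection,
# and a downstream copy where each packet that ends an idle gap is held ~0.35 s.
UPSTREAM = [0.0, 0.2, 0.4, 2.0, 2.1, 4.5, 4.6, 7.0, 9.5]
DOWNSTREAM = [t + 0.05 for t in UPSTREAM]
UNRELATED = [0.0, 1.0, 3.0, 5.2, 6.0, 8.3, 9.0]
JITTERED = [0.05, 0.25, 0.45, 2.4, 2.45, 4.85, 4.9, 7.4, 9.85]

if __name__ == "__main__":
    for name, other in (("downstream", DOWNSTREAM), ("unrelated", UNRELATED), ("jittered", JITTERED)):
        print(name, on_off_correlated(UPSTREAM, other, t_idle=0.5, delta=0.1, gamma=0.5))
```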
• Deviation
Deviation is another timing-based measure, proposed by Yoda et al. [3]. The
measure relies on the idea that as packets flow through a connection, the total size of
transferred bytes tends to increase monotonically in time. Therefore, if two
connections belong to the same connection chain, the total size of transferred bytes
should grow at a similar rate.
Assume connection $C_1$ is an upstream connection of $C_2$. The deviation between
connections $C_1$ and $C_2$ is calculated as follows. For each connection, the algorithm
constructs a graph with the timestamp value on the x axis and the TCP connection
sequence number on the y axis, ignoring retransmitted packets. The graphs are
conceptually superposed and the graph of $C_2$ is repositioned along both the x and y axes
until the average horizontal distance between the two graphs is minimized. Based on
the graphs, the authors present the method to calculate the deviation between two
connections. Then, the connections with small deviations are thought to be correlated
connections.
Obviously, this measure only works if the packet sizes are not altered at the
stepping stones, and thus it is unable to correlate connections where padding is added
to the payload, e.g. when certain types of encryption are used.
• IPD
Wang et al. [4] propose a two-phase stepping stone detection system using
Inter-Packet Delay (IPD) timing characteristics. The first phase finds “correlation
points” between two packet streams. The second phase obtains the correlation value of
the two connections from the set of correlation points. Since a correlation metric for
true real-time correlation cannot be defined over the entire duration of a connection,
they introduce a window size, i.e. the number of packets over which correlation points
are calculated. In other words, IPD is designed for a quick response.
Correlation points are found by the following algorithm. Let $t_i$ represent the
timestamp of the $i$-th packet on a connection. The IPD is defined as
$$d_i = t_{i+1} - t_i$$
The IPD vector, then, is $(d_1, \ldots, d_n)$. A window of this vector is defined as
$$W_{j,s}(d_1, \ldots, d_n) = (d_j, \ldots, d_{j+s-1})$$
Given two connections $X$ and $Y$ whose IPD vectors are $(x_1, \ldots, x_m)$ and
$(y_1, \ldots, y_n)$ respectively, for a given window size $s$, the tuple $(j, j+k)$, i.e. the
values of the start of the windows, is defined as a correlation point if the maximum taken
over the offset value $k$ of the similarity measure (written $\phi$ here) is at least a given
correlation point threshold $\delta_{CP}$. That is,
$$\max_k \phi(W_{j,s}(X), W_{j+k,s}(Y)) \ge \delta_{CP}$$
Four similarity measures $\phi$ are defined, and a particularly successful one is the
Min/Max Sum ratio. That is,
$$\phi(W_{j,s}(X), W_{j+k,s}(Y)) = \frac{\sum_{i=j}^{j+s-1} \min(x_i, y_{i+k})}{\sum_{i=j}^{j+s-1} \max(x_i, y_{i+k})}$$
The second phase of the process uses the Correlation Value Function (CVF) to
decide if two streams are correlated. After obtaining a set of correlation points, i.e.
$(j_1, j_1+k_1), \ldots, (j_n, j_n+k_n)$, they are represented as two $n$-dimensional vectors
$C_x = (j_1, \ldots, j_n)$ and $C_y = (j_1+k_1, \ldots, j_n+k_n)$; then, if the value of the CVF is
bigger than a given correlation value threshold, the compared connections are considered
correlated connections. The CVF is defined below.
$$CVF(C_x, C_y) = \frac{\sum_{i=1}^{n} (j_i - E(C_x))\,(j_i + k_i - E(C_y))}{\sqrt{\sum_{i=1}^{n} (j_i - E(C_x))^2 \;\sum_{i=1}^{n} (j_i + k_i - E(C_y))^2}}$$
Although IPD is designed for a quick response, it is, as described, very complex.
All IPD information must be stored during the monitored time, and the
computation time is normally large because, for every packet, it compares windows of
packets at every offset.
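Both phases of IPD, as an added example (not code from this thesis or from Wang et al. [4]): the Min/Max Sum ratio is used as $\phi$, the correlation value threshold and all timestamps are constructed, and the downstream sample contains one extra leading packet so that every correlation point has offset $k = 1$.

```python
"""Inter-Packet Delay (IPD) correlation as described for Wang et al. [4].

Added example, not code from the thesis or from Wang et al. Window size s, the
correlation point threshold delta_cp and the Min/Max Sum ratio follow the text;
the correlation value threshold delta_cv and the timestamps are constructed.
"""
from math import sqrt
from typing import List, Tuple


def ipd_vector(timestamps: List[float]) -> List[float]:
    """d_i = t_{i+1} - t_i for consecutive packets of one connection."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def min_max_sum_ratio(wx: List[float], wy: List[float]) -> float:
    """Similarity of two equal-length IPD windows: sum(min) / sum(max), in [0, 1].
    Two all-zero windows are treated as identical (ratio 1)."""
    denom = sum(max(a, b) for a, b in zip(wx, wy))
    return sum(min(a, b) for a, b in zip(wx, wy)) / denom if denom else 1.0


def correlation_points(x: List[float], y: List[float], s: int, delta_cp: float) -> List[Tuple[int, int]]:
    """Phase 1. For every window start j on X, take the offset k that maximizes
    the similarity with the window starting at j + k on Y; (j, j + k) is a
    correlation point when that maximum is at least delta_cp."""
    points = []
    for j in range(len(x) - s + 1):
        wx = x[j:j + s]
        best_sim, best_k = -1.0, None
        for start in range(len(y) - s + 1):
            sim = min_max_sum_ratio(wx, y[start:start + s])
            if sim > best_sim:
                best_sim, best_k = sim, start - j
        if best_k is not None and best_sim >= delta_cp:
            points.append((j, j + best_k))
    return points


def correlation_value(points: List[Tuple[int, int]]) -> float:
    """Phase 2. CVF(C_x, C_y): Pearson correlation between the X-side window
    starts and the matched Y-side window starts. Fewer than two points, or a
    constant side, gives 0 (no linear relation can be established)."""
    n = len(points)
    if n < 2:
        return 0.0
    cx = [p[0] for p in points]
    cy = [p[1] for p in points]
    ex, ey = sum(cx) / n, sum(cy) / n
    num = sum((a - ex) * (b - ey) for a, b in zip(cx, cy))
    den = sqrt(sum((a - ex) ** 2 for a in cx) * sum((b - ey) ** 2 for b in cy))
    return num / den if den else 0.0


def ipd_correlated(ts_x: List[float], ts_y: List[float], s: int, delta_cp: float, delta_cv: float) -> bool:
    """Full IPD decision for two connections given as packet timestamps."""
    points = correlation_points(ipd_vector(ts_x), ipd_vector(ts_y), s, delta_cp)
    return correlation_value(points) > delta_cv


# Constructed timestamps (seconds). DOWNSTREAM is UPSTREAM shifted by 1.35 s
# with up to 20 ms of relay jitter, plus one earlier packet, so each window on
# UPSTREAM should match the window one position later on DOWNSTREAM (k = 1).
# UNRELATED is a slow bulk transfer whose gaps are all above one second.
UPSTREAM = [0.0, 0.12, 0.35, 0.41, 0.90, 1.02, 1.60, 1.63, 2.20, 2.75]
DOWNSTREAM = [0.30, 1.35, 1.48, 1.70, 1.78, 2.25, 2.38, 2.96, 2.99, 3.56, 4.10]
UNRELATED = [0.0, 1.2, 2.3, 3.9, 5.0, 6.4, 7.5, 9.1, 10.4, 11.5]

if __name__ == "__main__":
    pts = correlation_points(ipd_vector(UPSTREAM), ipd_vector(DOWNSTREAM), s=3, delta_cp=0.7)
    print("correlation points:", pts)
    print("CVF:", round(correlation_value(pts), 4))
    print("downstream correlated:", ipd_correlated(UPSTREAM, DOWNSTREAM, 3, 0.7, 0.8))
    print("unrelated correlated :", ipd_correlated(UPSTREAM, UNRELATED, 3, 0.7, 0.8))
```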
• DM
He et al. [10] proposed a timing-based detection algorithm “DETECT-MATCH”
(DM) to detect stepping stones. They applied the causality constraint and the maximum
tolerable delay constraint proposed by Donoho et al. [5] to the timing characteristic,
which means that a packet delay on the correlated connections must be in the range
$[0, \Delta)$, where $\Delta$ is the maximum tolerable delay.
They map the packet arrivals on the compared connections by the causality
constraint and the maximum tolerable delay constraint. For two connections, A and B, the
delay between a packet arrival on A and a packet arrival on B must be in the range $[0, \Delta)$;
if the same holds for all the following packet arrivals on A and all the following
packet arrivals on B, then the two compared connections are considered correlated
connections.
However, in real applications there are packet drops [44] during the packet relay of
stepping stones, which can break the maximum tolerable delay constraint. So whether
it can be applied in practice is doubtful.
• S-I, S-II, S-III and S-IV
Zhang et al. [9] provide four timing methods intended to detect stepping stones
effectively even under jitter and chaff perturbations. Similar to DM [10], they are also
based on the causality constraint and the bounded delay constraint. S-I is the same as
DM. In S-III, if every packet arrival in one connection has a non-repeated mapping to a
packet arrival in the other connection with a delay in the range $[0, \Delta)$, then the two
compared connections are considered correlated connections.
Differing from S-I and S-III, S-II and S-IV first perform a packet filtering
function and then apply any other stepping stone detection method. For every packet
arrival $u_i$ on connection A, S-II selects the first packet arrival on the other connection B
after $u_i$ as the mapping packet arrival. If the mapping packet arrival cannot be found,
then A and B are normal connections; otherwise, other stepping stone detection methods
are used for detection between the original packet arrivals on A and the mapping packet
arrivals on B. S-IV differs from S-II in that it selects the packet arrival on connection B
which has a delay in the range $[0, \Delta)$ as the mapping packet arrival.
However, the schemes of Zhang et al. can detect stepping stone traffic only if chaff is
inserted in the departing stream. If chaff is inserted in the incoming stream, a single
chaff packet can evade their schemes. This is similar to DM, which also assumes
“no packet drop”.
• Sketching
The sketching method proposed by Coskun et al. [35] identifies correlated
connections by the similarity of their packet-timing sketches. A packet-timing
sketch is a short, constant-length integer array which summarizes the connection's
packet-timing information. It is calculated in the three steps below.
First, it computes the packet-count vector $V_F$ of connection $F$. Let $L_{TS}$ denote the
length of the time slots forming the time axis. Time slot $t$ is defined as the $t$-th
time interval after an epoch $T_{epoch}$, that is $[T_{epoch} + (t-1)L_{TS},\; T_{epoch} + t\,L_{TS}]$. Based
on these time slots, it obtains $V_F(t)$, the number of packets that flow $F$ transmits
during time slot $t$.
Secondly, it applies a random linear transformation to obtain the integer-array
sketch by projecting the packet-count vector $V_F$ onto the $k$ random basis vectors
$B_i$, $i = 1, 2, \ldots, k$, as follows:
$$C_F(i) = \sum_t B_i(t)\,V_F(t), \qquad \Pr(B_i(t) = 1) = \Pr(B_i(t) = -1) = \tfrac{1}{2}$$
Thirdly, it binarizes the integer-array sketch by
$$S_F(i) = \begin{cases} 1 & C_F(i) \ge 0 \\ 0 & C_F(i) < 0 \end{cases}$$
After finding the binary sketches for the compared connections, it calculates the
Hamming distance between the binary sketches. If the Hamming distance is smaller
than the specified threshold, the compared connections are considered correlated
connections.
Coskun et al. also presented a method to efficiently search for correlated
connections. They claimed that the computation time is $O(n + \sqrt{nm})$, where $m$ is
the number of ingress connections and $n$ the number of egress connections. However, they
did not mention the computing cost of obtaining the binary sketches. In addition, when the
array of binary sketches is larger than the number of slots, it is no more efficient
than direct comparison.
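The three sketching steps and the Hamming-distance decision, as an added example (not code from this thesis or from Coskun and Memon [35]); the slot length $L_{TS}$, epoch $T_{epoch}$, number of basis vectors $k$, the threshold and all timestamps are constructed, and the $\pm 1$ basis vectors are drawn from a seeded generator so that monitors at different vantage points obtain the same projection.

```python
"""Packet-timing sketches in the style of Coskun and Memon [35].

Added example; not code from the thesis or from Coskun and Memon. L_TS,
T_epoch, k and the Hamming-distance threshold are parameters. The +/-1 basis
vectors come from a seeded generator so that every monitor computes the same
projection. All timestamps below are constructed.
"""
import random
from typing import List


def packet_count_vector(timestamps: List[float], t_epoch: float, l_ts: float, n_slots: int) -> List[int]:
    """V_F(t) for t = 1..n_slots: packets whose time falls in the t-th slot of
    length l_ts after t_epoch (slots taken half-open here, so a boundary packet
    is counted once); packets outside the monitored span are ignored."""
    v = [0] * n_slots
    for ts in timestamps:
        slot = int((ts - t_epoch) // l_ts)  # 0-based index of slot t = slot + 1
        if 0 <= slot < n_slots:
            v[slot] += 1
    return v


def random_basis(k: int, n_slots: int, seed: int) -> List[List[int]]:
    """k random vectors B_i with Pr(B_i(t) = 1) = Pr(B_i(t) = -1) = 1/2,
    reproducible from the shared seed."""
    rng = random.Random(seed)
    return [[rng.choice((-1, 1)) for _ in range(n_slots)] for _ in range(k)]


def integer_sketch(v: List[int], basis: List[List[int]]) -> List[int]:
    """C_F(i) = sum_t B_i(t) V_F(t)."""
    return [sum(b * x for b, x in zip(b_i, v)) for b_i in basis]


def binary_sketch(c: List[int]) -> List[int]:
    """S_F(i) = 1 if C_F(i) >= 0, else 0."""
    return [1 if c_i >= 0 else 0 for c_i in c]


def hamming_distance(s1: List[int], s2: List[int]) -> int:
    """Number of positions in which two binary sketches differ."""
    return sum(a != b for a, b in zip(s1, s2))


def sketch_flow(timestamps: List[float], t_epoch: float, l_ts: float,
                n_slots: int, basis: List[List[int]]) -> List[int]:
    """Binary packet-timing sketch of one flow (all three steps)."""
    v = packet_count_vector(timestamps, t_epoch, l_ts, n_slots)
    return binary_sketch(integer_sketch(v, basis))


def sketches_correlated(ts1, ts2, t_epoch, l_ts, n_slots, basis, threshold: int) -> bool:
    """Correlated if the Hamming distance between the sketches is below threshold."""
    s1 = sketch_flow(ts1, t_epoch, l_ts, n_slots, basis)
    s2 = sketch_flow(ts2, t_epoch, l_ts, n_slots, basis)
    return hamming_distance(s1, s2) < threshold


# Constructed sample: 8 slots of 1 s from epoch 0 and k = 16 basis vectors.
# RELAYED is UPSTREAM forwarded with a 0.1 s delay (no packet crosses a slot
# boundary, so the count vectors are identical); UNRELATED is independent.
T_EPOCH, L_TS, N_SLOTS, K = 0.0, 1.0, 8, 16
UPSTREAM = [0.2, 0.4, 1.3, 2.5, 2.6, 2.7, 4.1, 5.5, 5.6, 7.2]
RELAYED = [t + 0.1 for t in UPSTREAM]
UNRELATED = [0.1, 0.9, 1.1, 1.9, 3.3, 3.4, 3.5, 3.6, 6.0, 6.8]
BASIS = random_basis(K, N_SLOTS, seed=2011)

if __name__ == "__main__":
    up = sketch_flow(UPSTREAM, T_EPOCH, L_TS, N_SLOTS, BASIS)
    print("upstream count vector :", packet_count_vector(UPSTREAM, T_EPOCH, L_TS, N_SLOTS))
    print("upstream binary sketch:", up)
    print("Hamming to relayed    :", hamming_distance(up, sketch_flow(RELAYED, T_EPOCH, L_TS, N_SLOTS, BASIS)))
    print("Hamming to unrelated  :", hamming_distance(up, sketch_flow(UNRELATED, T_EPOCH, L_TS, N_SLOTS, BASIS)))
```

A relay delay longer than $L_{TS}$ would move packets into later slots and change the count vector, which is why the slot length must be chosen against the expected relay delay.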
2.3.4 RTT Correlation
Since the packets sent are always echoed back on interactive connections, the
Round-Trip Time (RTT) between a send packet and its corresponding echo packet,
which carries information about how many downstream hops away the final victim is
located, is also used to detect stepping stones.
• Send-Ack/Send-Echo
Yung [12] was the first to propose a method for detecting stepping stones by RTT. The
basic idea is to estimate the length of a downstream connection chain by computing
the ratio between the Send-Ack delay and the Send-Echo delay. The Send-Ack delay is the
time taken by a send packet to travel to the next host (i.e. the stepping stone) and be
acknowledged. The Send-Echo delay is the time taken by a send packet to reach the server
side (in a stepping stone mechanism, the server is the victim) and be echoed back. In
a direct connection, the Send-Ack and Send-Echo delays are expected to be similar. In an
indirect connection (connection chain), however, the Send-Echo time is expected to
be larger than the Send-Ack time.
This method can detect connections which have more than two hops downstream;
however, it cannot identify correlated connections.
• RTT-Thumbprint
Yang et al. [48] proposed a method to detect stepping stones by RTT-thumbprint,
which is a sequence of timestamp pairs between each send packet and its
corresponding echo packet. Two different algorithms are presented, one exhaustive
and the other heuristic, with the heuristic algorithm actually performing as well as the
exhaustive algorithm, but more efficiently.
However, this method is based on the assumption that the inter-packet delays are
larger than the RTT, so that there is a one-to-one mapping between send packets and echo
packets. In practice, many things can throw this process off, including dropped and
retransmitted packets.
• Step-Function
Yang et al. [16] proposed a method of detecting stepping stones using the feature
that the RTT changes little for normal connections but increases proportionally with the
number of stepping stones in the chain. The steps in the RTT changes reflect
the number of hosts in the connection, and if the number of steps for a connection is
more than a specified number, the connection may be considered a stepping stone
connection.
Similar to the “Send-Ack/Send-Echo” method, it can identify stepping stone
connections; however, it cannot identify correlated connections. In addition, it has to
keep monitoring the traffic on the connections.
2.3.5 Others
• Anomaly
Kampasi et al. [49] provide three algorithms to detect stepping stone connections
with either jitter, chaff or both. The algorithms can be used together with other timing-
based stepping stone detection methods to improve stepping stone detection when
either jitter, chaff or both are introduced into a packet stream. The main premise of the
design is that if an attacker adds jitter or chaff, the traffic will appear anomalous,
and that is when the three specialized algorithms take effect.
However, the three algorithms are unable to identify correlated connections.
2.4 Summary
Stepping stones are one of the effective strategies adopted by network perpetrators
to maintain anonymity during an attack. Attackers may further attempt to evade detection
by actively modifying connections so that they appear uncorrelated. Because they are easy
to deploy and hard for an attacker to control, many network-based passive stepping
stone detection systems have been proposed to identify correlated connections or just
to identify stepping stones.
Chapter 3
Getting the Real-Time Round-Trip Time
for Stepping Stone Detection
Stepping stone attacks are often used by network intruders to hide their identities. The
Round Trip Times (RTT) between the send packets and corresponding echo packets
for the connection chains of stepping stones are critical for detecting such attacks.
However, previous real-time RTT getting approaches cannot obtain RTTs precisely. In
this chapter, we propose a novel real-time RTT getting algorithm which can be used at
all times by RTT based stepping stone detection approaches to identify stepping
stones, and be used sparsely to obtain the value of parameters by other non-RTT based
stepping stone detection approaches. Our experiments show that it is far more accurate
than the previous real-time RTT getting algorithms. We also present the probability
analysis which shows that our algorithm has a high matching rate and accuracy rate.
3.1 Introduction
Depending on the characteristics of the connections they analyse, stepping stone
detection systems can be classified mainly as timing correlation [2, 3, 4, 9, 10, 35],
count correlation [8, 21] and RTT correlation [12, 16]. Whichever stepping stone
detection approach is used, RTTs are involved either directly or indirectly. In the
ON/OFF approach [2], Zhang and Paxson suggested that the control parameter should
be chosen based on the RTT of a connection. Donoho et al. [5] argued that there
should be a maximum tolerable delay that a packet can suffer at a stepping stone.
Based on this argument, some packet-count based approaches [8, 21] and timing
based approaches [9, 10] have been proposed. In all of these approaches the maximum
tolerable delay is an assumed input parameter, but none of them indicates what value
it should take. In fact, the RTT is precisely what represents the maximum tolerable
delay.
Unlike the other types of approaches, RTT based approaches use the RTT directly.
Since the RTT is computed from both send and echo packets, one benefit of RTT based
approaches is that they can filter out asymmetric Internet packets and chaff packets,
and can be more resistant to network imperfections and intruder evasion than any
other type of approach. “Send-Ack/Send-Echo” [12] was the first approach proposed
to detect stepping stones by RTT. The basic idea is to estimate the length of a
downstream connection chain by computing the ratio between the packet Send-Ack
delay and the Send-Echo delay (i.e. the RTT). In this approach, if the length of a
downstream connection chain exceeds a specified number, the connection may be
considered a stepping stone connection. However, Yung’s method only gives good
results when network traffic is relatively uniform. The “Step-Function” approach [16]
was then proposed, exploiting the fact that the RTT varies little for a normal
connection but increases in proportion to the number of stepping stones in the chain.
The steps in the RTT values reflect the number of hosts in the chain. If the number of
RTT steps on an interactive connection exceeds a specified number, the connection
may be considered a stepping stone connection. This approach can detect stepping
stones correctly if the RTTs can be obtained precisely.
However, it is not easy to get the RTT with high precision, as echo packets have no
obvious characteristic to identify correlated send packets. “Send-Ack/Send-Echo”
approach [12] used a statistical method to match TCP send and echo packets. This can
result in a correct match only when the echo packet is received before the next send
packet is sent. In addition to this, it cannot be used in real-time. In “Step-Function”
approach, Yang and Huang [16] proposed Conservative and Greedy algorithms to
obtain RTT. But these two algorithms are based on the assumption that every send
packet exactly matches one echo packet. Yang [51] proposed a standard deviation-
based clustering approach (SDBA) which calculates time delay between all send
packets and echo packets, and finds the cluster with the smallest standard deviation.
Although it can achieve high accuracy, it is inefficient and cannot be used in real-time.
To block or trace attacks, a stepping stone detection approach should be able to
identify stepping stone connections as soon as possible. Therefore, obtaining accurate
RTTs in real-time remains a challenge.
In this chapter, we propose an Estimation-Based Algorithm (EBA) to discover RTTs
in real-time. As an RTT-getting approach, the EBA algorithm can be used continuously
by RTT based stepping stone detection approaches such as “Step-Function” [16]. It
can also be used sparingly by other, non-RTT based stepping stone detection
approaches to find the values of their parameters. The experiments show that our
algorithm is far more accurate than other real-time RTT-getting algorithms. We also
present a probabilistic analysis which shows that our algorithm has a high matching
rate and an accuracy rate similar to that of the more complex, non-real-time SDBA
approach [51].
The rest of the chapter is organized as follows. In Section 3.2 we introduce the
motivation of our algorithm. The detail of our Estimation-Based RTT algorithm is
presented in Section 3.3. Section 3.4 gives the probability analysis. Some
experimental application results are given in Section 3.5. Finally, we summarize this
chapter in Section 3.6.
3.2 Motivation
RTT estimation is one of the key characteristics of the current TCP mechanism. In
order to find a suitable value for the retransmission time-out, all TCP implementations
attempt to estimate the current RTT of every active connection by observing the
pattern of delay for recent segments. Our estimation-based RTT algorithm is
motivated by this observation.
However, the RTT for a stepping stone differs from the RTT for TCP. We formally
define the RTT and related terms here.
Send packet: A packet sent on an interactive connection from the attacker (client) to
the target (server) that carries both the ‘Push (P)’ and ‘Acknowledgement (A)’ flags
or only the ‘P’ flag [61].
Echo packet: A packet sent on an interactive connection from the target (server) to
the attacker (client) that carries both the ‘P’ and ‘A’ flags or only the ‘P’ flag.
Ack packet: A packet carrying the ‘A’ flag only.
RTT for TCP: The time delay between a send packet and the corresponding ack
packet or echo packet on an interactive connection is the Round-Trip Time (RTT)
for TCP on this connection. Here the corresponding ack or echo packet can be
identified by the TCP sequence and acknowledgement numbers.
RTT for stepping stone: The time delay between a send packet and the
corresponding echo packet on an interactive connection is the Round-Trip Time
(RTT) for a stepping stone on this connection. Because the data sent on an
interactive connection is normally echoed back, we call the echo packet triggered by
a send packet the corresponding echo packet of that send packet. Unless otherwise
specified, every RTT in this thesis is the RTT for a stepping stone.
Connection number: The number of relay hosts between the specified connection
and the target machine is called the connection number of its downstream
connection chain.
See Figure 3.1 for an illustration of the above definition. From this illustration, we
see that an attacker establishes a connection chain to the targeted machine by a series
of stepping stones. Commands typed by the attacker are relayed to the target by a
series of stepping stones, executed on target and then echoed back to the attacker by a
series of stepping stones. The RTT for stepping stone on connection i is the time delay
of the send command (packet) and the corresponding echoed back command (packet)
on connection i.
Figure 3.1. Stepping stone chain between Attacker and Target (Attacker, Stepping
stone 1, ..., Stepping stone i-1, Stepping stone i, Target; on connection i the RTT for
TCP spans Send to Ack, and the RTT for stepping stone spans Send to Echo)
Normally, to obtain the RTT for a stepping stone, we must first find the
corresponding echo packets for the send packets. However, finding the corresponding
echo packet is not as easy as finding the ack packet, which can be identified by the
sequence number in the TCP header. The reasons are explained below.
The information we get from the packet content is just the TCP header information,
such as packet length and sequence number. Since intruders normally select encrypted
connections, such as SSH instead of plain telnet, we are unable to see the data
content of the packet, nor can we benefit much from the header information. For
encrypted connections, even the packet length fails to represent the real length of the
data. The TCP sequence number and acknowledgement number are used by the
Conservative algorithm [16] to match packets. But the sequence and acknowledgement
numbers are only meaningful within one TCP connection and are not helpful for
matching packets across a TCP connection chain, which is why only a few send
packets are matched by the Conservative algorithm.
The packet mapping has no fixed pattern, since traffic on the Internet is complex and
one send packet may correspond to several echo packets. For example, when a
command is executed at the target host, the result may be sent back in several packets.
A send packet may also have no corresponding packet at all; for example, a password
is not echoed back by the target host. In addition, due to packet retransmission and
cumulative acknowledgement, several send packets may correspond to one echo
packet. Therefore, we cannot assume that each send packet is answered by exactly one
echo packet (i.e. a one-to-one mapping), which is the strategy used by the Greedy
algorithm [16]. The Greedy algorithm has a low accuracy rate because the packets
most probably do not follow a one-to-one mapping.
The time interval between two consecutive send packets is not always large enough.
We can assume that some time intervals are larger than the RTT. However, we cannot
assume that every interval is larger than the RTT, because users (including intruders)
connecting to a host may need to pause in order to read, think or respond to the
previous operation, but they do not need to pause for every operation. So normally
there are RTT overlaps, i.e. the next send packet may be sent before the corresponding
echo packet of the previous one has been received. One deficiency of Yung’s proposal
[12] is that it cannot deal with this case of RTT overlap.
Our Estimation-Based Algorithm differs from the above methods in that it calculates
an RTT estimate (ERTT) first, instead of searching for the corresponding echo packet
directly. If the ERTT is accurate enough and the send packet has a corresponding echo
packet, that echo packet should arrive about ERTT later than the send packet. This
makes it easy for our algorithm to find the corresponding echo packet, without needing
to consider whether the mapping is one-to-one or whether there is RTT overlap.
3.3 Estimation-Based Algorithm (EBA)
Before presenting the Algorithm, we present some definitions related to the algorithm
first.
RTT sequence: An RTT sequence $\{RTT_1, RTT_2, \ldots, RTT_i, \ldots\}$ is a series
of real RTTs in chronological order, each calculated as the time delay between the
arrival epoch of a send packet and the arrival epoch of its corresponding echo packet
on an interactive connection.
ERTT: The estimated value of the RTT.
ERTT sequence: An ERTT sequence $\{ERTT_1, ERTT_2, \ldots, ERTT_i, \ldots\}$ is a
series of ERTTs in chronological order calculated by the EBA algorithm.
ΔRTT: The deviation of the RTT from the ERTT.
ΔRTT sequence: A ΔRTT sequence $\{\Delta RTT_1, \Delta RTT_2, \ldots, \Delta RTT_i, \ldots\}$
is a series of ΔRTTs in chronological order, where $\Delta RTT_i = RTT_i - ERTT_i$.
FR (fluctuate range): The maximum value by which $RTT_i$ may deviate from $ERTT_i$.
Our algorithm is composed of two modules: the estimating module and the
matching module. Next we will present the detailed algorithm description for each
module and include some improvements.
3.3.1 The Estimating Module
The Estimating Module is responsible for calculating the ERTT. We use the first-order
linear recursive filter to estimate the RTT, the same filter used by current TCP RTT
estimation mechanisms. For the RTT sequence $\{RTT_1, RTT_2, \ldots, RTT_i, \ldots\}$
and ERTT sequence $\{ERTT_1, ERTT_2, \ldots, ERTT_i, \ldots\}$ on an interactive
connection, each ERTT is calculated from the previous ERTT and RTT, as shown in
equations (1) and (2):
$ERTT_i = a \cdot ERTT_{i-1} + (1 - a) \cdot RTT_{i-1}$ (1)
$ERTT_1 = RTT_1$ (2)
In (1), $a$ is the weighting factor, which adjusts how quickly the estimate responds to
the real value. In current TCP/IP implementations the weighting factor of the TCP
RTT estimator is normally set to 0.875, a value that has been used for many years and
is still considered reasonable on the Internet [56]. We also tested parameter $a$ with
different values in our algorithm, and found that we obtain the smallest standard
deviation of ΔRTT when $a$ equals 0.875. The smaller the ΔRTT, the more precise the
estimation. Therefore, we set $a$ to 0.875 in our applications.
To calculate the ERTT, the key is how to obtain the first real RTT (i.e. $RTT_1$). From
the analysis in Section 3.2, we know that during an interactive terminal session there
are inevitably some time intervals between two consecutive send packets that are
considerably larger than the RTT of the network. This means it is reasonable to begin
or resume our estimation from these large time intervals. If two consecutive send
packets have a timestamp difference of more than TI (a predefined time interval
threshold), we assume a large gap exists and then obtain $RTT_1$. Normally, we can
consider the first echo packet after the large interval to be matched with the first send
packet after it. So we calculate $RTT_1$ as the time delay between that first echo packet
and that first send packet.
To evaluate the accuracy of our estimating algorithm, we built a connection chain
with three connections. We then input simple characters with large intervals, so that
send packets and echo packets are in one-to-one mapping and there is no RTT overlap,
and we easily obtained the real RTTs by one-to-one matching. Figure 3.2 shows the
RTT distribution of the real RTTs we obtained, where the Y-axis is the probability
with which each RTT value occurred and the X-axis is the RTT value in ms. From
Figure 3.2, we found that the RTT distribution is roughly Poisson-like, with a
relatively narrow range.
Figure 3.2. RTT distribution (X-axis: RTT in ms, from 130 to 200; Y-axis:
probability, from 0 to 0.25)
At the same time, we calculated the ERTT by equations (1) and (2) from the real RTT
data we obtained. We then compared the ERTT with the real RTT and obtained the
ΔRTT distribution shown in Figure 3.3, which is close to a normal distribution; more
than 97% of the |ΔRTT| values are smaller than 17 ms.
We also found that the standard deviation of the RTT distribution is nearly the
same as the standard deviation of the ΔRTT distribution. The standard deviation in
Figure 3.2 is 9.31 ms and the standard deviation in Figure 3.3 is 9.38 ms. Table 3.1
shows the standard deviations from other tests we ran.
Figure 3.3. ΔRTT distribution (X-axis: ΔRTT in ms, from -30 to 40; Y-axis:
probability, from 0 to 0.25)
Table 3.1. Standard deviation comparisons for the RTT and ΔRTT distributions
Example   Standard deviation for RTT (ms)   Standard deviation for ΔRTT (ms)
1         1.735                             1.771
2         2.841                             2.827
3         3.663                             3.722
4         5.312                             5.538
5         6.469                             6.651
6         9.016                             9.043
3.3.2 The Matching Module
Since most $RTT_i$ fluctuate around $ERTT_i$ within a relatively narrow range, we
consider a time delay to be $RTT_i$ if the delay between an echo packet and the send
packet lies in the range from $ERTT_i - FR$ to $ERTT_i + FR$. This is the basic idea
of the matching process.
We found that the ΔRTT distribution is close to a normal distribution, so the
maximum ΔRTT (i.e. FR) is infinite in theory. But our goal is to obtain real RTTs for
detecting stepping stones with the “Step-Function” detection approach [16]. The few
real RTTs that are too small or too large, and of no benefit to us, are filtered out by
selecting an appropriate FR. As FR grows, more packets fall in the range from
$ERTT_i - FR$ to $ERTT_i + FR$, so the probability of finding matched packets is
higher, but the probability of an incorrect match is higher as well. The value of FR is
therefore critical for our algorithm; we discuss it further in Section 3.4.
In our algorithm, we keep a queue called SendQ, which stores the send packets in
time order. When the time interval between two consecutive send packets is larger
than TI, we reset SendQ. When we find the corresponding echo packet for a send
packet, or when we are sure there is no corresponding echo packet for it, we delete
that send packet from SendQ.
The estimating module gives us the ERTT. Now, when we capture an echo packet,
we take the first send packet from SendQ and calculate the time delay $T_{delay}$
between the echo packet and that send packet. If $T_{delay}$ is smaller than
$ERTT_i - FR$, we consider that no send packet matches this echo packet; if
$T_{delay}$ lies in the range from $ERTT_i - FR$ to $ERTT_i + FR$, we consider the
two packets matched and $RTT_i$ is $T_{delay}$; if $T_{delay}$ is larger than
$ERTT_i + FR$, we consider that no echo packet matches this send packet, and we
take the next send packet from SendQ and repeat the above process. Figure 3.4
describes the matching process.
Figure 3.4. Matching module processing (flowchart: capture the next packet P; if P
is a send packet, compute the interval since the last send packet, reset SendQ when
the interval exceeds the threshold TI, and put P in SendQ; if P is an echo packet,
take the first packet Ps from SendQ, compute Tdelay, and compare it with
ERTTi - FR and ERTTi + FR; if Tdelay lies within that range, RTTi = Tdelay, and
RTTi is passed to the estimating module, which returns the updated ERTT)
Through this matching process we obtain and store every RTT. At the same time, we
feed each RTT into the estimating process to find the new ERTT for continued
processing. The stored RTTs can be used by RTT based stepping stone detection
approaches to judge whether the monitored host is a stepping stone, or to calculate
the parameters of non-RTT based stepping stone detection approaches.
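The two modules described above, written out as an added, runnable Python example; this is not the thesis's own implementation. It assumes TI = 1 s and FR = 30 ms, restarts the estimate from the first echo after a large gap as equation (2) describes, and runs over a constructed packet trace containing the cases Section 3.2 lists: RTT overlap, a send packet with no echo, and one send packet answered by several echo packets. The names `ALPHA`, `TI`, `FR`, `classify`, `EBA`, `run_eba` and the `SAMPLE_TRACE` timestamps are all constructed for this example.

```python
"""Estimation-Based Algorithm (EBA): estimating module plus matching module.

Added example, not the thesis's code. Timestamps are in seconds.
"""
from collections import deque

ALPHA = 0.875   # weighting factor a of equation (1), as in TCP's RTT estimator
TI = 1.0        # large-gap threshold between consecutive send packets (assumed)
FR = 0.030      # fluctuate range: 30 ms, the value used in Section 3.4


def classify(direction, flags):
    """Packet classes of Section 3.2 from TCP flags and direction.

    direction: 'c2s' (attacker/client -> target/server) or 's2c'.
    flags: 'PA' (Push+Ack), 'P' (Push only) or 'A' (Ack only).
    """
    if flags in ("PA", "P"):
        return "send" if direction == "c2s" else "echo"
    if flags == "A":
        return "ack"
    return "other"


class EBA:
    def __init__(self, alpha=ALPHA, ti=TI, fr=FR):
        self.alpha, self.ti, self.fr = alpha, ti, fr
        self.sendq = deque()    # SendQ: unmatched send timestamps in time order
        self.last_send = None
        self.ertt = None        # no estimate until RTT_1 is obtained after a large gap
        self.resync = False     # set by a large gap: the next echo yields RTT_1
        self.rtts = []          # the RTT sequence
        self.ertts = []         # ERTT_i that was in force when RTT_i was matched

    def _estimate(self, rtt):
        """Equations (2) and (1): ERTT_1 = RTT_1; ERTT_i = a*ERTT_{i-1} + (1-a)*RTT_{i-1}."""
        if self.ertt is None:
            self.ertt = rtt
        else:
            self.ertt = self.alpha * self.ertt + (1.0 - self.alpha) * rtt

    def on_send(self, t):
        if self.last_send is not None and t - self.last_send > self.ti:
            self.sendq.clear()  # large gap: reset SendQ, resync on the next echo
            self.resync = True
        self.sendq.append(t)
        self.last_send = t

    def on_echo(self, t):
        """Matching module: returns the matched RTT_i, or None if nothing matches."""
        if not self.sendq:
            return None         # e.g. further output packets of an already matched command
        if self.resync:         # first echo after a gap pairs with the first send after it
            self.resync = False
            return self._record(t - self.sendq.popleft())
        if self.ertt is None:
            return None         # estimation has not started yet (no large gap seen)
        while self.sendq:
            delay = t - self.sendq[0]
            if delay < self.ertt - self.fr:
                return None     # no send packet matches this echo; keep the send packet
            if delay <= self.ertt + self.fr:
                self.sendq.popleft()
                return self._record(delay)
            self.sendq.popleft()  # delay > ERTT_i + FR: this send packet has no echo
        return None

    def _record(self, rtt):
        self.rtts.append(rtt)
        self.ertts.append(rtt if self.ertt is None else self.ertt)
        self._estimate(rtt)     # feed RTT_i back to obtain ERTT_{i+1}
        return rtt


def run_eba(packets, **kwargs):
    """Feed (timestamp, direction, flags) records through EBA; return the RTT sequence."""
    eba = EBA(**kwargs)
    for t, direction, flags in packets:
        kind = classify(direction, flags)
        if kind == "send":
            eba.on_send(t)
        elif kind == "echo":
            eba.on_echo(t)      # ack and other packets are ignored
    return eba.rtts


# Constructed trace, not captured data: true RTT about 150 ms on a short chain.
SAMPLE_TRACE = [
    (0.000, "c2s", "PA"), (0.150, "s2c", "PA"),  # before any large gap: unusable
    (5.000, "c2s", "PA"), (5.152, "s2c", "PA"),  # gap > TI, then RTT_1 = 0.152
    (5.200, "c2s", "A"),                         # pure ack, ignored
    (5.300, "c2s", "PA"), (5.455, "s2c", "PA"),  # RTT 0.155
    (5.600, "c2s", "PA"), (5.650, "c2s", "PA"),  # typed faster than the RTT (overlap)
    (5.748, "s2c", "PA"), (5.803, "s2c", "PA"),  # 0.148 and 0.153
    (6.000, "c2s", "PA"),                        # password character: never echoed
    (6.200, "c2s", "PA"), (6.349, "s2c", "PA"),  # 6.000 dropped (0.349 > ERTT+FR), 0.149
    (6.500, "c2s", "PA"), (6.550, "c2s", "PA"),  # command with multi-packet output
    (6.651, "s2c", "PA"),                        # 0.151 from 6.500
    (6.660, "s2c", "PA"), (6.668, "s2c", "PA"),  # extra output: below ERTT-FR for 6.550
    (6.703, "s2c", "PA"),                        # 0.153 from 6.550
]

if __name__ == "__main__":
    print([round(r, 3) for r in run_eba(SAMPLE_TRACE)])
```

Two design points worth noting: an echo that arrives earlier than `ERTT - FR` is discarded without touching SendQ, so the extra output packets of a command never consume a later send packet, and a send packet is only dropped once an echo arrives later than `ERTT + FR` after it, which is how the unechoed password character is aged out.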
3.4 Evaluation
3.4.1 Matching Rate
The matching rate is defined as the ratio between the number of matched packet pairs
and the number of send packets that have corresponding echo packets. According to
our algorithm, only an RTT whose difference from the ERTT is smaller than FR can be
matched, so FR is critical to our algorithm. The larger the FR, the higher the matching
rate, but the higher the probability of an incorrect match as well. In addition, our main
goal is to obtain the real RTTs used to detect stepping stones; the few real RTTs that
are too small or too large cannot benefit us, so our algorithm also acts as a filter.
Assume echo packet $P_{ei}$ is the corresponding echo packet of send packet $P_{si}$,
with timestamps $t_{ei}$ and $t_{si}$ respectively. If $P_{ei}$ is selected to match $P_{si}$,
the time delay between them is $RTT_i$. Assume further that $ERTT_i$ is known. Then
we have:
$t_{si} + ERTT_i - FR \le t_{ei} \le t_{si} + ERTT_i + FR$
$ERTT_i - FR \le t_{ei} - t_{si} \le ERTT_i + FR$
$ERTT_i - FR \le RTT_i \le ERTT_i + FR$
$|RTT_i - ERTT_i| \le FR$
We assume ΔRTT has standard deviation $\sigma$ (and, as Figure 3.3 suggests, a mean of
zero), and let $u = FR / \sigma$. The matching rate, i.e. the probability that a
corresponding packet is found for $P_{si}$, which is the probability that $P_{ei}$ is
selected to match $P_{si}$, is bounded by the Chebyshev inequality [88] as follows:
$\text{Matching rate} = P(P_{si} \text{ has a corresponding packet found}) = P(|RTT_i - ERTT_i| \le FR) \ge 1 - \frac{1}{u^2}$
The matching rate depends on the value of $u$, the ratio between FR and the standard
deviation of ΔRTT. In our experiments, FR was set to 30 ms, which worked well. Using
the standard deviations of ΔRTT obtained earlier, we computed $u$ and the matching
rate as shown in Table 3.2. The matching rates for all the standard deviation examples
are higher than 90%, which is high enough to detect stepping stones.
Table 3.2. Matching rate examples for EBA (FR = 30 ms)
Example   Standard deviation for ΔRTT (ms)   u        Matching rate (%)
1         1.771                              16.940   99.651
2         2.827                              10.612   99.112
3         3.722                              8.060    98.461
4         5.538                              5.417    96.592
5         6.651                              4.510    95.086
6         9.043                              3.317    90.802
3.4.2 Accuracy Rate
We first estimate the probability of making an incorrect choice of echo packet $P_{ei}$
for send packet $P_{si}$. There are two ways in which $P_{ei}$ can be incorrectly selected
to match $P_{si}$.
First, $P_{ei}$ should be the corresponding packet of a previous send packet, but was
not selected to match it because the real $RTT_{i-1}$ is larger than $ERTT + FR$. In this
case, most probably $P_{ei}$ is the corresponding packet of the last send packet
$P_{s(i-1)}$. We assume the timestamps of $P_{s(i-1)}$, $P_{si}$ and $P_{ei}$ are
$t_{s(i-1)}$, $t_{si}$ and $t_{ei}$ respectively, and that the time delay between $t_{ei}$
and $t_{s(i-1)}$ is $RTT_{i-1}$. Since $P_{ei}$ was selected to match $P_{si}$, we have
$t_{ei} - t_{si} \ge ERTT_i - FR$
$t_{s(i-1)} + RTT_{i-1} - t_{si} \ge ERTT_i - FR$
$RTT_{i-1} - ERTT_{i-1} \ge t_{si} - t_{s(i-1)} - FR + (ERTT_i - ERTT_{i-1})$
Since $P_{ei}$ was not selected to match $P_{s(i-1)}$, the ERTT was not recalculated, so
$ERTT_i$ equals $ERTT_{i-1}$. Then
$RTT_{i-1} - ERTT_{i-1} \ge t_{si} - t_{s(i-1)} - FR$
In addition, let $L_{i-1}$ be the time interval between these two consecutive send
packets, i.e. $t_{si} - t_{s(i-1)} = L_{i-1}$, and let $L$ be the smallest time interval
between two consecutive send packets. Then
$RTT_{i-1} - ERTT_{i-1} \ge L_{i-1} - FR$, and with $L_{i-1} \ge 2FR$,
$RTT_{i-1} - ERTT_{i-1} \ge \frac{L_{i-1}}{2}$ (3)
Second, $P_{ei}$ should be the corresponding packet of $P_{s(i+1)}$, the send packet
following $P_{si}$, but is matched with $P_{si}$ because the difference between the
timestamps of $P_{si}$ and $P_{ei}$ is closer to $ERTT_i$ than the difference between
the timestamps of $P_{s(i+1)}$ and $P_{ei}$. We assume the timestamps of $P_{si}$,
$P_{s(i+1)}$ and $P_{ei}$ are $t_{si}$, $t_{s(i+1)}$ and $t_{ei}$, and that the time delay
between $t_{ei}$ and $t_{s(i+1)}$ is $RTT_i$. Then we have
$t_{ei} - t_{si} - ERTT_i \le ERTT_i - (t_{ei} - t_{s(i+1)})$
$(t_{ei} - t_{s(i+1)}) + (t_{s(i+1)} - t_{si}) - ERTT_i \le ERTT_i - (t_{ei} - t_{s(i+1)})$
$t_{ei} - t_{s(i+1)} \le ERTT_i - \frac{t_{s(i+1)} - t_{si}}{2}$
$RTT_i \le ERTT_i - \frac{L_i}{2}$ (4)
where $L_i = t_{s(i+1)} - t_{si}$.
From (3) and (4) (relabelling the index in (3)) we have
$|RTT_i - ERTT_i| \ge \frac{L_i}{2} \ge \frac{L}{2}$. Assuming ΔRTT has standard
deviation $\sigma$ and letting $v = \frac{L}{2\sigma}$, the probability that $P_{ei}$ is
incorrectly selected to match $P_{si}$ is bounded by the Chebyshev inequality as
follows:
$P(\text{incorrect choice of } P_{ei} \text{ for } P_{si}) = P\left(|RTT_i - ERTT_i| \ge \frac{L}{2}\right) \le \frac{1}{v^2}$
Then the accuracy rate, i.e. the probability of making a correct selection of the packet
pair for an RTT, can be estimated by the following inequality:
$\text{Accuracy rate} = P(\text{correct choice of } P_{ei} \text{ for } P_{si}) \ge 1 - \frac{1}{v^2}$
Yang [51] claims that the accuracy rate of his SDBA algorithm is higher than
$1 - \frac{1}{q^2}$, where $q = \frac{L}{2\sigma'}$ and $\sigma'$ is the standard deviation
of the RTT. We know that the standard deviation of the RTT is close to the standard
deviation of ΔRTT, i.e. $\sigma' \approx \sigma$, so $v \approx q$. Therefore, our algorithm
has nearly the same accuracy rate as SDBA. Yang [51] reported that the accuracy rate
for his SDBA experiment examples was higher than 97%.
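The two Chebyshev bounds of Sections 3.4.1 and 3.4.2, as an added Python example rather than code from the thesis. `matching_rate_bound` and `accuracy_rate_bound` are the inequalities above in the document's symbols (FR, σ, u, L, v); `normal_matching_rate` is an addition that assumes ΔRTT is zero-mean normal, as Figure 3.3 suggests, to show how conservative the distribution-free Chebyshev bound is; `delta_rtt_sigma` and `min_send_interval` compute σ and L from an RTT/ERTT sequence and the send timestamps. The sample sequences are constructed, and all function names are this example's own.

```python
"""Chebyshev bounds for the EBA matching rate (3.4.1) and accuracy rate (3.4.2).

Added example, not the thesis's code. Times are in ms.
"""
import math
import statistics


def matching_rate_bound(fr, sigma):
    """P(|RTT_i - ERTT_i| <= FR) >= 1 - 1/u^2, with u = FR / sigma (Section 3.4.1)."""
    u = fr / sigma
    return 1.0 - 1.0 / (u * u)


def accuracy_rate_bound(min_interval, sigma):
    """P(correct choice of P_ei for P_si) >= 1 - 1/v^2, with v = L / (2 sigma) (3.4.2)."""
    v = min_interval / (2.0 * sigma)
    return 1.0 - 1.0 / (v * v)


def normal_matching_rate(fr, sigma):
    """Exact P(|dRTT| <= FR) if dRTT ~ N(0, sigma^2): erf(u / sqrt 2).

    Chebyshev makes no distributional assumption, so its bound never exceeds this.
    """
    return math.erf(fr / sigma / math.sqrt(2.0))


def delta_rtt_sigma(rtts, ertts):
    """sigma: population standard deviation of dRTT_i = RTT_i - ERTT_i."""
    return statistics.pstdev([r - e for r, e in zip(rtts, ertts)])


def min_send_interval(send_times):
    """L: the smallest interval between two consecutive send packets (sorted times)."""
    return min(b - a for a, b in zip(send_times, send_times[1:]))


def eba_bounds(rtts, ertts, send_times, fr):
    """Both bounds for one connection, from its measured sequences."""
    sigma = delta_rtt_sigma(rtts, ertts)
    min_interval = min_send_interval(send_times)
    return {
        "sigma": sigma,
        "L": min_interval,
        "matching_rate": matching_rate_bound(fr, sigma),
        "accuracy_rate": accuracy_rate_bound(min_interval, sigma),
        "normal_matching_rate": normal_matching_rate(fr, sigma),
    }


# Constructed sequences in ms, not measured data.
SAMPLE_RTTS = [152.0, 155.0, 148.0, 153.0, 149.0, 151.0, 153.0]
SAMPLE_ERTTS = [152.0, 152.0, 152.4, 151.8, 152.0, 151.6, 151.5]
SAMPLE_SEND_TIMES = [5000.0, 5300.0, 5600.0, 5650.0, 6200.0, 6500.0, 6550.0]

if __name__ == "__main__":
    for sigma in (1.771, 5.538, 9.043):   # Table 3.2 rows 1, 4 and 6
        print(sigma, round(100 * matching_rate_bound(30.0, sigma), 3),
              round(100 * normal_matching_rate(30.0, sigma), 3))
    print(eba_bounds(SAMPLE_RTTS, SAMPLE_ERTTS, SAMPLE_SEND_TIMES, fr=30.0))
```

With FR = 30 ms and σ = 9.043 ms (u ≈ 3.3) the Chebyshev bound guarantees only about 91%, while a zero-mean normal ΔRTT would give above 99.9%; the bound is the guaranteed floor, which is what the text relies on, not an estimate of the typical rate. Note also that the accuracy bound only helps when L/2 is comparable to FR: when keystrokes arrive closer together than 2FR, v becomes small and the bound says nothing.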
3.5 Application
To obtain comparable results, we also implemented the other real-time RTT-getting
algorithms, the Greedy and Conservative algorithms [16]. To test the accuracy of the
RTT-getting algorithms, we applied the “Step-Function” stepping stone detection
approach [16] and determined whether each RTT-getting algorithm was accurate
enough to be used for detecting stepping stones.
The “Step-Function” approach monitors the steps in the RTT changes on an
interactive connection, which reflect the number of connections in its downstream
connection chain. When the number of RTT steps exceeds a specified number, the
connection is considered a stepping stone connection, and further action such as
blocking or trace-back may be taken. Since the RTT-getting algorithms are responsible
for obtaining stepping stone RTTs in real-time, we concentrated our experiments on
the RTT values each RTT-getting algorithm obtains and on the levels at which the
RTT changes.
We evaluated our experiments from two perspectives: whether the RTT-getting
algorithms obtain RTTs at a single level for a single connection, and whether they
obtain RTTs with the correct number of levels while a connection chain is being
established. In addition, as mentioned before, the typing speed and the commands
entered affect the ordering and mapping of send and echo packets. So we also
conducted our experiments in two modes: slow typing speed with simple commands,
and quick typing speed with complex commands.
To begin with, we built a connection in the Internet by SSH from host H1 to host
H2. We then captured the SSH packets and applied Greedy, Conservative and EBA
algorithms concurrently at host H1 from the time that host H2 was first connected. We
input simple commands by slow typing speed and complex commands with quick
typing speed respectively at the connection terminal of H1. We obtained the results by
simple inputting commands and slow typing speed as shown in Figure 3.5 and the
result by complex inputting commands and quick typing speed as shown in Figure 3.6,
where X-axis represents the send packet number, and Y-axis represents RTT values in
units of ms.
From Figure 3.5, we see that the RTTs from all three algorithms are concentrated
around one level, if we ignore the large spikes. Even so, the EBA algorithm is
apparently better than the Greedy and Conservative algorithms, as all of its RTT
results lie closely around 47 ms.
Figure 3.5. One connection with simple inputting commands by slow typing speed
(three panels, Greedy, Conservative and EBA, with 314, 303 and 296 send packets on
the X-axis respectively; Y-axis: RTT in ms, from 0 to 600)
In Figure 3.6, the RTTs obtained by the Greedy algorithm are concentrated around
three levels, so the “Step-Function” approach would incorrectly consider it a
connection chain with three connections. The Conservative algorithm obtained only
38 RTTs, far fewer than the 217 RTTs for the Greedy algorithm and the 207 RTTs for
the EBA algorithm; with so few RTTs it is hard for the “Step-Function” approach to
judge what kind of connection it is. For the EBA algorithm, all the RTTs obtained lie
closely around 49 ms, so the “Step-Function” approach can identify it as a single
connection.
Figure 3.6. One connection with complex inputting commands by quick typing speed
(three panels, Greedy, Conservative and EBA, with 217, 38 and 207 send packets on
the X-axis respectively; Y-axis: RTT in ms, from 0 to 1000)
We then built a connection chain by SSH from host H1 to host H2, then to host H3,
and then to host H4. We captured the SSH packets and applied the Greedy,
Conservative and EBA algorithms concurrently at host H1, from the time host H2 was
first connected until the whole connection chain was built. While the chain was being
built we input simple commands at slow typing speed and complex commands at quick
typing speed, respectively, at the connection terminal of H1. The results for simple
commands and slow typing speed are shown in Figure 3.7 and the results for complex
commands and quick typing speed in Figure 3.8, where the X-axis represents the send
packet number and the Y-axis represents RTT values in ms.
Figure 3.7. One chain with simple inputting commands by slow typing speed (three
panels, Greedy, Conservative and EBA; X-axis: send packets; Y-axis: RTT in ms,
from 0 to 1000)
In Figure 3.7, the RTTs obtained by the Greedy and Conservative algorithms are
approximately clustered around three levels. But both have too many large spikes,
which may affect the identification of steps by the “Step-Function” approach.
From Figure 3.8, we see that the RTTs obtained by the Greedy algorithm are
clustered around many levels, so the “Step-Function” approach would count more
connections in the chain than there actually are. The Conservative algorithm obtained
only 200 RTTs, far fewer than the 970 and 898 RTTs obtained by the Greedy and EBA
algorithms respectively.
Figure 3.8. One chain with complex inputting commands by quick typing speed (three
panels, Greedy, Conservative and EBA, with 970, 200 and 898 send packets on the
X-axis respectively; Y-axis: RTT in ms, from 0 to 1000)
In both Figure 3.7 and Figure 3.8, all the RTTs obtained by the EBA algorithm lie
closely around three levels: 47 ms, 102 ms and 170 ms. Therefore, the RTTs obtained
by the EBA algorithm correctly reflect how many connections are in the downstream
connection chain, regardless of typing speed and the commands entered.
Across all our experimental results, the numbers of send packets matched by the
EBA algorithm are all slightly smaller than those matched by the Greedy algorithm.
We computed the ratio between the EBA and Greedy send packet counts for the above
figures, and all were higher than 90%. As the Greedy algorithm matches every send
packet, whether or not it has a corresponding echo packet, the real number of send
packets with corresponding echo packets must be smaller than the Greedy count. We
are therefore confident that the real matching rate for the above figures is higher than
90%.
We also obtained the standard deviations of ΔRTT for the above figures, which lie
between 1.771 ms and 9.043 ms. Although we cannot derive an exact accuracy rate
from these figures, our algorithm obtains RTTs precise enough to detect stepping
stones over a wide range of ΔRTT standard deviations.
3.6 Summary
RTTs are critical for stepping stone detection approaches, but obtaining precise
stepping stone RTTs in real-time remains a challenge. In this chapter, we proposed a
novel real-time RTT-getting algorithm which can be used continuously by RTT based
stepping stone detection approaches to detect stepping stones, and used sparingly by
other, non-RTT based stepping stone detection approaches to obtain the values of their
parameters. Our probability analysis shows that the algorithm has a matching rate of
more than 90% and an accuracy rate comparable to that of the more complex,
non-real-time RTT-getting algorithm SDBA. Our experimental results show that our
algorithm is much more precise than previous real-time methods for the detection of
stepping stones.
Chapter 4
Detecting Stepping Stones in Real Internet Environments
Stepping stones are often used by network intruders to launch attacks. However, current stepping stone detection approaches are hardly applicable in real Internet environments because of their demands on storage, computation and monitoring time. In this chapter, we propose a simple but effective stepping stone detection scheme that reduces these demands. Our experiments show that the proposed approach achieves more than 90% accuracy by monitoring for 2 seconds and more than 95% accuracy by monitoring for 10 seconds, all at low computational cost.
4.1 Introduction
A stepping stone detection system normally detects stepping stones in a network by searching for correlations, such as identical payload or similar packet timing, between interactive connections at network borders or routers. If a pair of interactive connections is detected as part of a stepping stone chain, they can be blocked immediately to stop the attack and prevent further harm; alternatively, the detections can be compiled in the hope of tracing the stepping stone path to identify the source of the attack.
To prevent such attacks, a stepping stone detection approach should identify correlated connections correctly and as quickly as possible, since many attackers launch their attacks within a very short time to evade detection, and the quicker the response, the less harm is done. For trace-back and identification of the source of an attack, real-time, quick response also matters because attackers have many excuses and techniques (such as a spoofed IP address) to deny their activity when no on-the-spot evidence is available. However, current approaches seldom take responsiveness into consideration (see Chapter 2 for related work).
Meanwhile, a stepping stone detection approach should not assume that no packets are dropped during transmission on the Internet. Omar et al. [44] report that packet dropping, which [5][8][9][10][21] assume away, does occur across wide-area networks. The accuracy of approaches that rely on such an assumption is therefore doubtful when they are applied in real Internet environments.
Besides responsiveness and the no-packet-dropping assumption, a practical stepping stone detection approach should have low storage and computation demands. It is not hard to find correlations through complex computation, but when applied in a real environment a stepping stone detection programme should not overburden the whole system.
As shown in Table 4.1, among current stepping stone detection approaches only sketching [35] takes all three factors into consideration, but it has low accuracy. In this chapter, we propose the Packet Delay Bidirectional Comparison (PDBC) scheme, a simple but practical stepping stone detection algorithm. It makes no no-packet-dropping assumption and is designed for high efficiency. Our experiments and analysis show that the scheme has high accuracy and quick responsiveness along with low storage and computation costs, and that it is also resistant to chaff. We also present a comparison with previous methods, including the sketching approach.
The rest of the chapter is organised as follows. Section 4.2 gives the definitions and a property of packet delay. We describe the scheme in Section 4.3, and experimental results are given in Section 4.4. Finally, we summarise the chapter in Section 4.5.
4.2 Definitions and a Property of Packet Delay
In this section we begin by defining some terms, and then present a property of packet delay.
4.2.1 Related Definitions
Definition 4.1 (RTT) The packets sent in interactive connections from an attacker (client) to a target (server) are called send packets, and the packets sent in the reverse direction are called echo packets. The time delay between a send packet and the corresponding echo packet on a connection is called the Round-Trip Time (RTT) for this interactive connection.
Table 4.1. Practical features comparison among the encrypted-traffic stepping stone detection approaches
Approach          Quick responsiveness            No-packet-dropping assumption   Computation complexity         Storage demand
ON/OFF            No                              No                              low                            high
Deviation         No                              No                              high                           high
IPD               Requires a few dozen packets    No                              high                           high
Multiscale        No                              Yes                             low                            low
DA                No                              Yes                             low                            low
DMV               No                              Yes                             low                            low
DM                No                              Yes                             high                           high
SI,SII,SIII,SIV   No                              Yes                             Depends on algorithm           high
RTT-Thumbprint    No                              Yes                             high                           high
Sketching         Designed to respond quickly     No                              Designed to run efficiently    Depends on sketches
Definition 4.2 (RTT sequence) An RTT sequence $Rtt_a$ is a series of RTTs in chronological order obtained by an RTT getting algorithm on connection $a$. Let $Rtt_a = \{Rtt_a^1(t_a^1), Rtt_a^2(t_a^2), \ldots, Rtt_a^i(t_a^i), \ldots\}$ $(i > 0)$, where $Rtt_a^i$ $(i > 0)$ is the $i$th RTT obtained by the RTT getting algorithm for interactive connection $a$, and $t_a^i$ is the arrival epoch of the echo packet from which the $i$th RTT on connection $a$ is obtained. For ease of describing the algorithm, the RTT sequence representation here differs slightly from the definition in Section 3.3.
Definition 4.3 (Upstream and downstream connection) We say that connection $a$ is an upstream connection of connection $b$, and $b$ is a downstream connection of $a$, when $a$ and $b$ are in the same connection chain and $Rtt_a > Rtt_b$ at around the same time.
Because an upstream connection has more relay nodes below it than its downstream connection, for the same relayed send packet the RTT on the upstream connection is larger than the RTT on the downstream connection.
Definition 4.4 (Correlated connections) We say that connections $a$ and $b$ are correlated connections if $a$ and $b$ are in the same connection chain.
4.2.2 Property of Packet Delay
Theorem 4.1. Let interactive connections $a$ and $b$ be in the same connection chain, with connection $a$ the upstream connection of connection $b$, and let $Rtt_a^n(t_a^n)$ and $Rtt_b^m(t_b^m)$ be the RTTs obtained for connections $a$ and $b$ respectively from the same original send packet. Then
$$E\big(Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)\big) = 0$$
if the routes of the send packets are the same as those of the corresponding echo packets.
Proof. The packet delay consists of four components: processing delay, queuing delay, transmission delay and propagation delay [69]. Given a packet of size $p$ that traverses a path of $h$ hops, each link $i$ having capacity $C_i$ and propagation delay $\tau_i$, the propagation and transmission delays can be written as
$$T_{propagation} = \sum_{i=1}^{h} \tau_i, \qquad T_{transmission} = \sum_{i=1}^{h} \frac{p}{C_i}.$$
Applying the Kleinrock independence approximation [99], each link can be modelled as an M/M/1 queue [90]. The average number of packets in the queues is
$$N = \sum_{i=1}^{h} \frac{\lambda_i}{\mu_i - \lambda_i}$$
(where $\lambda_i$ and $\mu_i$ are the arrival rate and service rate of link $i$). Applying Little's Law [81], the average queuing delay per packet is
$$T_{queuing} = \frac{1}{\lambda} \sum_{i=1}^{h} \frac{\lambda_i}{\mu_i - \lambda_i}$$
(where $\lambda$ is the total arrival rate). Ignoring the processing delay, the average packet delay is
$$T = T_{propagation} + T_{transmission} + T_{queuing} = \sum_{i=1}^{h} \tau_i + \sum_{i=1}^{h} \frac{p}{C_i} + \frac{1}{\lambda} \sum_{i=1}^{h} \frac{\lambda_i}{\mu_i - \lambda_i}.$$
Let the send packet delay from connection $a$ to connection $b$ be $T_{ab}$, and the echo packet delay from connection $b$ to connection $a$ be $T_{ba}$, as shown in Figure 4.1. If the route of a send packet is the same as that of the corresponding echo packet, the links from connection $a$ to connection $b$ are the same as the links from $b$ to $a$, so every parameter of $T_{ab}$, including $\tau_i$, $C_i$, $\lambda_i$, $\mu_i$ and $\lambda$, is the same as the corresponding parameter of $T_{ba}$. The send packet and the corresponding echo packet also have the same size. Hence
$$E(T_{ab}) = E(T_{ba}).$$
Figure 4.1. Stepping stone packet delay (attacker → stepping stone a → stepping stone b → target; send and echo packets, RTT_a and RTT_b, and the one-way delays T_ab and T_ba; image not reproduced)
Let the RTT from connection $a$ to connection $b$ be $RTT_{ab}$, so that $RTT_{ab} = T_{ab} + T_{ba}$. By the definitions we get
$$RTT_{ab} = Rtt_a^n - Rtt_b^m, \qquad T_{ba} = t_a^n - t_b^m, \qquad T_{ab} = RTT_{ab} - T_{ba}.$$
Then we obtain
$$E(T_{ab}) - E(T_{ba}) = E\big(Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)\big) = 0.$$
Table 4.2. Real-time comparing processing in the PDBC algorithm
PDBC_compare($Rtt_a^n$, $Rtt_b$)
  If ($Rtt_a > Rtt_b$)
    For (m from the last index of the RTT sequence $Rtt_b$ down to the first index)
      If ($t_a^n - Rtt_a^n > t_b^m - Rtt_b^m$)
        UCV_ab++;
        Break;
      Else if ($|Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)| < \delta$)
        CV_ab++;
        Break;
      Endif
    Endfor
  Endif
4.3 Algorithm and Analysis
4.3.1 PDBC Algorithm
Based on Theorem 4.1, we designed the Packet Delay Bidirectional Comparison (PDBC) algorithm, which examines interactive connections and determines within a specified monitoring time whether a pair of connections is correlated, i.e. whether the two connections are in the same connection chain. It can run at a network gateway node or as an independent process on a stepping stone host.
When packets arrive on an interactive connection, PDBC first calculates the RTT in real time using an RTT getting algorithm. We use the Estimation-Based RTT getting Algorithm (EBA) proposed in Chapter 3, because it is far more precise than other real-time RTT getting algorithms, as analysed in Chapter 3.
Once a new RTT $Rtt_a^n(t_a^n)$ is obtained on connection $a$, the algorithm compares it against every other connection whose RTT is smaller than the current one. If there exists an RTT $Rtt_b^m(t_b^m)$ on the compared connection $b$ such that
$$|Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)| < \delta \qquad (1)$$
we increase the correlated value (CV) for this pair of connections; otherwise (as soon as the compared connection's send packet epoch precedes that of the new RTT, see Table 4.2) we increase the uncorrelated value (UCV) for the pair. The detailed processing for comparing a new RTT $Rtt_a^n(t_a^n)$ with the RTT sequence $Rtt_b$ of another connection is shown in Table 4.2.
When the monitoring time expires, we calculate the correlated rate (CR) as
$$CR = \frac{CV}{CV + UCV}.$$
If the CR for a pair of connections is higher than a specified threshold $\theta$, we consider it a pair of correlated connections; otherwise it is considered a normal connection pair. The detailed processing when the monitoring time expires for a compared pair is shown in Table 4.3.
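The comparison of Table 4.2, the decision of Table 4.3 and the MRTT-based pruning of stored RTTs described in Section 4.3.2 can be exercised end to end on constructed RTT sequences. The following Python script is an added example for this chapter, not the thesis's own PDBC implementation; the chain timings (T_ab = T_ba = 20 ms, Rtt_b = 50 ms, an unrelated connection c with a 40 ms RTT), the deterministic jitter pattern, the 0.5 s typing interval, the connection names and all helper function names are assumptions of the example. It replays the RTTs of an upstream connection a, its downstream connection b and the unrelated connection c in echo-arrival order, keeps CV and UCV per pair, applies the CR threshold θ when the monitoring time expires, and reports the false negative, false positive and accuracy rates as defined in Section 4.4.1.

```python
"""PDBC (Packet Delay Bidirectional Comparison) replayed over RTT sequences.
Added example, not the thesis's code. An RTT record is (echo epoch t, RTT) as in
Definition 4.2, so its send packet epoch is t - RTT. All timings are constructed."""
from collections import defaultdict

DELTA = 0.030   # delta: tolerated |T_ab - T_ba| in seconds (30 ms in the text)
THETA = 0.2     # theta: correlated-rate threshold (0.2 in the text)
MRTT = 0.100    # assumed largest RTT among monitored connections, for pruning


def pdbc_compare(new, b_records, delta=DELTA):
    """Table 4.2: compare a new RTT (t_a, rtt_a) with the stored RTT sequence of a
    connection b whose RTT is smaller. Returns 'CV', 'UCV' or None (no verdict)."""
    t_a, rtt_a = new
    send_a = t_a - rtt_a
    for t_b, rtt_b in reversed(b_records):            # most recent RTT on b first
        send_b = t_b - rtt_b
        if send_a > send_b:
            return "UCV"   # b's send packet predates a's; older records are older still
        if abs(rtt_a - rtt_b - 2.0 * (t_a - t_b)) < delta:   # equation (1)
            return "CV"
    return None


class PDBC:
    def __init__(self, delta=DELTA, mrtt=MRTT):
        self.delta, self.mrtt = delta, mrtt
        self.records = defaultdict(list)   # connection -> recent [(t, rtt), ...]
        self.cv = defaultdict(int)         # (conn, other) -> correlated value
        self.ucv = defaultdict(int)        # (conn, other) -> uncorrelated value

    def on_rtt(self, conn, t, rtt):
        """Feed one RTT obtained on `conn` at echo epoch t, in chronological order."""
        for other, recs in self.records.items():
            if other == conn or not recs or recs[-1][1] >= rtt:
                continue                   # compare only against smaller RTTs
            verdict = pdbc_compare((t, rtt), recs, self.delta)
            if verdict == "CV":
                self.cv[(conn, other)] += 1
            elif verdict == "UCV":
                self.ucv[(conn, other)] += 1
        recs = self.records[conn] + [(t, rtt)]
        # Storage bound (Section 4.3.2): RTTs older than MRTT can never match again
        self.records[conn] = [r for r in recs if r[0] >= t - self.mrtt]

    def decide(self, pair, theta=THETA):
        """Table 4.3: CR = CV / (CV + UCV); above theta the pair is CORRELATED."""
        cv, ucv = self.cv[pair], self.ucv[pair]
        return "CORRELATED" if cv + ucv and cv / (cv + ucv) > theta else "NORMAL"


def build_chain(n_sends=20, interval=0.5, t_ab=0.020, t_ba=0.020, rtt_b=0.050):
    """Constructed chain (Figure 4.1): send seen on upstream a, on downstream b after
    T_ab; echo seen on b, on a after T_ba. Deterministic -5..+5 ms jitter (assumed)."""
    a, b = [], []
    for k in range(n_sends):
        send_a = 0.1 + k * interval
        jitter = ((k * 7) % 11 - 5) / 1000.0
        send_b = send_a + t_ab + jitter
        echo_b = send_b + rtt_b
        echo_a = echo_b + t_ba - jitter
        b.append((echo_b, echo_b - send_b))
        a.append((echo_a, echo_a - send_a))
    return a, b


def build_normal(n_sends=20, interval=0.5, offset=0.35, rtt=0.040):
    """Constructed unrelated interactive connection c with its own typing rhythm."""
    return [(offset + k * interval + rtt, rtt) for k in range(n_sends)]


def evaluate(verdicts, truth):
    """False negative, false positive and accuracy rates as in Section 4.4.1."""
    corr = [p for p in truth if truth[p]]
    norm = [p for p in truth if not truth[p]]
    fn = sum(verdicts[p] == "NORMAL" for p in corr) / len(corr)
    fp = sum(verdicts[p] == "CORRELATED" for p in norm) / len(norm)
    expected = {p: "CORRELATED" if truth[p] else "NORMAL" for p in truth}
    acc = sum(verdicts[p] == expected[p] for p in truth) / len(truth)
    return fn, fp, acc


def run_demo(monitor_time=10.0):
    """Replay a, b (same chain) and c (unrelated) through PDBC for monitor_time s."""
    a, b = build_chain()
    c = build_normal()
    events = sorted([("a", t, r) for t, r in a] + [("b", t, r) for t, r in b]
                    + [("c", t, r) for t, r in c], key=lambda e: e[1])
    det = PDBC()
    for conn, t, rtt in events:
        if t > monitor_time:                           # monitoring time expired
            break
        det.on_rtt(conn, t, rtt)
    truth = {("a", "b"): True, ("a", "c"): False, ("b", "c"): False}
    verdicts = {p: det.decide(p) for p in truth}
    return verdicts, evaluate(verdicts, truth), det
```

Calling run_demo() returns the verdict per pair, the (false negative, false positive, accuracy) triple and the detector state; with the constructed timings the pair (a, b) accumulates only CV counts while (a, c) and (b, c) accumulate only UCV counts, because c's most recent send packet always precedes the new send packet on a or b. Note that the storage pruning keeps only one record per connection here, since the typing interval (0.5 s) is larger than MRTT; on a busier connection several recent RTTs remain stored and the loop in pdbc_compare walks them newest first, exactly as in Table 4.2.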
4.3.2 Analysis
Computation Time
During the comparison processing, we do not need to compare the new RTT with every RTT of the other connections. We only need to compare the RTTs whose send packet arrival epoch is later than the send packet arrival epoch of the new RTT. The question then arises: how many RTTs on another connection will be compared with the new RTT?
Table 4.3. Monitoring time expired processing in the PDBC algorithm
PDBC_Monitor_Expired(UCV_ab, CV_ab)
  CR = CV_ab / (CV_ab + UCV_ab);
  If (CR > $\theta$)
    Return CORRELATED;
  Else
    Return NORMAL;
Consider two connections $a$ and $b$ with $Rtt_a > Rtt_b$; let the total number of RTTs on connection $a$ be $n$, and let the packet arrival rate on connection $b$ be $\lambda$. When a new RTT is obtained on connection $a$, the RTTs to be compared on connection $b$ are those whose send packet arrived later than the new RTT's send packet and whose echo packet arrived earlier than the new RTT's echo packet, i.e. the packets sent on connection $b$ during an interval of length $Rtt_a - Rtt_b$. Let $p$ be the average number of RTTs on connection $b$ compared with one RTT on connection $a$. Then
$$p = \lceil (Rtt_a - Rtt_b)\lambda \rceil + 1 \quad \text{for a correlated connection pair (the matching RTT itself is always a candidate),}$$
$$p = \lceil (Rtt_a - Rtt_b)\lambda \rceil \quad \text{for a normal connection pair.}$$
The computation time for comparing a pair of connections is therefore $O(\lceil (Rtt_a - Rtt_b)\lambda \rceil n + n)$ for a correlated pair and $O(\lceil (Rtt_a - Rtt_b)\lambda \rceil n)$ for a normal pair. Generally $\lceil (Rtt_a - Rtt_b)\lambda \rceil$ is small if no deliberate delay is added; in our experiments it was 0 in most cases, which makes the computation time no larger than $O(n)$.
Storage demand
On the other hand, because only a limited number of recent RTTs need to be compared, the algorithm does not need to store all RTTs. Suppose the maximum RTT value over all compared interactive connections is MRTT. When a new RTT is obtained on an interactive connection, the algorithm checks whether there are stored RTTs on this connection whose epochs are more than MRTT earlier than the current time, and if so they are deleted from storage. Therefore,
PDBC requires little storage.
Parameters selection
According to the Chebyshev inequality (Kao [1996]; Feller [1968]) and Theorem 4.1, we get
$$P\big(|Rtt_a^n(t_a^n) - Rtt_b^m(t_b^m) - 2(t_a^n - t_b^m)| < \delta\big) = P\big(|T_{ab} - T_{ba} - E(T_{ab} - T_{ba})| < \delta\big) \ge 1 - \left(\frac{\sigma_{T_{ab} - T_{ba}}}{\delta}\right)^2,$$
where $\sigma_{T_{ab} - T_{ba}}$ is the standard deviation of $T_{ab} - T_{ba}$. Therefore, the larger $\delta$ is, the higher the probability that a correlated pair satisfies equation (1); however, the probability that a normal pair satisfies it by chance rises as well, so the accuracy decreases.
For the CR threshold parameter $\theta$, decreasing $\theta$ increases the probability that correlated connections are detected as correlated, but the probability that normal connections are judged correlated increases as well.
This means the two parameters must be balanced and suitable values selected for the application. Our experiments show the impact of different parameter values; when $\delta$ is set to 30 ms and $\theta$ is set to 0.2, we achieve the highest accuracy.
Asymmetric Routing
Because Internet routing normally follows shortest-path rules, the routes of send packets are normally the same as those of the corresponding echo packets. Nevertheless, asymmetric routing does occur. For such situations we introduce an asymmetry parameter $\varepsilon$ relating the two directions, $E(T_{ab}) = \varepsilon E(T_{ba})$, so that $\varepsilon = 1$ recovers the symmetric case of Theorem 4.1, and change equation (1) to equation (2):
$$|Rtt_a^n - Rtt_b^m - (1 + \varepsilon)(t_a^n - t_b^m)| < \delta \qquad (2)$$
Chaff resistance
Attackers may also introduce superfluous packets, called chaff, which carry no useful information and are not relayed to the next flow of the chain, in order to perturb the timing information. In fact, when packets are transmitted on the Internet, packet merging, packet drops and packet retransmissions occur, which can be regarded as natural chaff perturbation. Therefore, a stepping stone detection approach should not assume there are no packet drops, and should be resistant to chaff to some extent.
Since PDBC is based on the RTTs obtained by the EBA algorithm, which is able to filter unmatched packets as analysed in Chapter 3, the PDBC scheme is also resistant to chaff.
4.4 Experiments
4.4.1 Data Source and Testing Method
Data from a LAN environment or a simulation generally presents a one-to-one mapping between packets, which makes stepping stone detection easier. To test the applicability of stepping stone detection approaches, the data must be real data from the Internet. To obtain it, we designed a topology in an Internet environment and collected real stepping stone connection chain data for testing the detection approaches.
We built two separate connection chains on the Internet by SSH, from host H1 and host H2, both passing through host H3, then hosts H4, H5 and H6, and finally connecting to host H7. H4 and H6 are in the same network segment, as shown in Figure 4.2; the other hosts were located in different areas of Melbourne, Australia. Once all the connection chains were established we started capturing packets at host H4, then entered commands quickly and concurrently at the terminals of H1 and H2 for about three minutes, after which we stopped capturing.
Figure 4.2. Experimental topology for data source
Since H4 and H6 are in the same network segment, the captured data contains eight SSH connections belonging to two connection chains. This gives a total of 28 connection pairs, of which 12 are correlated pairs and 16 are uncorrelated pairs. As it is easier to detect stepping stones in light traffic, we entered commands quickly so as to obtain at least normal traffic. During the experiment we found more than 7% retransmitted packets on some connections, higher than the normal 1%-6% Internet retransmission rate [53]. In addition, the packet count differences between connections in some connection chains were more than 17%, which means many packets were dropped or merged during transmission along the connection chains. Therefore, the captured data can be regarded as Internet data with normal or even heavy traffic.
With the captured data, we can run the stepping stone detection approaches from a start epoch in the captured data until a specified monitoring time (such as 10 seconds) has elapsed, and then output the result for every connection pair. More results are obtained by selecting different start epochs. We use the epochs at every 500 ms along the data source as start epochs and run all of the selected start epochs. Each run yields 28 results, giving a total of more than 8000 results for a monitoring time of 10 seconds. From these results we calculated the accuracy, using the terms below.
False negative: the rate at which a correlated connection pair is judged as a normal connection pair.
False positive: the rate at which a normal connection pair is judged as a correlated connection pair.
Accuracy: the rate at which a correlated connection pair is judged as a correlated connection pair and a normal connection pair is judged as a normal connection pair.
Figure 4.3. False negative with different δ (plot of false negative rate, 0 to 0.2, against monitoring time in seconds, 0 to 80, for PDBC with δ = 20, 30, 40 and 50 ms; image not reproduced)
Figure 4.4. False positive with different δ (plot of false positive rate, 0 to 0.2, against monitoring time in seconds, 0 to 80, for PDBC with δ = 20, 30, 40 and 50 ms; image not reproduced)
As attackers may add chaff to evade detection, we also created chaff-inserted data by introducing chaff packets into the original captured data at random times with different chaff rates, the chaff rate being the ratio of the number of introduced chaff packets to the number of original send packets.
4.4.2 Experimental Results
4.4.2.1 Impact of Parameters
In our experiments there are two parameters: δ, the maximum deviation of the packet delay difference between the two directions, and θ, the CR threshold. We ran the PDBC scheme on the original captured data and tested the impact of the parameters on the accuracy of the algorithm.
Figure 4.3 and Figure 4.4 show the false negative and false positive results respectively for different δ and different monitoring times. Both the false negative and the false positive decrease as the monitoring time increases, but the false negative decreases and the false positive increases as δ increases, which is consistent with our previous analysis. To achieve the highest accuracy, we set δ to 30 ms in later experiments.
Figure 4.5 and Figure 4.6 show the false negative and false positive results respectively for different θ and different monitoring times. Both the false negative and the false positive decrease as the monitoring time increases, but the false negative increases and the false positive decreases as θ increases. To achieve the highest accuracy, we set θ to 0.2 in later experiments.
Figure 4.5. False negative with different θ (plot of false negative rate, 0 to 0.5, against monitoring time in seconds, 0 to 80, for PDBC with θ = 0.1, 0.2, 0.3, 0.4 and 0.5; image not reproduced)
Figure 4.6. False positive with different θ (plot of false positive rate, 0 to 0.5, against monitoring time in seconds, 0 to 80, for PDBC with θ = 0.1, 0.2, 0.3, 0.4 and 0.5; image not reproduced)
Figure 4.7. False negative for PDBC, sketching and IPD (plot of false negative rate in %, 0 to 100, against monitoring time in seconds, 0 to 80; image not reproduced)
Figure 4.8. False positive for PDBC, sketching and IPD (plot of false positive rate in %, 0 to 100, against monitoring time in seconds, 0 to 80; image not reproduced)
4.4.2.2 Responsiveness and Accuracy
To compare our algorithm with previous approaches, we also implemented the IPD [4] and sketching [35] approaches, which are the only two approaches that take responsiveness into consideration, as shown in Table 4.1. The parameters used in our experiments are shown in Table 4.4; they gave the best results for each approach.
Figures 4.7, 4.8 and 4.9 show the false negative, false positive and accuracy results of PDBC compared with the IPD and sketching approaches on the original captured data. While both the false negative and the false positive of the PDBC and sketching approaches drop as the monitoring time increases, for IPD the false negative and the false positive move in different directions as the monitoring time increases. Consequently the accuracy of the PDBC and sketching approaches rises to 100% as the monitoring time increases, whereas the accuracy of IPD first rises to around 95% and then drops as the monitoring time increases, although the sketching approach shows clearly lower accuracy when the monitoring time is shorter than 60 seconds. For PDBC, even with a monitoring time of 2 seconds the accuracy is above 90%, while the other two approaches reach only around 50%. In addition, the accuracy of PDBC is higher than 95% when the monitoring time is longer than 10 s and reaches 100% when the monitoring time is longer than 60 s.
Figure 4.9. Accuracy for PDBC, sketching and IPD (plot of accuracy in %, 40 to 100, against monitoring time in seconds, 0 to 80; image not reproduced)
Table 4.4. Parameters for PDBC, sketching and IPD
Approach    Parameters
PDBC        δ = 30 ms, θ = 71
Sketching   slot = 1500 ms, th resh = 71
IPD         window_size = 10, point_thresh = 0.8, thresh = 0.7
4.4.2.3 Chaff perturbation
To test whether the stepping stone detection approaches are resistant to chaff, we ran them on the chaff-inserted data with different chaff rates.
Figure 4.10 shows the accuracy of PDBC with chaff rates of 0, 10%, 20% and 40%. PDBC is hardly affected by chaff. The accuracy of sketching and IPD with different chaff rates is shown in Figure 4.11 and Figure 4.12 respectively; both are affected by chaff, IPD especially.
Figure 4.10. Accuracy for PDBC with different chaff rates (plot of accuracy in %, 40 to 100, against monitoring time in seconds, 0 to 80, for chaff rates 0, 10%, 20% and 40%; image not reproduced)
Figure 4.11. Accuracy for sketching with different chaff rates (plot of accuracy in %, 40 to 100, against monitoring time in seconds, 0 to 80, for chaff rates 0, 10%, 20% and 40%; image not reproduced)
Figure 4.12. Accuracy for IPD with different chaff rates (plot of accuracy in %, 40 to 100, against monitoring time in seconds, 0 to 80, for chaff rates 0, 10%, 20% and 40%; image not reproduced)
4.4.2.4 Performance
We recorded the execution time for running the three stepping stone detection approaches within the specified monitoring time, with the start epoch moving from the beginning to the end of the data source. Pre-processing, such as calculating RTTs, calculating packet counts in slots and calculating inter-packet delays, was done only once, so the execution time reflects only the comparison processing. We found these execution times to be relatively stable; the average values are shown in Table 4.5. Since the computation time for PDBC is no larger than $O(n)$ in our experiments, the execution time for PDBC changes only slightly for different monitoring times. Because IPD compares every packet with a window of packets, its execution time grows much faster than linearly with the monitoring time (Table 4.5). For the sketching scheme, one of the main computing costs is calculating the sketches, which grows linearly.
Table 4.5. Execution time for PDBC, IPD and sketching
Approach    Execution time (10 s monitored)    Execution time (40 s monitored)    Execution time (80 s monitored)
PDBC        3.281 s                            3.281 s                            3.343 s
IPD         4.109 s                            22.187 s                           52.437 s
Sketching   4.640 s                            7.578 s                            8.640 s
4.5 Summary
Quick responsiveness with high accuracy and low computation cost is the critical challenge in applying stepping stone detection approaches in the real Internet environment. In this chapter, we propose a simple but practical stepping stone detection algorithm which has lower storage and computation costs than existing algorithms. The experimental results demonstrate that our method achieves more than 90% accuracy within 2 seconds and 100% accuracy within 60 seconds, much better than the IPD and sketching approaches, which were the only two previous approaches taking responsiveness into consideration. Our experiments also demonstrate that our approach is resistant to chaff.
Chapter 5
Detecting Chaffed and Jittered Stepping Stone Connections
Packet timing or frequency (count) characteristics are the foundations commonly employed in detecting stepping stones. However, these characteristics may be altered by attackers introducing jitter and chaff into stepping stone connections. The timing causality that a packet has to arrive before it can leave a node, on the other hand, cannot be changed. In this chapter, based on two Poisson process models, we formulate and prove two separate upper bounds on the probability that normal connections exhibit the timing causality of correlated connections. Based on these two upper bounds, we propose two novel parameter-free algorithms that detect stepping stones accurately even under large jitter and a high chaff rate. We compare our algorithms with previous ones, and our experiments show that our algorithms are more resistant to chaff and jitter than the previous ones, while maintaining high accuracy for detecting normal stepping stones with no chaff or jitter perturbation. We also compare our two algorithms with each other through analysis and experimentation.
5.1 Introduction
Current stepping stone detection approaches [2, 3, 4, 5, 8, 9, 10, 21, 35] are predominantly based on timing or frequency characteristics that may be altered during packet transmission on the Internet. Additionally, attackers may introduce random jitter delays before packets depart from stepping stones, or insert chaff (superfluous packets which contain no useful information and are not relayed by the stepping stones) into the original attack flow on the stepping stones, which can completely break the timing and frequency features.
However, the timing causality that a packet must arrive before it can leave a node does not change. Therefore, the packet arrival epochs on stepping stones preserve the order of the stepping stone chain. But this timing causality between correlated stepping stone connections may appear between normal connections as well. In our experiments we paid much attention to normal connections rather than stepping stone connections, and found an upper bound on the probability that normal connections exhibit the timing causality of correlated stepping stone connections. Based on these upper bounds, we designed the Abnormal Probability Detection algorithm (APD) and the Speedy Abnormal Probability Detection algorithm (SAPD), which can accurately detect stepping stones even under chaff and jitter perturbation. In this chapter we also compare our proposals with previous approaches.
The rest of this chapter is organised as follows. In Section 5.2, we present related
work on the ability of stepping stone detections to resist evasion. We also analyse and
explain the mathematical models of connection streams, and present proof for two
formulas on the upper bounds of probability based on two Poisson models in Section
5.3. Section 5.4 describes the detail of two algorithms based on the two formulas.
Section 5.5 explains our experimental results. And finally, we conclude this chapter in
Section 5.6.
5.2 Related Work
As many approaches were proposed to detect stepping stones, evasion techniques developed concurrently. First, encrypting stepping stone connections made the content-based approaches [1] unusable. Then the introduction of chaff and jitter perturbs the timing or frequency characteristics of stepping stones, which are the foundation of most stepping stone detection approaches [2, 3, 4, 5, 8, 9, 10, 21, 35]. The SNEAK attack tool [46] can even produce constant-rate streams by inserting jitter and chaff, removing the inter-packet information entirely.
These evasion techniques also caught the attention of researchers. Donoho et al. [5] argue that attackers have a maximum tolerable delay constraint, so that correlation between stepping stone connections can be detected regardless of chaff packets if the connections last long enough. Under the same maximum tolerable delay constraint, Blum et al. [8] present confidence bounds for stepping stone detection; their algorithm is based on the difference between the packet counts of two connections at a given time, which is expected to be low for correlated connections even with a few chaff packets. In [9], Zhang et al. propose several algorithms with a special focus on random delays and chaff. They compared most previous stepping stone detection approaches [2, 3, 4, 5, 8], and their experiments showed their proposals to be more effective at resisting chaff and jitter, although their algorithms also rest on the no-packet-dropping assumption and their experimental data are not real connection data. In [54], Wu et al. tried to improve the chaff resistance of [8], but assumed that chaff is introduced into only one connection of a correlated pair. Coskun et al. [35] proposed a sketching method and claimed that it resists chaff and jitter perturbation, but their experiments only cover small jitter and low chaff rates. Kampasi et al. [49] provide methods to improve stepping stone detection when jitter, chaff or both are introduced into a packet stream, but these methods serve only as supplements to other stepping stone detection approaches.
5.3 Probability Analysis
In this section, we begin by formally defining some terms. Then we introduce two network stream models. Based on these two models, we formulate and prove two different upper bounds on the probability that the timing causality of a stepping stone appears on normal connections.
5.3.1 Related Definitions
Normally attackers launch stepping stone attacks by constructing a chain of interactive connections through a series of compromised hosts (stepping stones) using protocols such as Telnet or SSH, as shown in Figure 5.1.
Definition 5.1 (RTT and timing causality) The packets sent in interactive
connections from an attacker (client) to a target (server) are called send packets, and
the packets sent in the reverse direction are called echo packets. The time delay
between the send packet and the corresponding echo packet on a connection is called
Round-Trip Time (RTT) for this interactive connection.
From Figure 5.1, and from the timing causality that a packet has to arrive at a node before it can leave it, we can see that the same send packet arrives first on stepping stone i-1 and then on stepping stone i. Once the send packet arrives at the target host, the corresponding echo packet is generated and sent back to stepping stone i, and then to stepping stone i-1.
Figure 5.1. The timing causality on a stepping stone chain (nodes from left to right: Attacker, Stepping stone 1, ..., Stepping stone i-1, Stepping stone i, Target; the RTT on a connection spans from its Send packet to the corresponding Echo packet)
If two connections are in the same connection chain, we consider them as a
correlated connection pair, otherwise they are a normal connection pair.
Definition 5.2 (RTT Sequence and Packet Pair) An RTT sequence $Rtt_a$ is a series of RTTs in chronological order obtained by an RTT getting algorithm on connection $a$. Let
$$Rtt_a = \{Rtt_a^1(t_a^{s1}, t_a^{e1}),\ Rtt_a^2(t_a^{s2}, t_a^{e2}),\ \ldots,\ Rtt_a^i(t_a^{si}, t_a^{ei}),\ \ldots\}\quad (i > 0),$$
where $Rtt_a^i$ is the $i$th RTT obtained by the RTT getting algorithm for interactive connection $a$, and $t_a^{si}$ and $t_a^{ei}$ are the arrival epochs of the send packet and the echo packet from which the $i$th RTT on connection $a$ is obtained. $(t_a^{si}, t_a^{ei})$ is called a packet pair, and $t_a^{ei} - t_a^{si} = Rtt_a^i$. To simplify the description of the algorithm, the RTT sequence representation used here differs slightly from the definition in Section 3.3 and Section 4.3.
Definition 5.3 (Correlated Packet Pair and Correlated Probability) For the packet pair $(t_a^{si}, t_a^{ei})$ on connection $a$ and the packet pair $(t_b^{sj}, t_b^{ej})$ on connection $b$, if $t_a^{si} \le t_b^{sj}$ and $t_b^{ej} \le t_a^{ei}$, we consider $(t_b^{sj}, t_b^{ej})$ and $(t_a^{si}, t_a^{ei})$ a correlated packet pair, written $(t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})$. By Definition 5.2, for a correlated packet pair we also have:
$$t_a^{si} \le t_b^{sj},\qquad t_b^{sj} + Rtt_b^j \le t_a^{si} + Rtt_a^i$$
$$\Rightarrow\quad t_a^{si} \le t_b^{sj} \le t_a^{si} + Rtt_a^i - Rtt_b^j \qquad (1)$$
For the packet pair $(t_a^{si}, t_a^{ei})$ on $a$, if there exists any packet pair $(t_b^{sj}, t_b^{ej})$ on $b$ such that $(t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})$, we say that $(t_a^{si}, t_a^{ei})$ has a correlated pair. The Correlated Probability $CP_{ab}$ is defined as the ratio of the number of packet pairs of $a$ that have correlated pairs on $b$ to the total number of packet pairs of $a$.
The Correlated Probability of two normal connections seems random, but it is actually related to the packet frequency and the RTT values, as we prove in the analysis below.
5.3.2 Modelling Connection Streams
Network streams are frequently modelled as a Poisson process [90]. The famous Jackson's theorem [80], a significant development in the theory of networks of queues, simply assumes that packet arrivals are Poisson processes. To detect stepping stones, connection streams (the packet arrivals on connections) are generally modelled as Poisson processes as well [5, 8, 9, 10].
Normally, Poisson processes with a fixed rate [5, 8, 9, 10] are used to build the model. In this case the packet inter-arrival time follows the exponential distribution with probability density function $\lambda e^{-\lambda x}$, where $\lambda$ is the expected packet arrival rate and can be taken as $1/T$ ($T$ is the expected packet interval, equal to the average packet interval).
Let us assume that the packet arrivals on a connection stream have different rates $\lambda_i\ (i \le n)$ over time periods $T_i\ (i \le n)$, where $T_i$ is the packet interval of the $i$th packet, so that $\lambda_i T_i = 1$. Then the average arrival rate is the same as in the model with a fixed-rate Poisson distribution, as shown below:
$$\frac{\sum_{i=1}^{n} \lambda_i T_i}{\sum_{i=1}^{n} T_i} = \frac{n}{\sum_{i=1}^{n} T_i} = \lambda.$$
This means that a Poisson process with a fixed rate can be modelled as many Poisson distributions with varying rates over varying time periods [8]. As a result, connection streams can be modelled as Poisson processes with varying rates over varying time periods. In this case the inter-arrival time of every packet follows the exponential distribution with probability density function $\lambda_i e^{-\lambda_i x}$, where $\lambda_i = 1/T_i$.
5.3.3 Probability Bound under Poisson Model with Varying Rate
Theorem 5.1. Let us assume that normal connections $a$ and $b$ behave as sequences of Poisson processes. For the two RTT sequences obtained by the RTT getting algorithm on connections $a$ and $b$ during the same time range,
$$Rtt_a = \{Rtt_a^1(t_a^{s1}, t_a^{e1}),\ Rtt_a^2(t_a^{s2}, t_a^{e2}),\ \ldots,\ Rtt_a^n(t_a^{sn}, t_a^{en})\}\quad (n > 0),$$
$$Rtt_b = \{Rtt_b^1(t_b^{s1}, t_b^{e1}),\ Rtt_b^2(t_b^{s2}, t_b^{e2}),\ \ldots,\ Rtt_b^m(t_b^{sm}, t_b^{em})\}\quad (m > 0),$$
if $Rtt_a^i \ge Rtt_b^j\ (\forall i \le n,\ \forall j \le m)$, $(t_b^{sj}, t_b^{ej})\ (j \le m)$ is the first packet pair on connection $b$ after $t_a^{si}\ (i \le n)$, and
$$ucp(i, j) = \min\left(\frac{1 - e^{-\frac{Rtt_a^i - Rtt_b^j}{b_j}}}{1 - e^{-\frac{a_i}{b_j}}},\ 1\right),\qquad a_i = t_a^{s(i+1)} - t_a^{si},\qquad b_j = t_b^{s(j+1)} - t_b^{sj},$$
then
$$CP_{ab} \le UVCP_{ab} = \frac{1}{n}\sum_{i=1}^{n} ucp(i, j) \le 1.$$
Proof. First we derive the probability that one packet pair $(t_a^{si}, t_a^{ei})\ (i \in \{1, \ldots, n\})$ has correlated pairs on connection $b$.
According to (1), only the packet pairs whose send packet arrives after $t_a^{si}$ have a chance to be correlated with $(t_a^{si}, t_a^{ei})$. If the first packet pair on connection $b$ after $t_a^{si}$ is not correlated with $(t_a^{si}, t_a^{ei})$, then no later packet pair is correlated with it either. So the probability that $(t_a^{si}, t_a^{ei})$ has correlated pairs on connection $b$ equals the probability that the first packet pair on connection $b$ after $t_a^{si}$ is correlated with $(t_a^{si}, t_a^{ei})$, i.e. $\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}))$.
Then we derive $\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}))$ from two cases, with $a_i = t_a^{s(i+1)} - t_a^{si}$ and $b_j = t_b^{s(j+1)} - t_b^{sj}$ as in the theorem.
a) When $a_i \ge Rtt_a^i - Rtt_b^j$:
$$\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) = \Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} \le t_a^{s(i+1)})\,\Pr(t_b^{sj} \le t_a^{s(i+1)}) + \Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} > t_a^{s(i+1)})\,\Pr(t_b^{sj} > t_a^{s(i+1)})$$
$$\le \Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} \le t_a^{s(i+1)}) + \Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} > t_a^{s(i+1)}).$$
• If $t_b^{sj} \le t_a^{s(i+1)}$: we assume that connection stream $b$ behaves as a Poisson process with rate $\lambda_b^j$ during the $j$th packet arrival. Then we can derive:
$$\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} \le t_a^{s(i+1)}) = \frac{\Pr(t_a^{si} \le t_b^{sj} \le t_a^{si} + Rtt_a^i - Rtt_b^j,\ t_b^{sj} \le t_a^{s(i+1)})}{\Pr(t_a^{si} \le t_b^{sj} \le t_a^{s(i+1)})} = \frac{\Pr(t_a^{si} \le t_b^{sj} \le t_a^{si} + Rtt_a^i - Rtt_b^j)}{\Pr(t_a^{si} \le t_b^{sj} \le t_a^{s(i+1)})}$$
$$= \frac{\int_{t_a^{si}}^{t_a^{si} + Rtt_a^i - Rtt_b^j} \lambda_b^j e^{-\lambda_b^j (x - t_b^{s(j-1)})}\,dx}{\int_{t_a^{si}}^{t_a^{s(i+1)}} \lambda_b^j e^{-\lambda_b^j (x - t_b^{s(j-1)})}\,dx} = \frac{1 - e^{-\lambda_b^j (Rtt_a^i - Rtt_b^j)}}{1 - e^{-\lambda_b^j a_i}}.$$
• If $t_b^{sj} > t_a^{s(i+1)}$: by the precondition $a_i \ge Rtt_a^i - Rtt_b^j$, we obtain the inequality below, which conflicts with Definition 5.3:
$$t_b^{sj} > t_a^{s(i+1)} = t_a^{si} + a_i \ge t_a^{si} + Rtt_a^i - Rtt_b^j.$$
So $\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} > t_a^{s(i+1)}) = 0$.
As a result, when $a_i \ge Rtt_a^i - Rtt_b^j$ we get:
$$\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le \frac{1 - e^{-\lambda_b^j (Rtt_a^i - Rtt_b^j)}}{1 - e^{-\lambda_b^j a_i}}.$$
By the analysis in 5.3.2, we know $\lambda_b^j = 1/b_j$, so we can further get:
$$\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le \frac{1 - e^{-\frac{Rtt_a^i - Rtt_b^j}{b_j}}}{1 - e^{-\frac{a_i}{b_j}}} = ucp(i, j).$$
b) When $a_i < Rtt_a^i - Rtt_b^j$:
We get $\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le 1 = ucp(i, j)$, as the following inequality holds:
$$\frac{1 - e^{-\frac{Rtt_a^i - Rtt_b^j}{b_j}}}{1 - e^{-\frac{a_i}{b_j}}} > 1 \qquad (a_i < Rtt_a^i - Rtt_b^j).$$
From cases a) and b), we can derive:
$$\Pr((t_a^{si}, t_a^{ei}) \text{ has correlated pairs on connection } b) = \Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le ucp(i, j).$$
According to the definition of $CP_{ab}$, it can be considered the expected value of $\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}))$ over the packet pairs of $a$. So we get:
$$CP_{ab} \le \frac{1}{n}\sum_{i=1}^{n} ucp(i, j) \le 1.$$
5.3.4 Probability Bound under Poisson Model with a Fixed Rate
Theorem 5.2. For two normal connections $a$ and $b$, assuming they behave as Poisson processes with an equal rate $\lambda$, then
$$CP_{ab} \le UFCP_{ab} = 1 - e^{-\lambda |Rtt_a - Rtt_b|} - \left(1 - e^{-\lambda |Rtt_a - Rtt_b|}\right)\ln\left(1 - e^{-\lambda |Rtt_a - Rtt_b|}\right),$$
where $Rtt_a$ and $Rtt_b$ are the average RTTs on connections $a$ and $b$ respectively.
Proof. Let us assume $Rtt_a \ge Rtt_b$. Similar to the proof of Theorem 5.1, we first derive the probability that one packet pair $(t_a^{si}, t_a^{ei})$ of connection $a$ has correlated pairs on connection $b$, which equals $\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}))$, where $(t_b^{sj}, t_b^{ej})$ is the first packet pair on connection $b$ after $t_a^{si}$.
From the proof of Theorem 5.1, we know that:
• When $a_i \ge Rtt_a^i - Rtt_b^j$ (where $a_i = t_a^{s(i+1)} - t_a^{si}$),
$$\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le \frac{1 - e^{-\lambda_b^j (Rtt_a^i - Rtt_b^j)}}{1 - e^{-\lambda_b^j a_i}},$$
where $\lambda_b^j$ is the varying packet arrival rate of connection $b$.
• When $a_i < Rtt_a^i - Rtt_b^j$,
$$\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le 1.$$
As RTT always varies in a narrow range [56], we can approximately replace $Rtt_a^i - Rtt_b^j$ with $Rtt_a - Rtt_b$. By the assumption that connection $b$ behaves as a Poisson process with fixed rate $\lambda$, we get:
• When $a_i \ge Rtt_a - Rtt_b$,
$$\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le \frac{1 - e^{-\lambda (Rtt_a - Rtt_b)}}{1 - e^{-\lambda a_i}}.$$
• When $a_i < Rtt_a - Rtt_b$,
$$\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})) \le 1.$$
$CP_{ab}$ should be the expected value of $\Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}))$, and because connection $a$ behaves as a Poisson process with rate $\lambda$, $a_i$ is exponentially distributed. Then we can derive, integrating over $a_i = x$:
$$CP_{ab} \le \int_0^{\infty} \Pr((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid a_i = x)\,\lambda e^{-\lambda x}\,dx = \int_0^{Rtt_a - Rtt_b} 1 \cdot \lambda e^{-\lambda x}\,dx + \int_{Rtt_a - Rtt_b}^{\infty} \frac{1 - e^{-\lambda (Rtt_a - Rtt_b)}}{1 - e^{-\lambda x}}\,\lambda e^{-\lambda x}\,dx$$
$$= 1 - e^{-\lambda (Rtt_a - Rtt_b)} - \left(1 - e^{-\lambda (Rtt_a - Rtt_b)}\right)\ln\left(1 - e^{-\lambda (Rtt_a - Rtt_b)}\right)$$
$$= \left(1 - e^{-\lambda (Rtt_a - Rtt_b)}\right)\left(1 - \ln\left(1 - e^{-\lambda (Rtt_a - Rtt_b)}\right)\right).$$
Now we can relax the assumption $Rtt_a \ge Rtt_b$ by replacing $Rtt_a - Rtt_b$ with $|Rtt_a - Rtt_b|$, and get:
$$CP_{ab} \le UFCP_{ab} = 1 - e^{-\lambda |Rtt_a - Rtt_b|} - \left(1 - e^{-\lambda |Rtt_a - Rtt_b|}\right)\ln\left(1 - e^{-\lambda |Rtt_a - Rtt_b|}\right).$$
5.4 Algorithm and Analysis
By the definition of the correlated pair, if all packets on $a$ appear in $b$, $CP_{ab}$ should be 1 for all correlated connection pairs. We then consider the case that not all packets on $a$ appear in $b$. We can divide correlated connection streams into two parts: the first part, whose $CP_{ab}$ is 1, includes all the packets appearing on both connections; the second part, whose $CP_{ab}$ has an upper bound, includes the packets appearing only on their own connection. From this point of view, if $CP_{ab}$ is larger than the upper bound, we consider the connection pair a correlated connection pair; otherwise it is a normal pair.
Based on the upper bounds from the two Poisson models, two stepping stone
detection algorithms are designed.
5.4.1 Abnormal Probability Detection Algorithm
The Abnormal Probability Detection (APD) algorithm is based on Theorem 5.1. It examines the interactive connections and determines whether a connection pair is correlated within a specified monitoring time. It can be run in real time at a network gateway node or as an independent process on the stepping stone hosts.
When packets arrive on a connection, APD first calculates the RTT in real time using the Estimation-Based RTT getting Algorithm proposed in Chapter 3. Once a new RTT $Rtt_a^i$ is obtained, the algorithm compares it with each connection that needs to be compared.
For every compared pair, let $C_b$ be the connection with the bigger RTT and $C_s$ the connection with the smaller RTT. A variable LAST_INDEX records the first RTT index of $C_b$ that is later than every RTT on $C_s$. When the new RTT is on $C_b$, and no RTT on $C_s$ later than the new RTT can be found, we set LAST_INDEX to the index of the new RTT. Otherwise we set LAST_INDEX to 0, increase the total count for the compared connection pair,
calculate ucp(i, j), and check whether they are a Correlated Packet Pair. If they are a Correlated Packet Pair, we increase the correlated count for the compared connection pair.
The detailed processing for the above comparison is shown in Table 5.1. If the new RTT is on connection $C_s$ and the variable LAST_INDEX is not zero, we take the RTTs on $C_b$ from index LAST_INDEX to the last index and check whether $Rtt_a^i$ is later than each of them. If so, we increase the total count for the compared connection pair, calculate ucp(i, j), and check whether they are a Correlated Packet Pair. If they are a Correlated Packet Pair, we increase the correlated count for the compared connection pair.
Table 5.1. Real-time comparing processing in APD algorithm
APD_compare($Rtt_a^i$, $Rtt_b$)
    If (($Rtt_a < Rtt_b$) && (last_uncompared_index_ab != 0))
        For (j from last_uncompared_index_ab to the latest index)
            If ($Rtt_a^i$ is the first RTT after $Rtt_b^j$)
                Count_ab++;
                UVCP = ucp(i, j) + UVCP;
                If ($Rtt_a^i$ is correlated with $Rtt_b^j$)
                    Count_correlated_ab++;
                Endif
            Endif
        Endfor
        last_uncompared_index_ab = 0;
    Else if ($Rtt_a > Rtt_b$)
        If (last_uncompared_index_ab == 0)
            If (find one RTT $Rtt_b^j$ that is the first RTT after $Rtt_a^i$)
                Count_ab++;
                UVCP = ucp(i, j) + UVCP;
                If ($Rtt_a^i$ is correlated with $Rtt_b^j$)
                    Count_correlated_ab++;
                Endif
            Else
                last_uncompared_index_ab = i;
            Endif
        Endif
    Endif
When the monitoring time for a compared connection pair expires, we calculate CP as the ratio of the correlated count to the total count, and UVCP as the ratio of the accumulated UVCP to the total count. If CP > UVCP, we consider it a Correlated Connection pair; otherwise it is considered a Normal Connection pair. The detailed processing when the monitoring time expires for a compared pair is shown in Table 5.2.
Table 5.2. Monitoring time expired processing in APD algorithm
APD_Monitor_Expired(UVCP, Count_ab, Count_correlated_ab)
    UVCP = UVCP / Count_ab;
    CP = Count_correlated_ab / Count_ab;
    If (CP > UVCP)
        Return CORRELATED;
    Else
        Return NORMAL;
    Endif
During the processing, the algorithm may store some RTTs, but it does not need to store all RTTs. When the variable LAST_INDEX is set to zero, we can clear all stored RTTs for the compared connection pair. Therefore, APD requires little storage.
Table 5.3. Real-time comparing processing in SAPD algorithm
SAPD_compare($Rtt_a^i$, $Rtt_b$)
    If (($Rtt_a < Rtt_b$) && (last_uncompared_index_ab != 0))
        For (j from last_uncompared_index_ab to the latest index)
            If ($Rtt_a^i$ is the first RTT after $Rtt_b^j$)
                Count_ab++;
                If ($Rtt_a^i$ is correlated with $Rtt_b^j$)
                    Count_correlated_ab++;
                Endif
            Endif
        Endfor
        last_uncompared_index_ab = 0;
    Else if ($Rtt_a > Rtt_b$)
        If (last_uncompared_index_ab == 0)
            If (find one RTT $Rtt_b^j$ that is the first RTT after $Rtt_a^i$)
                Count_ab++;
                If ($Rtt_a^i$ is correlated with $Rtt_b^j$)
                    Count_correlated_ab++;
                Endif
            Else
                last_uncompared_index_ab = i;
            Endif
        Endif
    Endif
5.4.2 Speedy Abnormal Probability Detection Algorithm
The Speedy Abnormal Probability Detection (SAPD) algorithm is based on Theorem 5.2. It is nearly the same as the APD algorithm, except that it computes the probability bound once instead of $n$ times (where $n$ is the number of RTTs on the connection with the bigger RTT). The detailed processing for comparing and for monitoring time expiry is shown in Tables 5.3 and 5.4 respectively.
However, calculating UFCP involves $\lambda$, the packet arrival rate of the compared connection pair. According to the analysis in 5.3.2, it can be taken as $1/T$ ($T$ is the expected packet inter-arrival time). We also assume that the compared connections have the same packet arrival rate $\lambda$, so how to set $\lambda$ is crucial for the algorithm. In our experiments, we found that $\lambda = \frac{1}{(T_a + T_b)/2}$, where $T_a$ and $T_b$ are the expected packet intervals of the two compared connections, gave a more accurate result.
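As an added worked example (not code from the thesis), the following Python script puts the pieces of Sections 5.3 and 5.4 together: ucp(i, j) and UVCP from Theorem 5.1, the closed-form UFCP of Theorem 5.2, the correlated probability CP of Definition 5.3, and the CP > bound decision of Tables 5.2 and 5.4 with the floor suggested in Section 5.4.3. It evaluates a whole monitoring window offline rather than incrementally as in Tables 5.1 and 5.3, and the SAPD rate follows the $\lambda = 1/((T_a + T_b)/2)$ choice of Section 5.4.2. The sample data is constructed: two independent Poisson streams stand in for a normal pair, and a downstream hop derived from the upstream stream stands in for a correlated pair; the rates, RTTs and hop delays are assumed values, not the thesis dataset.

```python
import bisect
import math
import random
from typing import List, Tuple

# A packet pair is (send arrival epoch, echo arrival epoch) in seconds; RTT = echo - send (Definition 5.2).
Pair = Tuple[float, float]


def ucp(a_i: float, b_j: float, rtt_ai: float, rtt_bj: float) -> float:
    """Per-pair bound of Theorem 5.1. a is the larger-RTT connection; a_i and b_j are the
    send intervals t^{s(i+1)} - t^{si} on a and b."""
    diff = rtt_ai - rtt_bj
    if diff <= 0.0:
        return 0.0           # a pair of b cannot nest inside a shorter pair of a
    if a_i <= 0.0 or b_j <= 0.0:
        return 1.0           # degenerate interval: keep the trivial bound of 1
    num = 1.0 - math.exp(-diff / b_j)
    den = 1.0 - math.exp(-a_i / b_j)
    return min(num / den, 1.0)


def ufcp(lam: float, rtt_a: float, rtt_b: float) -> float:
    """Closed-form bound of Theorem 5.2 for two Poisson streams of equal rate lam."""
    p = 1.0 - math.exp(-lam * abs(rtt_a - rtt_b))
    return 0.0 if p <= 0.0 else p - p * math.log(p)


def correlated_probability(pairs_a: List[Pair], pairs_b: List[Pair]) -> float:
    """CP_ab of Definition 5.3: share of pairs on a that contain some pair of b."""
    sends_b = [s for s, _ in pairs_b]
    hits = 0
    for s_a, e_a in pairs_a:
        j = bisect.bisect_left(sends_b, s_a)         # first send on b at or after t_a^si
        while j < len(sends_b) and sends_b[j] <= e_a:
            if pairs_b[j][1] <= e_a:                 # its echo returns no later than a's echo
                hits += 1
                break
            j += 1
    return hits / len(pairs_a) if pairs_a else 0.0


def uvcp(pairs_a: List[Pair], pairs_b: List[Pair]) -> float:
    """UVCP_ab of Theorem 5.1: mean of ucp(i, j), j being the first pair on b after t_a^si.
    Pairs without a successor (needed for a_i or b_j) are skipped."""
    sends_b = [s for s, _ in pairs_b]
    total, n = 0.0, 0
    for i in range(len(pairs_a) - 1):
        s_a, e_a = pairs_a[i]
        j = bisect.bisect_left(sends_b, s_a)
        if j >= len(pairs_b) - 1:
            break
        a_i = pairs_a[i + 1][0] - s_a
        b_j = pairs_b[j + 1][0] - pairs_b[j][0]
        total += ucp(a_i, b_j, e_a - s_a, pairs_b[j][1] - pairs_b[j][0])
        n += 1
    return total / n if n else 0.0


def classify(cp: float, bound: float, floor: float = 0.2) -> str:
    """Decision of Tables 5.2 and 5.4, with the Section 5.4.3 floor on a small bound."""
    return "CORRELATED" if cp > max(bound, floor) else "NORMAL"


def mean_rtt(pairs: List[Pair]) -> float:
    return sum(e - s for s, e in pairs) / len(pairs)


def run_detection(pairs_a: List[Pair], pairs_b: List[Pair]):
    """One monitoring window for one pair: returns (CP, UVCP, UFCP, APD verdict, SAPD verdict)."""
    cp = correlated_probability(pairs_a, pairs_b)
    bound_v = uvcp(pairs_a, pairs_b)
    # SAPD rate choice of Section 5.4.2: lambda = 1 / ((T_a + T_b) / 2), T = mean send interval
    t_a = (pairs_a[-1][0] - pairs_a[0][0]) / (len(pairs_a) - 1)
    t_b = (pairs_b[-1][0] - pairs_b[0][0]) / (len(pairs_b) - 1)
    lam = 1.0 / ((t_a + t_b) / 2.0)
    bound_f = ufcp(lam, mean_rtt(pairs_a), mean_rtt(pairs_b))
    return cp, bound_v, bound_f, classify(cp, bound_v), classify(cp, bound_f)


def poisson_sends(lam: float, duration: float, rng: random.Random) -> List[float]:
    """Send epochs of a Poisson stream (Section 5.3.2): exponential gaps with mean 1/lam."""
    out, t = [], rng.expovariate(lam)
    while t < duration:
        out.append(t)
        t += rng.expovariate(lam)
    return out


def make_streams(seed: int = 7, lam: float = 1.0, duration: float = 2000.0):
    """Constructed sample (assumed values, not the thesis dataset): upstream connection a with
    an 800 ms RTT, an independent connection with a 100 ms RTT, and a hop chained to a."""
    rng = random.Random(seed)
    a = [(s, s + 0.8) for s in poisson_sends(lam, duration, rng)]
    normal_b = [(s, s + 0.1) for s in poisson_sends(lam, duration, rng)]
    chained_b = []
    for s, e in a:
        hop = 0.05 + rng.uniform(0.0, 0.02)      # per-direction forwarding delay of 50-70 ms
        chained_b.append((s + hop, e - hop))     # Figure 5.1: sent later, echoed earlier than on a
    chained_b.sort()
    return a, normal_b, chained_b


if __name__ == "__main__":
    up, independent, chained = make_streams()
    print("independent pair:", run_detection(up, independent))
    print("chained pair:    ", run_detection(up, chained))
```

Running the script prints CP, UVCP and UFCP for both pairs. For the independent pair, CP stays below both bounds (the bounds are not tight, since the proof of Theorem 5.1 replaces the probability of the branch condition by 1), so both rules report NORMAL; the chained pair has CP = 1 and is reported as CORRELATED by both rules.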
5.4.3 Analysis and Improvement
• Assumptions
Assumptions such as no packet dropping and a maximum delay constraint are commonly used by many stepping stone detection approaches [5, 8, 9, 10, 21]. However, this is not the case in real applications. Omar et al. [44] claim that most of the papers presented assumed no packet loss, whereas packet loss does occur over a wide area network.
The two algorithms we propose are based only on the assumption of Poisson models, which are often used in the network area. So APD and SAPD are better suited to Internet environments.
• Resisting chaff
The APD and SAPD algorithms depend on the RTTs obtained by the Estimation-Based RTT getting Algorithm (EBA) proposed in Chapter 3, which can filter out unsymmetrical chaff packets. This means our algorithms are resistant to chaff.
• No parameters
There is no parameter in either of the two algorithms. This means we do not need to adjust any parameters for different network situations, as most stepping stone detection approaches do. As a result, our algorithms are more practical than other detection approaches.
Table 5.4. Monitoring time expired processing in SAPD algorithm
SAPD_Monitor_Expired(UFCP, Count_ab, Count_correlated_ab)
    Calculate UFCP;
    CP = Count_correlated_ab / Count_ab;
    If (CP > UFCP)
        Return CORRELATED;
    Else
        Return NORMAL;
    Endif
• Resisting jitter
Our algorithms can effectively resist jitter when UVCP or UFCP is smaller than 1, whether by a wide or a narrow margin. When UVCP or UFCP is close to 1, the gap between CP and UVCP or UFCP for a correlated connection pair is close to 0. From the proof above, we know that UVCP or UFCP will be 1 when the RTT difference is larger than the packet interval. In practice, however, it is hard to reduce the packet intervals, because the minimum packet interval is normally controlled by the OS and the network rather than by attackers. It is relatively easier to increase the RTT difference by adding jitter. However, the delay in stepping stone attacks is usually bounded [5]; in practice, a long delay can cause packets to be dropped. Furthermore, in interactive connections there is usually a certain order in which packets should arrive at the victim, and delaying earlier packets delays all subsequent packets. So the packet interval increases as jitter is added. Therefore, it is hard for attackers to bring UVCP and UFCP near 1 simply by adding jitter.
On the other hand, if such a large RTT difference does occur in practice, and we observe an abnormally large RTT on a connection, this connection can be assumed to be a jittered connection.
• Performance
The performance of APD is mainly affected by the calculation of ucp(i, j). In SAPD we only need to calculate UFCP once, which means SAPD should be more efficient than APD.
• Improvement
Considering that CP for a correlated connection pair is normally close to 1, if UVCP or UFCP becomes smaller than a specified value (such as 0.2), we set UVCP or UFCP to that specified value. Thus we can remove the inaccuracy in the probability calculation that is caused by a small number of samples.
As RTT normally varies in a narrow range [56], we can use one of the RTTs in place of the mean RTT when calculating UFCP.
5.5 Experiment and Results
5.5.1 Experiment Design
5.5.1.1 Data Source
Packet timing or frequency features may be altered during packet transmission on the Internet by packet merging and packet dropping, especially when traffic is heavy. Data from a LAN environment or a simulation generally presents a one-to-one mapping of packets, which makes stepping stone detection easier. We use the genuine stepping stone dataset captured from the self-built connection chains on the Internet in Chapter 4.
This dataset includes two connection chains, each composed of 4 connections, which means there are a total of 16 normal connection pairs and 12 correlated connection pairs, with each connection lasting three minutes. Additionally, some connections have a retransmission rate of more than 7%, and the difference in packet numbers in some connection chains is more than 17%, which means there are many packet drops and merges during packet transmission on the connection chains. Therefore, the captured data can be considered Internet data with normal or even heavy traffic.
5.5.1.2 Testing Method
With the captured data we can run the stepping stone detection approaches from a start epoch of the captured data until a specified time (such as 60 seconds), and output the results for every connection pair. More results can be obtained by selecting a different start epoch. We use the epochs at every 500ms along the data source as the start epochs in our experiments and ran all the start epochs we selected. Each run yields 28 results (one per connection pair), giving a total of more than 4000 results with 60 seconds of monitoring time. With these results we can calculate the accuracy.
To test the impact of chaff, we created the chaff-inserted data by introducing chaff packets into the original captured data at random times with different Chaff Rates (CR), the ratio of the number of introduced chaff packets to the number of original send packets. Then we ran the stepping stone detection approaches on the chaff-inserted data with different CRs to check the effect of chaff.
To test the impact of jitter, we modified the stepping stone detection algorithms. For the APD and SAPD algorithms, when we obtain the packet pairs by the RTT getting algorithm on the connection with the larger RTT, we subtract a random amount chosen from the interval [0, max Jitter] from the arrival epoch of the send packet in the packet pair. For the other stepping stone detection algorithms, because they only consider data from one direction, we directly added a random delay chosen from the interval [0, max Jitter] to the arrival epoch of each packet on one of the compared connections.
5.5.2 Experiment Results
5.5.2.1 APD
To begin with, we ran the APD algorithm on the original data source with different monitoring times; the accuracy is shown in Figure 5.2. We found that the accuracy increases as the monitoring time rises, because the computation of the probability is based on large amounts of data. It even has the potential to reach 100% accuracy when the monitoring time is 50s.
Figure 5.2. Accuracy for APD with monitoring time rising (x-axis: Monitoring Time (s), 10 to 120; y-axis: Accuracy (%), 0 to 100; series: jitter=0 chaff=0, jitter=1000 chaff=0, jitter=1000 chaff=0.4)
As shown in Figure 5.2, we further tested the accuracy when jitter is added while running the APD algorithm on the original data source or on the chaff-inserted data. We found that the accuracy also increases with the monitoring time when chaff and jitter are added. Even with a large jitter of 1000ms and a high chaff rate of 0.4, 100% accuracy can be achieved when the monitoring time is larger than 110s.
By the definition of UVCP, we know that UVCP will be close to 1, which makes it hard to detect stepping stones, as the RTT difference rises or the packet arrival rates rise (i.e. the packet interval time drops) on the compared connection pairs. As our analysis in 5.4.3 shows, attackers find it hard to reduce the packet interval times.
Figure 5.3. The impact to correlated connections by fixed delay for APD (x-axis: Fixed delay (ms), 0 to 3000; y-axis: Rate (%), 0 to 100; series: CP, UVCP, True Positive)
Next we show how UVCP and CP are affected by a varying RTT difference. To get a relatively steady RTT difference, we add a fixed delay instead of the random jitter described in 5.5.1.2; adding a fixed delay does not change the packet interval time much and only changes the RTT difference.
We then ran the APD algorithm with different fixed delays added to the original data source. Figure 5.3 shows CP and UVCP for correlated connection pairs on one of the monitoring time slots as the fixed delay rises; the monitoring time in Figure 5.3 is 120 seconds. The total true positive rate for the different fixed delays is also shown in Figure 5.3. We found that the CP for correlated connection pairs is always very high (more than 90%), but UVCP increases and approaches CP as the fixed delay (i.e. the RTT difference) rises.
Figure 5.4. The impact to normal connections by fixed delay for APD (x-axis: Fixed delay (ms), 0 to 3000; y-axis: Rate (%), 0 to 100; series: CP, UVCP, True Negative)
Most importantly, we found that the true positive rate dropped significantly when the fixed delay was bigger than 1600ms, which we call the dropping point. In addition, at the dropping point the RTT difference is around 1700ms and the packet interval on the connection with the larger RTT is around 1500ms. Therefore, APD can obtain high accuracy when the RTT difference is not much larger than the packet interval time. This is in accordance with the proof and analysis above, which show that it is hard for attackers to make the RTT difference bigger than the packet interval time simply by adding jitter.
Figure 5.4 shows CP, UVCP and the true negative rate for normal connection pairs. We found that CP and UVCP vary almost identically, with UVCP always slightly higher than CP, which supports Theorem 5.1. The true negative rate stays relatively high, which means the accuracy is mainly decided by the true positive rate.
Figure 5.5. The impact to correlated connections by jitter for APD (x-axis: Max Jitter (ms), 0 to 5000; y-axis: Rate (%), 0 to 100; series: CP, UVCP, True Positive)
Following this, we ran the APD algorithm with jitter added to the original data source in order to find the impact of random delay. Figures 5.5 and 5.6 show CP, UVCP, true positive and true negative rates for correlated connection pairs and normal connection pairs respectively. The results are nearly the same as those for fixed delay: the true positive rate also dropped significantly when the max jitter was bigger than 1600ms, although the drop was slower than for the fixed delay, because the average RTT difference caused by jitter is only around half of that caused by a fixed delay when the max jitter and the fixed delay are equal. Therefore, the true positive rate dropped relatively slowly for jitter. However, due to the similar maximum delay, the dropping point for the fixed delay and the random jitter was the same.
Figure 5.6. The impact to normal connections by jitter for APD (x-axis: Max Jitter (ms), 0 to 5000; y-axis: Rate (%), 0 to 100; series: CP, UVCP, True Negative)
5.5.2.2 SAPD
In order to test SAPD, we first tested the accuracy with different monitoring times. Figure 5.7 shows the accuracy for SAPD. We found that the accuracy increases as the monitoring time rises: it reaches 100% when the monitoring time is 50s in the case of no jitter and chaff, and it also reaches 100% when the monitoring time is 100s with a big jitter (1000ms) and a high chaff rate (0.4). These results are consistent with those for APD.
Next we tested how UFCP, CP, true positive and true negative rates are affected by fixed delay and random delay. Figures 5.8 and 5.9 show the results for fixed delay, and Figure 5.10 shows the result compared with APD. From Figures 5.8 and 5.10, we found that the true positive rate for SAPD begins to drop significantly from a smaller dropping point than APD. The UFCP for SAPD rises slightly quicker than the UVCP for APD, which is the reason why the true positive rate for SAPD starts to drop significantly from a smaller fixed delay than APD. From Figure 5.9, we found that the true negative rate is 100%, as the UFCP for SAPD rises slightly quicker than the UVCP for APD.
Figure 5.7. Accuracy for SAPD with monitoring time increasing (x-axis: Monitoring Time (s), 10 to 120; y-axis: Accuracy (%), 0 to 100; series: jitter=0 chaff=0, jitter=1000 chaff=0, jitter=1000 chaff=0.4)
Figure 5.8. The impact to correlated connections by fixed delay for SAPD (x-axis: Fixed delay (ms), 0 to 2000; y-axis: Rate (%), 0 to 100; series: UFCP, CP, True Positive)
Figure 5.9. The impact to normal connections by fixed delay for SAPD (x-axis: Fixed delay (ms), 0 to 2000; y-axis: Rate (%), 0 to 100; series: UFCP, CP, True Negative)
Figure 5.10. Comparison of APD and SAPD by fixed delay (x-axis: Fixed delay (ms), 0 to 2000; y-axis: Rate (%), 0 to 100; series: UFCP for SAPD, UVCP for APD, True Positive for SAPD, True Positive for APD)
Figure 5.11. Comparison of APD and SAPD by jitter (x-axis: Max Jitter (ms), 0 to 3000; y-axis: Rate (%), 0 to 100; series: UFCP for SAPD, True Positive for SAPD, UVCP for APD, True Positive for APD)
[Figure 5.12. Impact to correlated connections by jitter with SAPD. Axes: Max Jitter (ms), 0-3000, vs Rate (%), 0-100. Series: UFCP; CP; True Positive]
[Figure 5.13. Impact to normal connections by jitter with SAPD. Axes: Max jitter (ms), 0-3000, vs Rate (%), 0-100. Series: UFCP; CP; True Negative]
Figure 5.12 and Figure 5.13 show the results by random jitter, and Figure 5.11 shows
the results compared with APD. We find that the true positive for SAPD drops quicker
than that for APD.
As a result, we conclude that the accuracy for SAPD starts to drop significantly from a
smaller dropping point than for APD, and that its accuracy drops quicker than APD's.
Therefore, APD is more suitable than SAPD for detecting connections when the jitters
are relatively large.
5.5.2.3 Accuracy Comparison
We compared our methods and previous approaches from four perspectives:
1. The accuracy for identifying normal connections and correlated connections
2. The accuracy for identifying normal connections and correlated connections
with inserted chaffs
3. The accuracy for identifying normal connections and correlated connections
with added jitters
4. The accuracy for identifying normal connections and correlated connections
with both the insertion of chaffs and the addition of jitters
Table 5.5. Parameter values for sketching and S-III
Approach   Parameters
Sketching  slot = 1500ms, thresh = 71
S-III      max delay = 3000ms
For the previous approaches, we selected and implemented sketching and S-III. S-III
was proposed by Zhang et al. [9], whose experiments demonstrated that it is more
effective in detecting stepping stones with jitter and chaff than most other methods.
Sketching [35] is the latest approach which, to some extent, is resistant to both chaff
and packet jitters. During the experiments, we found that the results of sketching and
S-III are largely affected by the choice of parameters; with the parameters shown in
Table 5.5, we achieved the best results for them.
To cover the above four perspectives, we ran the stepping stone detection
approaches on the original captured data and on the chaff-inserted data, with and
without the addition of jitters.
Figure 5.14 shows the accuracy on the original data for different monitoring
times. We find that both APD and SAPD have around 95% accuracy when the monitoring
time is 10 seconds, and this increases to 100% accuracy when the monitoring time is
bigger than 50s. The accuracy for sketching is around 70% when the monitoring time is
10 seconds, and this increases to 100% accuracy when the monitoring time is larger
than 70s. The normal accuracy for S-III is only around 80%.
[Figure 5.14. Accuracy with no jitter and chaff (Max jitter=0ms, Chaff rate=0). Axes: Monitoring time (s), 10-120, vs Accuracy (%), 0-100. Series: SAPD; APD; sketching; S-III]
Figure 5.15 shows the accuracy on the chaff-inserted data for different chaff rates when
the monitoring time is 60 seconds. We find that APD and SAPD are hardly affected by
chaffs, and sketching is only affected to a small degree by chaff packets, while the
accuracy of S-III drops significantly as the chaff rate rises.
The accuracy on the original data with different jitters added, with a monitoring time of
60 seconds, is shown in Figure 5.16, which shows that APD, SAPD and S-III are rarely
affected by jitters, while the accuracy of sketching drops significantly as the jitter
rises.
[Figure 5.15. Accuracy with chaff only (Monitoring time=60s, Max jitter=0ms). Two panels: Chaff rate, 0-0.8, vs Accuracy (%), the first with the accuracy axis 0-100 and the second with the accuracy axis 50-100. Series: APD; SAPD; sketching; S-III]
Figure 5.17 shows the accuracy on the chaff-inserted data (chaff rate 0.4) with
1000ms max jitter added. From Figure 5.17, we find that the accuracy for SAPD and APD
is around or more than 90%, while the other methods have an accuracy of around 65%
when the chaff rate is 0.4 and the jitter is 1000ms. In addition, SAPD and APD reach
around 100% accuracy if the monitoring time is long enough. Meanwhile, SAPD
demonstrates that it is slightly more effective than APD in resisting chaff and jitter.
[Figure 5.16. Accuracy with jitter only (Monitoring time=60s, Chaff rate=0). Axes: Max jitter (ms), 0-1000, vs Accuracy (%), 0-100. Series: APD; SAPD; Sketching; S-III]
[Figure 5.17. Accuracy with chaff and jitter (Max jitter=1000ms, chaff rate=0.4). Axes: Monitoring time (s), 10-120, vs Accuracy (%), 0-100. Series: APD; SAPD; Sketching; S-III]
5.6 Summary
In this chapter, based on the two Poisson processing models, we formulated and
proved two separate upper bounds on the probability that normal connections present
the timing causality of correlated connections. In addition, based on these two upper
bounds, we proposed the APD and SAPD algorithms, which can detect stepping stones
accurately even if there are large jitters and a high chaff rate.
Compared to APD, SAPD has lower computation costs, but its accuracy drops
quicker than APD's when the jitters are relatively large. Our experiments show that both
APD and SAPD are more resistant to chaffs and jitters than sketching and S-III,
which were shown to have high resistance to chaffs and jitters in previous research. At
the same time, both APD and SAPD maintain high accuracy for the detection of data
with no chaffs or jitters.
Chapter 6 Experimental Analysis for Stepping Stone Detection Approaches
Chapter 6
Experimental Analysis for Stepping Stone
Detection Approaches
Many network-based passive stepping stone detection approaches have been
discussed in this thesis. However, there are still two big issues with previous
experimental designs. One issue is the lack of application in Internet environments.
Another is the absence of highly quantitative comparative studies. In this chapter, we
implement 13 stepping stone detection algorithms, extract the SSH data from public
traces that contain millions of packets, and obtain genuine stepping stone connection
chain data from the Internet. We establish a set of criteria and run these algorithms
through several scenarios with different datasets. Based on the experimental results
and analysis, we give our conclusions on the real-time application of stepping stone
detection approaches, the accuracy of stepping stone detection approaches, and the
impact of assumptions, chaffs and jitters. In addition, we give suggestions for
improving some stepping stone detection approaches.
6.1 Introduction
Since the problem of stepping stones was first identified by Staniford-Chen and
Heberlein [1], many network-based passive approaches have been proposed to detect
encrypted stepping stones. However, there are still two big issues with previous
experimental designs.
Firstly, experiments should be conducted in Internet environments, a point made
in the two stepping stone survey papers [15] and [100]. Currently, most
research has been conducted in a lab environment, such as running simulations on a
local area network (LAN), or on simulated data. While these represent ideal situations,
Internet queuing delays and packet drops occur in practice, as has been proven in [44].
The question remains: can stepping stone approaches cope with this situation,
especially when some of the approaches assume there is no packet drop?
Secondly, highly quantitative comparative studies are needed. Currently most research
does not compare against previous methods, and some only do the analysis in theory.
Even where certain approaches did compare results, they used insufficient criteria and
are unconvincing. Zhang et al. in [9] compared their four algorithms with the
previous five algorithms; however, their experiments were not based on genuine
stepping stone data. Although they use public SSH data, it cannot simulate genuine
stepping stone data, especially as there is no packet drop in their simulation.
In this chapter, our aim is to present highly quantitative comparative experimental
results using various testing methods with multiple datasets, including a genuine
Internet stepping stone dataset. To achieve this, we implement a total of 13 algorithms,
extract the SSH data from public traces that contain millions of packets, and obtain data
from genuine stepping stone connection chains on the Internet. We also
establish a set of criteria and run these algorithms with different durations, different
drop rates, different chaff rates, different delays and different jitters. In addition, based
on the experimental results, we provide answers to the following questions:
1. Can the approaches that assume no packet drops be applied in real
Internet environments?
2. Which approaches have high accuracy?
3. Which approaches have high accuracy during a short duration?
4. Which approaches can resist chaffs or jitters?
The rest of this chapter is organised as follows. In Section 6.2, we introduce the
design of our experiments, including the implementation of stepping stone detection
approaches, private dataset and public dataset. Section 6.3 provides an analysis of
comparative experimental results. Finally, in Section 6.4, we provide a summary of
this chapter.
6.2 Design of Experiments
6.2.1 The Implementation of Stepping Stone Detection Approaches
We implemented most of the network-based passive stepping stone detection
approaches, including ON/OFF [2], Deviation [3], IPD [4], DA [8], DMV [21], DM
[10], S-I [9], S-II [9], S-III [9], S-IV [9], sketching [35], PDBC, APD and SAPD. The
essence of DM [10] is the same as S-I [9], therefore we only show the results of S-I
later in the analysis and experiments. The details of every algorithm can be found in
previous chapters. In this section, we concentrate only on the differences between our
implementation and the original algorithms, real-time application analysis and the
definition of parameters.
Most algorithms do not indicate the length of connection streams or how many
packets they need for the detection of stepping stones. Therefore, we added a
duration parameter to every algorithm. The duration parameter is the amount of time
the connection streams last for every detection process. In real-time application, the
duration is the monitoring time for stepping stone connections. For the same duration,
the algorithm with the higher accuracy is considered more accurate. A larger duration
means more processing and more monitoring time, i.e. slower responsiveness. Therefore,
for application in Internet environments, we prefer the algorithm with the higher
accuracy for the shortest duration.
Real-time application means less storage with lower one-off computing demands. If
an algorithm has a nested loop over all packets from the beginning of the duration, it
needs to store all packets during the duration and has to perform the detection
process only once all packets are collected. Therefore, this kind of algorithm is not
suited to real-time application.
Before we introduce all the algorithms, we list all the parameters of every algorithm in
Table 6.1. PDBC, APD and SAPD are approaches proposed in Chapter 4 and Chapter
5, so we will not go into any further detail on them.
The ON/OFF approach proposed by Zhang et al. [2] is the first approach designed
to detect encrypted stepping stone data. In their approach, they calculated the
correlation of different connections by using each connection’s OFF periods. The
design is simple and the correlated OFF period can be calculated in real-time.
Table 6.1. Parameters of stepping stone detection approaches
Approach | Parameter | Denotation
ON/OFF | idleT | When there is no data traffic on a connection for more than idleT, the connection is considered to be in an OFF period
ON/OFF | � | Two OFF periods are correlated if their ending times differ by ��
ON/OFF | � | If the ratio of the number of correlated OFF periods to the smaller number of OFF periods of the two compared connections ��, then the two compared connections are correlated connections
Deviation | dev | If the deviation calculated from connection b to connection a dev�, a and b are correlated connections
IPD | Window size | The number of packets used to calculate correlation points
IPD | CP� | Maximum correlation points value
IPD | � | Correlation value threshold
DA/DMV | p� | Maximum number of packets that may be sent in the maximum tolerable delay bound
S-I(DM)/S-III | � | Maximum tolerable delay bound
S-II/S-IV | � | Maximum tolerable delay bound
S-II/S-IV | other | Depends on the approach it is used together with
Sketching | TSL | The length of the timeslots forming the time axis
Sketching | # | If the sketch difference between two connections #�, the two connections are considered correlated connections
PDBC | � | Maximum packet delay difference on bidirection
PDBC | � | Maximum correlated rate
APD/SAPD | No | No
However it does have several parameters, and these parameters should be adjusted for
different network situations, especially the � parameter, which determines if two OFF
periods are correlated. In application, � should be larger than the arrival time delay
for the same packet between two compared connections. For satellite links, it may be
of significant value, but for a LAN link it may be of insignificant value. The
inappropriate selection of � will lead ON/OFF to fail in detecting stepping stones.
But it is possible to automatically improve the ON/OFF by calculating � with the
EBA algorithm (as proposed in Chapter 3) according to the streams.
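As an added example (not the thesis's code, nor the original authors'), the ON/OFF test as the paragraphs above describe it, run on constructed keystroke timestamps to show the parameter sensitivity just discussed: a correlation threshold smaller than the relay delay makes the test miss a genuine relay, while a threshold that covers the delay catches it and still rejects an unrelated session. The names idle_t, delta and gamma and their default values are assumptions: the thesis's symbols for the two thresholds did not survive extraction, and the values are only illustrative.

```python
"""ON/OFF correlation test (Zhang and Paxson [2]) as the thesis describes it,
with constructed keystroke timestamps. Added example, not the thesis's code."""


def off_period_ends(times, idle_t):
    """Return the end epoch of each OFF period of one connection.

    A connection is OFF once it has carried no packet for more than idle_t
    seconds; the OFF period ends when the next packet arrives."""
    return [cur for prev, cur in zip(times, times[1:]) if cur - prev > idle_t]


def correlated_off_count(ends_a, ends_b, delta):
    """Count OFF periods of a whose end lies within delta of an unused OFF-period
    end of b (both lists ascending; each end on b is matched at most once)."""
    count, j = 0, 0
    for t in ends_a:
        while j < len(ends_b) and ends_b[j] < t - delta:
            j += 1                      # ends on b too early to pair with t
        if j < len(ends_b) and abs(ends_b[j] - t) <= delta:
            count, j = count + 1, j + 1
    return count


def on_off_ratio(times_a, times_b, idle_t, delta):
    """Ratio of correlated OFF periods to the smaller OFF-period count."""
    ends_a, ends_b = off_period_ends(times_a, idle_t), off_period_ends(times_b, idle_t)
    smaller = min(len(ends_a), len(ends_b))
    return 0.0 if smaller == 0 else correlated_off_count(ends_a, ends_b, delta) / smaller


def on_off_correlated(times_a, times_b, idle_t=0.5, delta=0.08, gamma=0.3):
    """Verdict: the two connections are correlated when the ratio reaches gamma.
    idle_t, delta and gamma are assumed names and values (the thesis's idleT and
    the two threshold symbols lost in extraction); tune them per network."""
    return on_off_ratio(times_a, times_b, idle_t, delta) >= gamma


# Constructed sample: bursts of keystrokes separated by idle pauses (seconds).
UPSTREAM_SIDE = [0.0, 0.1, 0.2, 1.5, 1.6, 3.0, 3.1, 3.2, 5.0, 5.1]
# The same session seen one hop downstream, every packet arriving 120 ms later.
DOWNSTREAM_SIDE = [t + 0.12 for t in UPSTREAM_SIDE]
# An unrelated interactive session with its own pauses.
UNRELATED = [0.0, 0.3, 0.6, 2.0, 2.1, 4.0, 4.2, 6.0]


def demo():
    """Why delta must exceed the relay delay: 80 ms misses the 120 ms hop,
    200 ms catches it and still rejects the unrelated session."""
    return {
        "delta_80ms": on_off_correlated(UPSTREAM_SIDE, DOWNSTREAM_SIDE, delta=0.08),
        "delta_200ms": on_off_correlated(UPSTREAM_SIDE, DOWNSTREAM_SIDE, delta=0.2),
        "unrelated_200ms": on_off_correlated(UPSTREAM_SIDE, UNRELATED, delta=0.2),
    }


if __name__ == "__main__":
    print(demo())
```

With idle_t = 0.5 s both relayed sides have three OFF periods ending 120 ms apart, so delta = 0.08 yields a ratio of 0 and delta = 0.2 a ratio of 1.0; this is the dependence on the link delay that the text describes, and the reason the thesis suggests deriving delta from the streams themselves.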
The deviation algorithm proposed by Yoda et al. [3] uses the idea that the sequence
number vs. the time curves of correlated connections should be close to each other.
This algorithm is not designed for real-time application, since the computation is very
complex and all packet timing and sequence number information needs to be stored
during the duration.
IPD, as proposed by Wang et al. [4] uses the inter-packet delay of packets to
correlate connections. While it was designed for quick responsiveness it is not suitable
for real-time application, since finding the correlated point consumes too much time
and all inter-packet delay information needs to be stored during the duration.
DA [8] and DMV [21] are packet number based algorithms. They assume there is
no packet drop during the relay of stepping stones, and all packets sent by the
upstream connection should arrive at the downstream connection in � (Maximum
tolerable delay bound). The accuracy of their real application is doubted due to this
unrealistic assumption, however their design is simple and can be used in real-time.
The original DMV algorithm has a packet number parameter which indicates the
packet number required. In our implementation, we replaced it with the duration. In the
DA algorithm, there is an upper bound on the packet number computed from the parameter p�,
which is the maximum number of packets that may be sent in the maximum tolerable
delay bound. If the packet number during the duration is smaller than this upper bound, we
output the result that the connections are not correlated.
S-I [9], S-II [9], S-III [9] and S-IV [9] are timing based approaches which have
similar assumptions to DA and DMV, and therefore we doubt their accuracy in real
application as well. In addition, the maximum tolerable delay parameter � in these
algorithms loses its meaning in real application because some packets sent by
the upstream connections may never appear on the downstream connections. On the
other hand, S-I is not suitable for real-time application because it has a nested loop
over all packets from the beginning of the duration. S-II and S-IV perform a packet
filtering function first, but they have to be used together with other approaches, so
whether S-II and S-IV can be used in real-time application depends on the algorithms
used with them. In our implementation, we follow [9] and use the Deviation [3]
approach with S-II and S-IV.
The sketching approach proposed by Coskun et al. [35] is based on succinct packet-
timing sketches of network streams. Coskun et al. claim that it can be run efficiently in
real-time. However, they did not consider the choice of time-slot length for calculating
sketches. In our later experiments, we found the selection of the time-slot length
parameter TSL significantly affected the accuracy of sketching. In addition, the correct
selection of TSL is related to the inter-packet delay on the connections. Therefore, the
sketching approach can be improved by automatically calculating the TSL parameter
according to every actual connection stream.
From the above analysis, we conclude that IPD, Deviation and S-I (DM) are not
suitable for real-time application.
6.2.2 Private Dataset
Genuine stepping stone data from the Internet is the best source of data for testing the
real application of stepping stone detection approaches. However, it is very difficult to
get a publicly available stepping stone dataset. Even if you do find one, it is very
difficult to prove it really is a stepping stone without TCP content.
Therefore, we used our captured genuine stepping stone dataset from the self-built
connection chains on the Internet from Chapter 4. This dataset includes two
connection chains which are composed of four connections respectively, with every
connection lasting three minutes. This dataset can be considered ideal data for testing
stepping stone detection approaches, in that:
1. It is genuine stepping stone data, and we know which connections are
correlated connections, and which connections are normal connections in
advance. There are a total of 16 normal connection pairs and 12 correlated
connection pairs. In addition, there are not only neighboured correlated
connections (connections relayed by one stepping stone), but also remote
correlated connections (connections relayed by multiple stepping stones).
2. There are more than 7% retransmission packets on some connections, which is
higher than the normal 1%-6% Internet retransmission rate [53], and the
packet number differences in some connection chains is more than 17%. This
means there are many packets drops and merges during the packet
transmission on connection chains.
Similar to the methods introduced in Chapter 4, we ran the stepping stone detection
approaches on this dataset from a specified starting epoch for a specified duration,
and then output the results for every connection pair. In order to obtain more results,
every 500ms along the stream was selected as a starting epoch. For example, for
every correlated connection pair or normal connection pair, there were 240 results for a
60 second duration on the three minute captured dataset. This gave us a total of 240*(12+16)
results for a 60 second duration. From these results we obtained our accuracy, which is
the ratio of the number of correct results to the number of total results.
Besides the natural packet drops, packet merges and packet retransmissions during
packet transmission, chaffs and jitters may be added by attackers to evade detection.
To test the impact of chaffs, we created chaff-inserted data by introducing chaff
packets into the original captured data at random times with different chaff rates, the
chaff rate being the ratio of the number of introduced chaff packets to the number of
original send packets. Then we followed a method similar to that for the original dataset,
running the stepping stone detection approaches on the chaff-inserted data to check the
impact of chaffs.
To test the impact of jitters, we modified the stepping stone detection algorithms.
When we obtained the packet pairs by the RTT getting algorithm on the connection
with the bigger RTT for the APD and SAPD algorithms, we subtracted a random number
chosen from the interval [0, max Jitter] from the arrival epoch of the send packet in the
packet pair. For the other stepping stone detection algorithms, because they only consider
data from one direction, we directly added a random delay chosen from the interval [0,
max Jitter] to the arrival epoch of each packet on one of the compared connections.
This means that using the real stepping stone dataset, we can test:
1. How accurate a stepping stone detection approach can be for real Internet
applications.
2. The impact of chaffs on stepping stone detection approaches.
3. The impact of jitters on stepping stone detection approaches.
6.2.3 Public Dataset
To confirm and reinforce the experimental results from the private dataset, we separately
extracted one of the longest SSH connections from each of four different Auckland-VIX
traces [52] captured in 2008, with every extracted connection lasting for about 30
minutes. Since correlated connections must occur during the same time period, we
set the arrival time of the start packet of every extracted connection to zero, and
changed the arrival time of each later packet on the connection to its delay relative to
the start packet of the connection. We refer to these four extracted connections as the
original connections.
Next, we created the correlated connections for the original connections by
subtracting a send delay from the arrival epoch of each send packet and adding an echo delay
to the arrival epoch of each echo packet. The send delay and the echo delay can be different,
and each is the sum of a specified fixed delay and a jitter, which is a random amount chosen
from the interval [0, maxDelay]. If the created arrival epoch for a send or echo packet
is earlier than the created arrival epoch of the preceding send or echo packet, we add 1
microsecond to the preceding arrival epoch and use that as the created arrival epoch. This
gives us four correlated connection pairs. We refer to these four created connections as the
upstream connections.
Since every original connection is extracted from a different trace, they should be
uncorrelated, and the same holds for the upstream connections. Apart from the above four
correlated connection pairs, every other connection pair among the four original
connections and four upstream connections is a normal connection pair.
For the four original connections and the four upstream connections, we follow the
procedure of the private dataset, obtain the stepping stone detection results and
calculate the accuracy. Since the difference between the number of correlated
connection pairs and the number of normal connection pairs is large, the accuracy
sometimes cannot reflect the actual results. We therefore also use the true
positive (the ratio of correlated connections accurately judged as correlated
connections) and true negative (the ratio of normal connections accurately judged as
normal connections) to illuminate the accuracy.
The existence of packet drops is inevitable during packet relay on stepping stones.
To simulate this situation, we selectively deleted packets from the original
connections with a specified drop rate, the ratio of the number of deleted packets to
the number of original packets. It should be noted that the result is different for the
deletion of packets from the upstream connections and the deletion of packets from the
original connections: deleting packets from the upstream connections is similar to adding
chaffs. We refer to these four created connections as the drop connections. For the
four drop connections and four upstream connections, we follow the previous
procedure and obtain the accuracy results.
During our experiments, we generated four groups of datasets: one group composed of
the four original connections and four upstream connections with small delay (100ms)
and small jitter (20ms); one group composed of the four original connections and four
upstream connections with big delay (200ms) and big jitter (50ms); one group
composed of the four original connections and four upstream connections with big jitter
(50ms) and asymmetrical delay (send delay 200ms, echo delay 50ms); and finally
the last group, composed of the four drop connections with a drop rate of 0.2 and four
upstream connections with a larger delay (200ms) and larger jitter (50ms).
[Figure 6.1. True positive for DA and DMV by public dataset. Two panels (DA, DMV): Duration (s), 100-600, vs True positive (%), 0-100. Series: delay=100ms, jitter=20ms, drop rate=0; delay=200ms, jitter=50ms, drop rate=0; delay=200ms, jitter=50ms, drop rate=0.2]
By using the public dataset, we can test:
1. The accuracy of a stepping stone detection approach if there is no packet drop.
2. The impact of packet drops on a stepping stone detection approach.
3. The impact of delays on a stepping stone detection approach.
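An added example (constructed here; not the thesis's code or data) that follows the dataset construction of this section and of Section 6.2.2, and the duration parameter of Section 6.2.1: it derives upstream connections from "original" ones with a fixed delay plus uniform jitter and the 1 microsecond ordering fix, deletes packets at a drop rate, inserts chaff at a chaff rate, and scores a detector over starting epochs every 500 ms for a given duration, reporting accuracy, true positive and true negative as defined above. The packet traces are synthetic stand-ins for the extracted SSH connections, and max_delay_detector is a toy detector assumed for the demonstration (it is not one of the thesis's algorithms); it also illustrates why a maximum-delay assumption fails once packets are dropped.

```python
"""Constructed evaluation harness: builds correlated, dropped and chaffed traces
the way the thesis describes its datasets, then scores a detector over sliding
monitoring windows. Added example with synthetic data, not the thesis's code."""
import random

MICRO = 1e-6  # the 1 microsecond nudge that keeps created epochs in order

def synth_connection(n_sends, rng=None, t0=0.0):
    """Constructed stand-in for an extracted SSH connection (not a real trace):
    each send packet is echoed 50 ms later, with 0.5-1.5 s between keystrokes."""
    rng = rng or random.Random(0)
    pkts, t = [], t0
    for _ in range(n_sends):
        pkts += [(t, "send"), (t + 0.05, "echo")]
        t += rng.uniform(0.5, 1.5)
    return pkts

def make_upstream(original, send_delay, echo_delay, max_jitter, rng=None):
    """Derive the upstream side of a correlated pair: send epochs move earlier by
    send_delay + U[0, max_jitter], echo epochs later by echo_delay + U[0, max_jitter].
    A created epoch that would precede the previous one becomes previous + 1 us."""
    rng, out = rng or random.Random(0), []
    for t, direction in original:
        shift = (send_delay if direction == "send" else echo_delay) + rng.uniform(0.0, max_jitter)
        nt = t - shift if direction == "send" else t + shift
        if out and nt < out[-1][0]:
            nt = out[-1][0] + MICRO
        out.append((nt, direction))
    return out

def drop_packets(conn, drop_rate, rng=None):
    """Delete round(drop_rate * len(conn)) randomly chosen packets
    (drop rate = deleted / original packets, the public-dataset definition)."""
    rng = rng or random.Random(0)
    gone = set(rng.sample(range(len(conn)), round(drop_rate * len(conn))))
    return [p for i, p in enumerate(conn) if i not in gone]

def insert_chaff(conn, chaff_rate, rng=None):
    """Add round(chaff_rate * n_send) chaff send packets at random epochs
    (chaff rate = inserted / original send packets, the private-dataset definition)."""
    rng = rng or random.Random(0)
    n_send = sum(1 for _, d in conn if d == "send")
    chaff = [(rng.uniform(conn[0][0], conn[-1][0]), "send") for _ in range(round(chaff_rate * n_send))]
    return sorted(conn + chaff)

def max_delay_detector(up, down, max_delay=0.3, min_ratio=0.9):
    """Toy timing detector assumed for the demo (not one of the thesis's algorithms):
    every upstream send must be followed within max_delay by an unused downstream
    send; the pair is judged correlated when at least min_ratio of them are."""
    up_sends = [t for t, d in up if d == "send"]
    down_sends = [t for t, d in down if d == "send"]
    matched, j = 0, 0
    for t in up_sends:
        while j < len(down_sends) and down_sends[j] < t:
            j += 1
        if j < len(down_sends) and down_sends[j] - t <= max_delay:
            matched, j = matched + 1, j + 1
    return bool(up_sends) and matched / len(up_sends) >= min_ratio

def evaluate(conns, correlated, detector, duration, step=0.5):
    """Slide the starting epoch by `step` seconds, run the detector on every ordered
    pair restricted to [start, start + duration), and return accuracy, true positive
    and true negative rates as the thesis defines them."""
    end = max(t for c in conns.values() for t, _ in c)
    tp = fn = tn = fp = 0
    start = 0.0
    while start + duration <= end:
        win = {n: [p for p in c if start <= p[0] < start + duration] for n, c in conns.items()}
        for a in conns:
            for b in conns:
                if a == b:
                    continue
                said, truth = detector(win[a], win[b]), (a, b) in correlated
                if truth:
                    tp, fn = tp + said, fn + (not said)
                else:
                    tn, fp = tn + (not said), fp + said
        start += step
    return {"accuracy": (tp + tn) / (tp + fn + tn + fp),
            "true_positive": tp / (tp + fn), "true_negative": tn / (tn + fp)}

def build_dataset(send_delay=0.1, echo_delay=0.1, max_jitter=0.02, drop_rate=0.0, seed=1):
    """Two 'original' connections, each paired with a derived upstream connection
    (the public-dataset construction); drop_rate > 0 deletes packets from the originals."""
    rng = random.Random(seed)
    conns, correlated = {}, set()
    for i in (1, 2):
        orig = synth_connection(200, rng)
        conns[f"up{i}"] = make_upstream(orig, send_delay, echo_delay, max_jitter, rng)
        conns[f"orig{i}"] = drop_packets(orig, drop_rate, rng) if drop_rate else orig
        correlated.add((f"up{i}", f"orig{i}"))
    return conns, correlated

if __name__ == "__main__":
    for rate in (0.0, 0.2):
        print(f"drop rate {rate}:", evaluate(*build_dataset(drop_rate=rate), max_delay_detector, 60))
```

Because the evaluation counts ordered pairs, the reversed pair (original, upstream) is a normal pair, as are all pairs drawn from different originals. With no packet drop the toy detector scores every 60 s window correctly; once 20% of the original packets are deleted its true positive falls, which is the effect the section attributes to approaches that assume a maximum tolerable delay.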
[Figure 6.2. Accuracy for DA and DMV by private dataset. Axes: Duration (s), 20-140, vs Accuracy (%), 50-100. Series: DA; DMV]
6.3 Evaluation Results
6.3.1 The Approaches having Maximum Delay Assumption
6.3.1.1 Packet Number Based Approaches
DA [8] and DMV [21] are stepping stone detection approaches based on packet
numbers. Both of them assume there is no packet drop during the relay of stepping
stones, and that all packets sent by the upstream connections arrive at the
downstream connections within the maximum tolerable delay. We first tested them using
the public dataset, and set the p� parameter to three. As shown in Figure 6.1, if there is
no packet drop, they can reach close to 100% true positive with a very large duration
(600s), but their true positive is lower than 50% with a small duration (100s). Also, as
shown in Figure 6.1, their true positive is close to zero for a 200ms delay, 50ms jitter
and a 0.2 drop rate. By changing p� and the duration to larger values, they can
still achieve a high true positive when there is no packet drop. However, when there
are packet drops, their true positive remains low even if we adjust p� and the duration.
Figure 6.2 shows the accuracy on the private dataset. We still set the p� parameter to
three, because this gives the highest accuracy. As shown in Figure 6.2, the accuracy
of both DA and DMV is not high, because there are packet drops in the private dataset.
[Figure 6.3. True positive and true negative for S-I and S-III by public dataset. Four panels: Duration (s), 100-600, vs True negative (%) for S-I and for S-III, and vs True positive (%) for S-I and for S-III. Series: drop rate=0; drop rate=0.2]
6.3.1.2 Timing Based Approaches
S-I [9], S-II [9], S-III [9] and S-IV [9] have the same assumption as DA and DMV,
but are timing based stepping stone detection approaches.
Figure 6.3 demonstrates the results on the public dataset with a delay of 200ms and a
jitter of 50ms. Both S-I and S-III have the max delay parameter set to 300ms. Both
can reach 100% accuracy if there is no packet drop and the duration is very large
(600s). However, when the duration is small (100s), the true negative is lower than
50%. In addition, the true positive drops to nearly 0 for a 600s duration when the drop
rate is 0.2.
Figure 6.4 shows the results on the private dataset with a 6s maximum delay parameter
(�) for S-I and a 3s maximum delay parameter (�) for S-III. We can see that S-I can
almost reach 100% accuracy when the duration is larger than 110s, but such an
abnormally large max delay parameter loses the meaning of its definition. On the
other hand, the maximum accuracy for S-III is only 90%, due to the fact that there are
packet drops during the relay of stepping stones.
[Figure 6.4. Accuracy for S-I and S-III by private dataset. Axes: Duration (s), 20-120, vs Accuracy (%), 0-100. Series: S-I (Max delay = 6s); S-III (Max delay = 3s)]
S-II and S-IV must be used together with other approaches, and we selected the
Deviation approach in our implementation. The function of S-II and S-IV is to filter
packets by their maximum delay constraints before the other approach runs. Initially we
tested whether their filtering can improve the accuracy of the other approach and whether
they can filter out chaff and jitter. On the private dataset, with a 5000ms maximum delay
parameter (�) for S-II and S-IV and a dev parameter of 500 for S-II, S-IV and Deviation,
we achieved the accuracy shown in Figure 6.5. We found they can improve the accuracy
fractionally, but not significantly, since the existence of packet drops destroys the
maximum delay constraint.
[Figure 6.5. Accuracy for Deviation, S-II and S-III by private dataset (legend: Deviation, S-II, S-IV). Axes: Duration (s), 20-140, vs Accuracy (%), 0-100]
[Figure 6.6. Accuracy for S-I, S-II, S-III and S-IV by private dataset with different chaff rate. Axes: Chaff rate, 0-0.8, vs Accuracy (%), 50-100. Series: S-I; S-II; S-III; S-IV]
We also obtained accuracy results with a 60s duration but with different chaff rates
and different jitters on the private dataset, as shown in Figures 6.6 and 6.7. We first
found that S-II and S-IV were increasingly affected by chaffs and jitters, which
means they were unable to filter them out. Then we found that S-I and S-III were also
affected by large amounts of chaff, which is inconsistent with the experimental results
in [9]. In [9], chaffs were only added to the downstream connections, but in our
experiments, chaffs were added to both upstream and downstream connections. Adding
chaffs only to downstream connections maintains the assumption of no packet drops, so
in [9], S-II, S-III and S-IV maintain a high accuracy with chaffs. Lastly, S-I and S-III
are not as affected by jitters, due to the abnormally large max delay parameter.
[Figure 6.7. Accuracy for S-I, S-II, S-III and S-IV by private dataset with different jitter. Axes: Jitters (ms), 0-1000, vs Accuracy (%), 40-100. Series: S-I; S-II; S-III; S-IV]
Therefore, we conclude that the approaches with a max tolerable delay assumption
can achieve a high degree of accuracy when the duration is very large and there
are no packet drops. This means they are not suitable for application in real
environments, due to the existence of packet drops.
6.3.2 Other Approaches
Initially, we ran every approach by the public dataset with a big duration of 600s, and
achieved the accuracy shown in Figure 6.8. We can see if there is no packet drop
nearly all of them can reach 100% accuracy except IPD, since some of the inter-
packet delay of the public dataset is in the order of 1s to 10s, which may mean IPD
fails to get some thresh points.
[Figure 6.8. Accuracy by public dataset with 600s duration (send delay=100ms; echo delay=100ms; jitter=20ms; drop rate=0). Bar chart: Approach (PDBC, APD, SAPD, ON/OFF, Sketching, Deviation, IPD) vs Accuracy (%), 0-100]
Figure 6.9 shows the true positive and true negative rates on the public dataset with a
small duration of 100s. We can see that IPD and deviation have a relatively low
accuracy, and are also affected to a large degree by packet drops. For sketching, the
true negative rate stays low, since the precise sketches inevitably hide some
information of the packet streams when the duration is short.
When there is no drop, ON/OFF can still reach 100% accuracy for the small delay
and jitter. However, with a big delay and jitter, its true positive drops to zero, since in
our experiments the value of the parameter � is the same for a small delay and a big
delay. We attempted a bigger value for �, and found that ON/OFF can still reach 100%
accuracy when there is no packet drop. Therefore, if the parameter can be calculated
according to the streams, the accuracy of ON/OFF will improve significantly.
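The effect described above can be reproduced with a small simulation. The following is an added example, not code from the thesis: it implements the ON/OFF correlation of Zhang and Paxson [2] as I understand it (OFF-to-ON transitions matched within a coincidence window, the matched fraction compared against a threshold; the names idle_t, delta and gamma for the three ON/OFF parameters of Table 6.2 and the exact ratio definition are assumptions), and drives it with constructed interactive streams relayed under the senddelay/jitter/droprate model of the experiments. It assumes no retransmission of dropped packets and exponentially distributed inter-packet gaps, which are simplifications.

```python
"""Added example (not the thesis's own code): ON/OFF correlation of Zhang and
Paxson [2] evaluated under the senddelay/jitter/droprate perturbation model of the
experiments. idle_t, delta and gamma are assumed stand-ins for the three ON/OFF
parameters of Table 6.2; the ratio definition below is an assumption."""
import random


def off_on_transitions(times, idle_t):
    """Timestamps at which a stream turns from OFF to ON, i.e. packets arriving
    more than idle_t seconds after the previous packet of the same stream."""
    transitions, prev = [], None
    for t in times:
        if prev is not None and t - prev > idle_t:
            transitions.append(t)
        prev = t
    return transitions


def coincidences(ta, tb, delta):
    """Count transitions of A and B that lie within delta seconds of each other,
    each transition matched at most once (two-pointer sweep over sorted lists)."""
    i = j = n = 0
    while i < len(ta) and j < len(tb):
        gap = tb[j] - ta[i]
        if abs(gap) <= delta:
            n, i, j = n + 1, i + 1, j + 1
        elif gap < 0:
            j += 1
        else:
            i += 1
    return n


def onoff_correlated(times_a, times_b, idle_t=0.7, delta=0.12, gamma=0.5):
    """Decide whether two streams belong to one connection chain: the fraction of
    OFF->ON transitions that coincide must reach gamma (assumed ratio definition)."""
    ta = off_on_transitions(times_a, idle_t)
    tb = off_on_transitions(times_b, idle_t)
    smallest = min(len(ta), len(tb))
    if smallest == 0:
        return False
    return coincidences(ta, tb, delta) / smallest >= gamma


def interactive_stream(rng, duration, mean_gap=0.3):
    """Constructed stand-in for an interactive SSH stream: packet times with
    exponentially distributed inter-packet gaps (not real captured data)."""
    t, times = 0.0, []
    while True:
        t += rng.expovariate(1.0 / mean_gap)
        if t > duration:
            return times
        times.append(t)


def relay(rng, times, send_delay, jitter, drop_rate):
    """Downstream copy of a stream as seen after a stepping stone: each packet is
    delayed by send_delay plus uniform jitter in [-jitter, jitter]; a fraction
    drop_rate of packets never appears downstream (no retransmission modelled)."""
    out = [t + send_delay + rng.uniform(-jitter, jitter)
           for t in times if rng.random() >= drop_rate]
    out.sort()
    return out


def evaluate(send_delay=0.1, jitter=0.02, drop_rate=0.0, delta=0.12,
             pairs=20, duration=60.0, idle_t=0.7, gamma=0.5, seed=7):
    """Return (true positive rate, true negative rate) of ON/OFF over `pairs`
    relayed stream pairs and `pairs` independent stream pairs."""
    rng = random.Random(seed)
    tp = tn = 0
    for _ in range(pairs):
        upstream = interactive_stream(rng, duration)
        downstream = relay(rng, upstream, send_delay, jitter, drop_rate)
        tp += onoff_correlated(upstream, downstream, idle_t, delta, gamma)
        unrelated = interactive_stream(rng, duration)
        tn += not onoff_correlated(upstream, unrelated, idle_t, delta, gamma)
    return tp / pairs, tn / pairs


if __name__ == "__main__":
    # The settings mirror the small/big delay and jitter cases of Figure 6.9
    # (droprate 0), plus the larger coincidence window mentioned in the text.
    for label, kw in [
        ("delay 100ms, jitter 20ms, delta 120ms", dict()),
        ("delay 200ms, jitter 50ms, delta 120ms", dict(send_delay=0.2, jitter=0.05)),
        ("delay 200ms, jitter 50ms, delta 300ms", dict(send_delay=0.2, jitter=0.05, delta=0.3)),
        ("delay 100ms, jitter 20ms, drop 20%", dict(drop_rate=0.2)),
    ]:
        tp, tn = evaluate(**kw)
        print(f"{label}: TP={tp:.0%} TN={tn:.0%}")
```

With the relay delay (200ms) larger than the fixed window (120ms) no transition can coincide, so the true positive rate is exactly zero; widening the window to 300ms restores detection, which is the parameter dependence the paragraph describes.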
[Figure 6.9 plot: true positive (%) and true negative (%) of PDBC, APD, SAPD, ON/OFF, Sketching, Deviation and IPD on the public dataset under four settings: senddelay=100ms; echodelay=100ms; jitter=20ms; droprate=0 / senddelay=200ms; echodelay=200ms; jitter=50ms; droprate=0 / senddelay=200ms; echodelay=50ms; jitter=50ms; droprate=0 / senddelay=200ms; echodelay=200ms; jitter=50ms; droprate=0.2]
Figure 6.9. True positive and true negative by public dataset with 100s
duration
PDBC, APD and SAPD maintain high accuracy with or without packet drops, and
with either a big or a small delay. However, the true positive of PDBC decreases
greatly for an asymmetric delay.
We then ran every approach on the private dataset with different durations, and
achieved the accuracy shown in Figure 6.10. We can see that PDBC, APD and
SAPD all maintain more than 95% accuracy when the duration is bigger than 10s, and
PDBC has higher accuracy than APD and SAPD when the duration is small.
Sketching and ON/OFF can reach 95% accuracy when the duration is bigger than 60s.
IPD and deviation generally keep an accuracy lower than 90% across the different
durations, although IPD can reach 95% accuracy when the duration is very small. These
results are almost consistent with the results of the public dataset, except that the
accuracy of sketching on the private dataset is much higher than on the public dataset.
[Figure 6.10 plot: accuracy (%) versus duration (s), 10 to 120 s, for PDBC, APD, SAPD, ON/OFF, Sketching, IPD and Deviation on the private dataset]
Figure 6.10. Accuracy by private dataset with different durations
[Figure 6.11 plot: accuracy (%) versus chaff rate, 0 to 0.8, for PDBC, APD, SAPD, ON/OFF, Sketching, IPD and Deviation on the private dataset]
Figure 6.11. Accuracy by private dataset with different chaff rate
[Figure 6.12 plot: accuracy (%) versus jitter (ms), 0 to 1000 ms, for PDBC, APD, SAPD, ON/OFF, Sketching, IPD and Deviation on the private dataset]
Figure 6.12. Accuracy by private dataset with different jitters
This is because the inter-packet delays in the public dataset are much bigger than
those in the private dataset, so on the public dataset sketching needs a very large
duration to achieve high accuracy.
Finally, we ran every approach on the private dataset with a 60s duration and
different chaff rates and jitters, and achieved the accuracy shown in Figures 6.11 and
6.12. Figure 6.11 shows that PDBC, APD and SAPD are hardly affected by chaffs,
sketching is slightly affected by chaffs, and the others are significantly affected by
chaffs. Figure 6.12 shows that APD and SAPD are the only ones hardly affected by
jitter.
The values of parameters for every approach in Figure 6.8 to Figure 6.13 are listed
in Table 6.2.
Table 6.2. Parameter values for stepping stone detection approaches

Approach    Parameter     Fig. 6.8   Fig. 6.9   Fig. 6.10   Fig. 6.11   Fig. 6.12
ON/OFF      idleT (ms)    700        700        700         700         700
ON/OFF      � (ms)        120        120        120         120         120
ON/OFF      �             0.5        0.5        0.4         0.4         0.4
Deviation   dev           1700       1700       500         500         500
IPD         Window size   10         10         10          10          10
IPD         CP�           0.8        0.8        0.8         0.8         0.8
IPD         �             0.7        0.7        0.7         0.7         0.7
Sketching   TSL (ms)      3000       3000       1500        1500        1500
Sketching   #             200        200        70          70          70
PDBC        � (ms)        100        100        50          50          50
PDBC        �             0.3        0.3        0.2         0.2         0.2
APD/SAPD    (none)        -          -          -           -           -
6.3.3 Experimental Results Summary
By examining the experimental results and the previous analysis, we can draw the
following conclusions.
1. IPD, deviation and SI (DM) are not suitable for real-time application.
2. Approaches with the assumption of no packet drops are not suitable for use in real
Internet environments.
3. When there are no packet drops, nearly all approaches, except IPD, can achieve
100% accuracy if the duration is large enough.
4. In real Internet environments, PDBC, APD, SAPD, ON/OFF and sketching can
achieve high accuracy if the duration is big enough.
5. In real Internet environments, PDBC, APD and SAPD can achieve high accuracy if
the duration is small. PDBC is more accurate than APD or SAPD for very small
durations.
6. PDBC, APD and SAPD are hardly affected by chaffs.
7. APD and SAPD are hardly affected by jitters.
Therefore, if we want to apply a stepping stone detection approach in Internet
environments with quick responsiveness, we would select PDBC; if we want a
stepping stone detection approach to have high accuracy, even with chaff and jitter
perturbations, we would select APD or SAPD.
In addition, during the experiments we attempted to use different parameters for
different datasets for nearly all approaches except APD and SAPD. The accuracy is
occasionally low because we did not find the appropriate values for the parameters,
especially the TSL parameter of the sketching approach and the � parameter of
ON/OFF. In this respect, APD and SAPD have no parameters, and can easily be
applied to any dataset. As we mentioned before, ON/OFF can be improved by
calculating the � parameter, and the sketching approach can be improved by
calculating the TSL parameter according to the streams.
6.4 Summary
The insufficient application of stepping stone detection approaches in real Internet
environments, and the absence of highly quantitative comparative studies of stepping
stone detection approaches, are still current issues for stepping stone research. In this
chapter, we implemented a total of 13 stepping stone detection algorithms, extracted
SSH data from public traces containing millions of packets, and obtained genuine
stepping stone connection chain data from the Internet. We established a set of criteria
and ran these algorithms in several scenarios with different datasets. Based on the
experimental results and analysis, we drew conclusions about the real-time
application of stepping stone detection approaches, their accuracy, and the impact of
assumptions, chaffs and jitters. In addition, we provided suggestions for improving
stepping stone detection approaches.
Chapter 7 Conclusions and Future Work
142
Chapter 7
Conclusions and Future Work
This chapter summarises the main contributions of this thesis on detecting stepping
stones in real Internet environments, and presents the significance of this research.
Finally, we make suggestions for improving our research in the future.
7.1 Conclusions
7.1.1 Major Contributions
The Internet has become increasingly critical, but at the same time, Internet attacks
have increased significantly. One of the most important reasons for this is that
attackers are able to easily hide their identities and evade punishment by relaying their
attacks through stepping stones. To date, stepping stone detection systems have
already been proposed; however, challenges remain in applying them in Internet
environments and in whether they resist evasion. The aim of the research in this
thesis has been to develop stepping stone detection systems which can provide
effective and efficient stepping stone detection in real Internet environments, and to
identify evasion techniques used by attackers. We have achieved these aims, and the
main contributions of our research can be summarised as follows.
• We proposed a real-time RTT getting algorithm for stepping stone detection.
The proposed Estimation Based Algorithm (EBA) can provide RTTs for RTT
based stepping stone detection systems to identify correlated connections, and
it can also provide RTTs for non-RTT based stepping stone detection systems
to calculate important parameters. The experiments show that our algorithm is
far more precise than other real-time RTT getting algorithms. We also present
a theoretical analysis from the probability point of view, which shows that our
algorithm has a high matching rate and an accuracy rate similar to that of the
complicated non-real-time SDBA [51] approach. By proposing the EBA, the
stepping stone detection systems [48] which cannot be applied in practice, and
those [2] for which it is hard to select parameters, may become practical.
• We proposed the Packet Delay Bidirectional Comparison (PDBC) scheme,
which is a simple but practical stepping stone detection system. It does not
assume that no packets are dropped, and it is designed for high efficiency. Our
experiments show that the proposed scheme can achieve more than 90%
accuracy by monitoring for 2 seconds and more than 95% accuracy by
monitoring for 10 seconds, in addition to a low computation cost. Compared to
most stepping stone detection systems, it has the quickest responsiveness when
applied in Internet environments.
• We were the first to propose upper bounds on the probability that normal
streams present the timing feature of stepping stone attack streams, and the
first to apply them to stepping stone detection. We also designed the Abnormal
Probability Detection algorithm (APD) and the Speedy Abnormal Probability
Detection algorithm (SAPD), which can accurately detect stepping stones even
if there is big jitter and a high chaff rate. We compared the two proposed
stepping stone detection systems with many previous ones, and the experiments
show that the two proposed systems are more resistant to chaffs and jitters than
previous ones. These two stepping stone detection systems also maintain high
accuracy for detecting stepping stone attack streams with no chaff and jitter
perturbations. In addition, no parameters need to be adjusted in the APD and
SAPD algorithms, so they are suitable for application in practice.
• We presented a highly quantitative comparative experimental analysis of network
based passive stepping stone detection systems. Based on the implementation
of the 13 stepping stone detection systems, the extraction of SSH data from
public traces with millions of packets, and the capture of genuine stepping
stone connection chain data from the Internet, we tested these stepping stone
detection systems in several scenarios using uniform criteria. According to the
experimental results and analysis, we drew conclusions about the real-time
application of stepping stone detection systems, the accuracy of stepping stone
detection systems, the impact of assumptions, and the impact of chaffs and
jitters. In addition, we presented some suggestions for improving previous
stepping stone detection systems.
7.1.2 Significance of this Thesis
The proposed RTT getting algorithm for stepping stones, and the stepping stone
detection schemes described in this thesis, can bring significant benefits to both
academia and industry. The significance of this thesis may be summarised as follows:
• Networks have dramatically changed the daily activities of people, particularly
in how we communicate and how we learn and conduct business.
Unfortunately, while enjoying the convenience of the Internet, we also have to
deal with network security problems. Attackers from anywhere may attack a
site at any time, causing near irreparable damage. One of the reasons for this is
that attackers can very easily hide their identities and evade the deserved
punishment by relaying their attacks through stepping stones. Therefore, this
research into stepping stone detection systems in Internet environments is very
important and highly practical.
• The RTT getting algorithm is critical for stepping stone detection. Due to the
absence of a real-time precise RTT getting algorithm, some stepping stone
detection systems [48] cannot be applied in practice, and some of them cannot be
easily employed [2]. Therefore, the proposed RTT getting algorithm will
accelerate the application of stepping stone detection systems in industry and
also advance the research on stepping stone detection systems in academia.
• The profound analysis presented in the comparative experimental study on
network based passive stepping stone detection can benefit further research
in this area. At the same time, it provides a sound reference for the application of
stepping stone detection systems in industry.
• Since we focus our research on real application, the proposed stepping stone
detection schemes and RTT getting algorithm described in this thesis can be
directly adopted by industry, which has the potential to change the current
stagnant application of stepping stone detection systems in industry.
7.2 Future Work
This thesis has developed several stepping stone detection systems and compared
most network based passive stepping stone detection systems. However, there is room
for further improvement. Below, we outline some issues that have arisen from this
thesis and future directions for this work. This list is intended to be neither detailed
nor comprehensive, but merely suggests some possible ideas for developing the work
explored in this thesis further.
• Improve some aspects of the experiments conducted. The experiments on chaffs
and jitters were based on simulation. In future work, we would like to use
real-life SSH data with chaffs and jitters, generated using the SNEAK tool [46] or by
directly modifying the SSH client and server software. Secondly, the scale of the
data in our experiments was not large enough, so we would like to collect more
private or public data to conduct a scalable experiment in the future.
• Improve some aspects of the algorithms. When there are very large jitters, the
EBA RTT getting algorithm does not work well. In this scenario, we would like
to treat an RTT with big fluctuation as an anomaly, and be able to notify
the stepping stone detection system. Secondly, while we presented some
improvements for other approaches, in future work we would like to
implement and evaluate them.
• Detect non-interactive connections. In this thesis, our research focuses on
interactive connections. Although attackers normally launch attacks via
interactive connections, one-way communication is still possible. In future
work, we will consider applying the probability bounds to one-way
communication.
• Develop a stepping stone detection device. In this thesis, all of our proposed
algorithms can be run in real time; however, in our experiments we ran them
off-line. In future work, we will consider the development of a real stepping
stone detection device which can be run on the Internet.
• Identify legal stepping stone connections. In this thesis, our aim is to detect
connections in the same connection chain. But some of them may not be attack
traffic, as normal users may also construct a connection chain. Even so, the
traffic pattern is usually different for normal users and attackers. In
future work, we will consider a system to distinguish between legal connections
and stepping stone attack connections.
Bibliography
149
Bibliography
[1] S. Staniford-Chen and L.T. Heberlein: "Holding Intruders Accountable on the Internet", Proc. 1995 IEEE Symposium on Security and Privacy, 1995, pp. 39-49.
[2] Y. Zhang and V. Paxson: "Detecting Stepping-Stones", Proc. 9th USENIX Security Symposium, 2000, pp. 67-81.
[3] K. Yoda and H. Etoh: "Finding a Connection Chain for Tracing Intruders", Proc. 6th European Symposium on Research in Computer Security (LNCS 1985), 2000, pp. 31-42.
[4] X. Wang, D.S. Reeves, and S.F. Wu: "Inter-packet delay based correlation for tracing encrypted connections through Stepping-Stones", Proc. 7th European Symposium on Research in Computer Security (ESORICS 2002), 2002, pp. 244-263.
[5] D.L. Donoho, A.G. Flesia, U. Shankar, V. Paxson, J. Coit, and S. Staniford: "Multiscale Stepping-Stone detection: Detecting pairs of jittered interactive streams by exploiting maximum tolerable delay", Proc. 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), 2002, pp. 49-64.
[6] X. Wang and D.S. Reeves: "Robust correlation of encrypted attack traffic through Stepping-Stones by manipulation of interpacket delays", Proc. 10th ACM Conference on Computer and Communications Security (CCS 2003), 2003, pp. 20-29.
[7] W.T. Strayer, C.E. Jones, I. Castineyra, J.B. Levin, and R.R. Hain: "An integrated architecture for attack attribution", BBN Technologies, Tech. Rep. BBN REPORT-8384, 2003.
[8] A. Blum, D. Song, and S. Venkataraman: "Detection of interactive Stepping-Stones: Algorithm and confidence bounds", Proc. 7th International Symposium on Recent Advances in Intrusion Detection (RAID 2004), 2004.
[9] L. Zhang, A.G. Persaud, A. Johnson, and Y. Guan: "Stepping-Stone Attack Attribution in Non-Cooperative IP Networks", Proc. 25th IEEE International Performance Computing and Communications Conference (IPCCC 2006), 2006.
[10] T. He and L. Tong: "A Signal Processing Perspective to Stepping-Stone Detection", Proc. 2006 Conference on Information Sciences and Systems, Princeton, NJ, March 2006.
[11] P. Peng, P. Ning, and D.S. Reeves: "On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques", Proc. 2006 IEEE Symposium on Security and Privacy (S&P), May 2006, pp. 334-349.
[12] K.H. Yung: "Detecting long connection chains of interactive terminal sessions", RAID 2002, Lecture Notes in Computer Science, vol. 2516, Jan 2002, pp. 1-16.
[13] J. Yang and S. Huang: "A Real-Time Algorithm to Detect Long Connection Chains of Interactive Terminal Sessions", Proc. InfoSecu04, Shanghai, China, 2004, pp. 198-203.
[14] J. Yang and S.-H. Huang: "Matching TCP packets and its application to the detection of long connection chains on the Internet", Proc. 19th International Conference on Advanced Information Networking and Applications (AINA 2005), March 2005, pp. 1005-1010.
[15] A. Almulhem and I. Traore: "A Survey of Connection-Chains Detection Techniques", 2007 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, 2007.
[16] J. Yang and S.-H. S. Huang: "Matching TCP/IP Packets to Detect Stepping-Stone Intrusion", International Journal of Computer Science and Network Security (IJCSNS), vol. 6, no. 10, Oct. 2006, pp. 269-276.
[17] P. Peng, P. Ning, D.S. Reeves, and X. Wang: "Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets", Proc. 2nd International Workshop on Security in Distributed Computing Systems (SDCS), Jun. 2005, pp. 107-113.
[18] X. Wang, D.S. Reeves, S.F. Wu, and J. Yuill: "Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework", Proc. 16th International Conference on Information Security (IFIP/Sec), Jun. 2001, pp. 369-384.
[19] X. Wang, D.S. Reeves, P. Ning, and F. Feng: "Robust network-based attack attribution through probabilistic watermarking of packet flows", Technical Report TR-2005-10, Department of Computer Science, NC State Univ., 2005.
[20] T. He and L. Tong: "Detecting Encrypted Stepping-Stone Connections", Tech. Rep. ACSPTR-01-06-02, Cornell University, January 2006.
[21] T. He and L. Tong: "Detecting Encrypted Interactive Stepping-Stone Connections", Proc. 2006 IEEE International Conference on Acoustics, Speech, and Signal Processing, Toulouse, France, May 2006.
[22] L. Zhang, A.G. Persaud, A. Johnson, and Y. Guan: "Detection of Stepping-Stone attack under delay and chaff perturbations", 25th IEEE International Performance Computing and Communications Conference (IPCCC), Phoenix, AZ, 2006.
[23] T. He, P. Venkitasubramaniam, and L. Tong: "Packet Scheduling Against Stepping-Stone Attacks with Chaff", Proc. IEEE MILCOM, Cornell University, October 2006.
[24] T. He and L. Tong: "Detecting Information Flows: Improving Chaff Tolerance by Joint Detection", CISS 2007, pp. 51-56.
[25] Y.J. Pyun and D.S. Reeves: "Strategic Deployment of Network Monitors for Attack Attribution", Proc. 4th Intl. Conf. on Broadband Communications, Networks, and Systems (IEEE Broadnets 2007), September 2007.
[26] J. Yang, S.-H. S. Huang, and M.D. Wan: "A clustering partitioning algorithm to find TCP packet round-trip time for intrusion detection", Proc. 20th International Conference on Advanced Information Networking and Applications (AINA 2006), vol. 1, 18-20 April 2006, 6 pp.
[27] M.N. Omar, M.A. Maarof, and A. Zainal: "Solving time gap problems through the optimization of detecting Stepping-Stone algorithm", Proc. 4th International Conference on Computer and Information Technology (CIT '04), 14-16 Sept. 2004, pp. 391-396.
[28] J. Yang and S.-H. S. Huang: "Correlating Temporal Thumbprints for Tracing Intruders", Proc. 3rd International Conference on Computing, Communications and Control Technologies (CCCT'05), Austin, TX, July 2005.
[29] W.T. Strayer, C. Jones, B. Schwartz, S. Edwards, W. Milliken, and A. Jackson: "Efficient Multi-Dimensional Flow Correlation", Proc. 32nd IEEE Conference on Local Computer Networks (October 15-18, 2007), IEEE Computer Society, Washington, DC, pp. 531-538.
[30] W.T. Strayer, C.E. Jones, B.I. Schwartz, J. Mikkelson, and C. Livadas: "Architecture for multi-stage network attack traceback", Proc. IEEE Conference on Local Computer Networks 30th Anniversary (November 15-17, 2005), IEEE Computer Society, Washington, DC, pp. 776-785.
[31] M.N. Omar, M.A. Maarof, and A. Zainal: "The Optimization of Stepping-Stone Detection: Packet Capture Steps", Jurnal Teknologi, vol. 44, no. (D), Jun 2006, pp. 1-14.
[32] Y. Tang, Y. Liverpool, and T.E. Daniels: "Monitor placement for Stepping-Stone analysis", 25th IEEE International Performance, Computing, and Communications Conference (IPCCC 2006), 10-12 April 2006, pp. 509-512.
[33] S.-H. S. Huang, R. Lychev, and J. Yang: "Stepping-Stone Detection Via Request-Response Traffic Analysis", ATC 2007, pp. 276-285.
[34] Y.J. Pyun, Y.H. Park, X.Y. Wang, D.S. Reeves, and P. Ning: "Tracing Traffic Through Intermediate Hosts that Repacketize Flows", Proc. 26th Annual IEEE Conf. on Computer Communications (Infocom 2007), May 2007.
[35] B. Coskun and N. Memon: "Efficient Detection of Delay-Constrained Relay Nodes", 23rd Annual Computer Security Applications Conference (ACSAC 2007), 10-14 Dec. 2007, pp. 353-362.
[36] A. Chantler and R. Broadhurst: "Social Engineering and Crime Prevention in Cyberspace", Technical Report, Justice, Queensland University of Technology, 2006.
[37] E. Messmer: "Cyber Espionage: A Growing Threat to Business", PC World, January 21, 2008.
[38] B. Coskun and N. Memon: "Online Sketching of Network Flows for Real-Time Stepping-Stone Detection", Proc. Annual Computer Security Applications Conference, 2009, pp. 473-483.
[39] P. Li, W. Zhou, and Y. Wang: "Getting the Real-Time Precise Round-Trip Time for Stepping Stone Detection", Proc. 4th International Conference on Network and System Security (NSS), Melbourne, Australia, 2010.
[40] G. Gu, J. Zhang, and W. Lee: "BotSniffer: Detecting botnet command and control channels in network traffic", Proc. 15th Annual Network and Distributed System Security Symposium (NDSS'08), 2008.
[41] G. Gu, R. Perdisci, J. Zhang, and W. Lee: "BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection", USENIX Security, 2008.
[42] S. Kent and R. Atkinson: "RFC 2401: Security Architecture for the Internet Protocol", IETF, September 1998, draft-ietfipsec-arch-sec.
[43] T. Ylonen: "IETF Internet Draft: SSH Protocol Architecture", IETF, March 2005, draft-ietf-secsharchitecture-22.
[44] M.N. Omar, L. Siregar, and R. Budiarto: "Dropped Packet Problems in Stepping-Stone Detection", IJCSNS International Journal of Computer Science and Network Security, vol. 8, no. 2, February 2008.
[45] M. Venkateshaiah and M. Wright: "Evading Stepping-Stone Detection Under the Cloak of Streaming Media", Tech. Report, Department of Computer Science and Engineering, University of Texas at Arlington, Arlington, TX 76019, 2007.
[46] J.D. Padhye and M. Wright: "Stepping-Stone Network Attack Kit (SNEAK) For Evading Timing-based Detection Methods Under The Cloak Of Constant Rate Multimedia Streams", Computer Science & Engineering, 17 Sep. 2008.
[47] M. Venkateshaiah and M. Wright: "Evading Existing Stepping-Stone Detection Methods Using Buffering", Computer Science & Engineering, 23 Aug. 2007.
[48] J. Yang and S.-H. S. Huang: "Improved Thumbprint and Its Application for Intrusion Detection", Proc. 3rd International Conference on Computer Network and Mobile Computing (ICCNMC), Zhangjiajie, China, August 2-4, 2005, pp. 433-442.
[49] A. Kampasi, Y. Zhang, G. Di Crescenzo, A. Ghosh, and R. Talpade: "Improving Stepping-Stone Detection Algorithms using Anomaly Detection Techniques", The University of Texas at Austin, Department of Computer Sciences, Report TR-07-28, May 21, 2007, 8 pages.
[50] S.C. Lee and C. Shields: "Tracing the Source of Network Attack: A Technical, Legal, and Societal Problem", Proc. 2001 IEEE Workshop on Information Assurance and Security, West Point, NY, June 2001.
[51] J. Yang and S. Huang: "Probabilistic Analysis of an Algorithm to Compute TCP Packet Round-Trip Time for Intrusion Detection", Computers and Security, Elsevier Ltd., vol. 26, 2007, pp. 137-144.
[52] http://www.wand.net.nz/wits/auck/9/
[53] C. Chen, M. Mangrulkar, N. Ramos, and M. Sarkar: "Trends in TCP/IP Retransmissions and Resets", Technical Report, http://cseweb.ucsd.edu/classes/wi01/cse222/projects/reports/tcp-flags-13.pdf
[54] H.-C. Wu and S.-H. S. Huang: "Detecting stepping-stone with chaff perturbations", Proc. 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW '07), 2007, pp. 85-90.
[55] D. Knuth: "The Art of Computer Programming", 3rd ed., vol. 1, 1997, p. 98.
[56] D.L. Mills: "Internet Delay Experiments", IETF RFC 889, http://www.ietf.org/rfc/rfc889.txt, 1983.
[57] Department of the Air Force and Air Force Materiel Command: "Network attack traceback", April 2005.
[58] H.-C. Wu and S.-H. S. Huang: "Performance of Neural Networks in Stepping-Stone Intrusion Detection", IEEE International Conference on Networking, Sensing and Control (ICNSC 2008), 6-8 April 2008, pp. 608-613.
[59] X. Wang: "The loop fallacy and serialization in tracing intrusion connections through Stepping-Stones", SAC 2004, pp. 404-411.
[60] X. Wang: "The Loop Fallacy and Deterministic Serialization in Tracing Intrusion Connections Through Stepping-Stones", International Journal of Security and Networks, vol. 1, no. 3/4, 2006.
[61] J. Postel: "RFC 793 - Transmission Control Protocol", September 1981, http://www.faqs.org/rfcs/rfc793.html
[62] J. Postel: "RFC 768 - User Datagram Protocol", August 1980, http://www.faqs.org/rfcs/rfc768.html
[63] J. Postel: "RFC 792 - Internet Control Message Protocol", September 1981, http://www.faqs.org/rfcs/rfc792.html
[64] Z. Trabelsi, W. El-Hajj, and S. Hamdy: "Implementation of an ICMP-based covert channel for file and message transfer", 15th IEEE International Conference on Electronics, Circuits and Systems (ICECS 2008), Aug. 31 - Sept. 3, 2008, pp. 894-897.
[65] J. Postel and J. Reynolds: "RFC 854 - Telnet Protocol Specification", May 1983, http://www.faqs.org/rfcs/rfc854.html
[66] T. Ylonen and C. Lonvick: "RFC 4251 - The Secure Shell (SSH) Protocol Architecture", January 2006, http://www.ietf.org/rfc/rfc4251.txt
[67] J. Oikarinen and D. Reed: "RFC 1459 - Internet Relay Chat Protocol", May 1993, http://www.ietf.org/rfc/rfc1459.txt
[68] J. Yang and S. Huang: "Mining TCP/IP Packets to Detect Stepping-Stone Intrusion", Computers and Security, Elsevier Ltd., vol. 26, 2007, pp. 479-484.
[69] Q. Li and D.L. Mills: "On the long-range dependence of packet round-trip delays in Internet", Proc. International Conference on Communications (ICC'98), Atlanta, USA, no. 1, 1998, pp. 1185-1192.
[70] T. Elteto and S. Molnar: "On the Distribution of Round-Trip Delays in TCP/IP Networks", Proc. 24th Annual IEEE Conference on Local Computer Networks, 1999, p. 172.
[71] J. Yang and S. Huang: "Probabilistic Analysis of an Algorithm to Compute TCP Packet Round-Trip Time for Intrusion Detection", Computers and Security, Elsevier Ltd., vol. 26, 2007, pp. 137-144.
[72] Y. Zhang, J. Yang, and C. Ye: "Modeling and Detecting Stepping-Stone Intrusion", IJCSNS International Journal of Computer Science and Network Security, vol. 9, no. 7, July 2009.
[73] W. Feller: Probability Theory and its Applications, Volume 1, John Wiley and Sons, Inc., 1968.
[74] V. Paxson and S. Floyd: "Wide-area traffic: The failure of Poisson modeling", IEEE/ACM Transactions on Networking, vol. 3, 1995, pp. 226-244.
[75] OpenSSH, http://www.openssh.com
[76] Cygwin, http://www.cygwin.com/
[77] Wireshark, http://www.wireshark.org/
[78] PuTTY, http://www.chiark.greenend.org.uk/~sgtatham/putty/
[79] KpyM, http://www.kpym.com/2/kpym/index.htm
[80] Jackson network, http://en.wikipedia.org/wiki/Jackson_network
[81] Little's law, http://en.wikipedia.org/wiki/Little's_law
[82] Poisson distribution, http://en.wikipedia.org/wiki/Poisson_distribution
[83] Expected value, http://en.wikipedia.org/wiki/Expected_value
[84] Probability theory, http://en.wikipedia.org/wiki/Probability_theory
[85] Normal distribution, http://en.wikipedia.org/wiki/Normal_distribution
[86] Exponential distribution, http://en.wikipedia.org/wiki/Exponential_distribution
[87] Jensen's inequality, http://en.wikipedia.org/wiki/Jensen's_inequality
[88] Chebyshev's inequality, http://en.wikipedia.org/wiki/Chebyshev's_inequality
[89] DDoS, http://en.wikipedia.org/wiki/Denial-of-service_attack
[90] Queueing theory, http://en.wikipedia.org/wiki/Queueing_theory
[91] M.N. Omar and R. Budiarto: "Hybriding Intelligent Host-Based and Network-Based Stepping Stone Detections", Machine Learning and Systems Engineering, Lecture Notes in Electrical Engineering, vol. 68, 2010, pp. 83-95.
[92] J. Xin, L. Zhang, B. Aswegan, J. Dickerson, T. Daniels, and Y. Guan: "A Testbed for Evaluation and Analysis of Stepping Stone Attack Attribution Techniques", 2nd International Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities (TRIDENTCOM 2006), 2006, 9 pp.
[93] J. Aikat, J. Kaur, F.D. Smith, and K. Jeffay: "Variability in TCP round-trip times", Proc. ACM SIGCOMM Internet Measurement Conference (IMC), 2003, pp. 279-284.
[94] P. Karn and C. Partridge: "Improving round-trip time estimates in reliable transport protocols", Proc. ACM Workshop on Frontiers in Computer Communications Technology, August 11-13, 1987, Stowe, Vermont, United States, pp. 2-7.
[95] F. Leu: "Intrusion Detection, Forecast and Traceback Against DDoS Attacks", 2009, http://jitas.im.cpu.edu.tw/2009/2.pdf
[96] W. Zhou: "Keynote III: Detection and traceback of DDoS attacks", 8th IEEE International Conference on Computer and Information Technology (CIT 2008), 2008.
[97] H. Jung, H. Kim, Y. Seo, G. Choe, S. Min, C. Kim, and K. Koh: "Caller Identification System in the Internet Environment", Proc. 4th USENIX Security Symposium, vol. 246, 1993.
[98] S. Snapp, J. Brentano, G. Dias, T. Goan, L. Heberlein, C. Ho, K. Levitt, B. Mukherjee, S. Smaha, T. Grance, et al.: "DIDS (Distributed Intrusion Detection System) - Motivation, Architecture, and an Early Prototype", Proc. 14th National Computer Security Conference, 1991, pp. 167-176.
[99] T. Yan and M. Veeraraghavan: "Networks of Queues", 2004, http://www.ece.virginia.edu/mv/edu/715/lectures/QNet.pdf
[100] R. Shullich, J. Chu, P. Ji, and W. Chen: "A Survey of Research in Stepping-Stone Detection", Proc. International Conference on Internet Studies (NETs2010), Taiwan, 2010.