Detecting Stepping Stones in Internet Environments

by

Ping Li B.Eng. (University of Electronic Science and Technology of China)

M.Eng. (University of Electronic Science and Technology of China)

Submitted in Fulfillment of the requirements for the degree of

Doctor of Philosophy

Deakin University

February, 2011

Acknowledgements

I would like to express my sincere gratitude and profound thanks to my supervisor Professor Wanlei Zhou for his supportive supervision, helpful criticism, valuable suggestions and endless patience. Without his inspiring enthusiasm and encouragement, this work could not have been completed. He generously provided me with his time, effort and insightful advice at all times, and guided me through the door leading to becoming a successful researcher.

I would like to thank many staff members in the School of Information Technology, Deakin University: Professor Lynn Batten, Professor Andrez Goscinski, Dr. Robin Doss, Dr. Yang Xiang, Dr. Shang Gao, Dr. Gang Li, Dr. Ming Li, Dr. Shui Yu, Mr. Jun Zhang and Dr. Shuyuan Jin, among others. I am also grateful to Ms. Georgina Cahill, Mr. Nghia Dang and other staff in the school for their valuable help.

I would also like to thank my friends and colleagues for their wonderful help with my research and life: Dr. Ke Li, Dr. Ashley Chonka, Dr. Leanne Ngo, Dr. Yiqing Tu, Dr. Faye Ferial Khaddage, Miss Yini Wang, Mr. Theerasak Thapngam, Mr. Alessio Bonti, Mr. Longxiang Gao, Mr. Yongli Ren, Ms. Wei Zhou, Mr. Sheng Wen, Ms. Yanli Yu, Mr. Min Gan, Miss Jia Rong and many others.

I cannot end without thanking my family, which includes my lovely parents, my dad Zhongxin Li and my mum Xianglian Wang, for their continued support. Also a special thanks to the love of my life Yu Deng for his encouragement, care and love, and to my angels, Keyue and Kezhuo, for their patience and understanding.

Publications

During my PhD candidature, the following research papers were published or accepted in fully refereed international conference proceedings and journals.

• Yu, Y., Li, K., Zhou, W. and Li, P., Trust Mechanisms in Wireless Sensor Networks: Attack Analysis and Countermeasures, Journal of Networking and Computer Applications. Accepted: 12/12/2010 (ERA Rank A, Impact Factor=1.111).

• Li, P., Zhou, W. and Wang, Y. (2010) Getting the Real-Time Precise Round-Trip Time for Stepping Stone Detection, NSS 2010 Proceedings of the 3rd IEEE International Conference on Network & System Security, IEEE Computer Society Press, United States, pp. 377-382.

• Li, P., Zhou, W. and Yu, Y. (2010) A Quick-Response Real-Time Stepping Stone Detection Scheme, HPCC 2010 Proceedings of the 12th IEEE International Conference on High Performance Computing and Communications, IEEE Computer Society Press, United States, pp. 677-682.

• Li, K., Zhou, W., Li, P., Hai, J. and Liu, J. (2009) Distinguishing DDoS Attacks from Flash Crowds Using Probability Metrics, NSS 2009 Proceedings of the 3rd IEEE International Conference on Network & System Security, IEEE Computer Society Press, United States, pp. 9-17.

• Li, K., Zhou, W. and Li, P. (2009) Reliable Downloading Algorithms for BitTorrent-like Systems, NPC 2009 Proceedings of the 6th IFIP International Conference on Network and Parallel Computing, IEEE Computer Society Press, United States, pp. 167-173.

• Li, P., Zhou, W. and Li, K. (2008) An Operational Approach to Validate the Path of BGP, Lecture Notes in Computer Science, Volume 5022/2008, pp. 133-143, Springer Berlin / Heidelberg.

• Li, K., Zhou, W., Yu, S. and Li, P. (2007) Novel Data Management Algorithms in Peer-to-Peer Content Distribution Networks, Lecture Notes in Computer Science, Volume 4798/2007, pp. 538-543, Springer, Germany.

ABSTRACT

Although many countermeasures and much legislation have been developed against Internet attacks, the number of attacks is still on the rise, causing devastating consequences such as disruption of critical infrastructure, significant financial loss, and endangerment of public life. One critical question that researchers and law enforcement agencies still cannot answer easily is: where do Internet attacks really come from? Attackers can easily hide their identities and evade punishment by relaying their attacks through a series of compromised systems or devices, which are called stepping stones. Attackers also make detection more difficult by using evasive techniques such as introducing dummy packets into the stream and introducing delay into the timing of the packet stream. The goal of this thesis is to develop an effective and efficient scheme, along with a number of related algorithms, to detect stepping stones in real Internet environments, even when evasion techniques are used by attackers.

This thesis is organized as follows. Chapter 1 presents an introduction to stepping stone attacks and the important issues related to stepping stone detection. Chapter 2 provides a brief but in-depth introduction to the major characteristics of stepping stone attacks and a detailed survey of the related work on detecting stepping stones. Chapters 3 to 6 present our major contributions to detecting stepping stones. In Chapter 3, we propose a real-time Round Trip Time (RTT) getting algorithm for stepping stones, which can be employed by RTT-based stepping stone detection approaches to detect stepping stones directly, or used by other stepping stone detection approaches to select the values of important parameters. A simple but effective stepping stone detection scheme which can be employed on the Internet is proposed in Chapter 4. Two stepping stone detection algorithms that are highly resistant to evasion techniques are proposed in Chapter 5. In Chapter 6, we present a quantitative and comparative study of network-based passive stepping stone detection proposals based on a series of experiments. Finally, Chapter 7 summarizes the contributions of this thesis and discusses future work.

Table of Contents

Acknowledgements ............................................................................. IV

Publications ........................................................................................... V

ABSTRACT ....................................................................................... VII

Table of Contents ............................................................................. VIII

List of Figures .................................................................................... XII

List of Tables ...................................................................................... XV

Chapter 1 Introduction .......................................................................... 1

1.1 Motivation and Rationale ............................................................................ 1

1.2 Contributions of This Thesis ....................................................................... 4

1.3 Approaches of This Thesis .......................................................................... 6

1.4 Organization of This Thesis ........................................................................ 8

Chapter 2 Background ........................................................................ 10

2.1 Attacks Using Stepping Stone ................................................................... 10

2.2 Stepping Stone Detection .......................................................................... 13

2.2.1 Introduction to Stepping Stone Detection Systems ............................ 13

2.2.2 Evading Detection ............................................................................. 15

2.3 Network-Based Passive Stepping Stone Detection Systems ...................... 16

2.3.1 Content Correlation ........................................................................... 16

2.3.2 Count Correlation .............................................................................. 17

2.3.3 Timing Correlation ............................................................................ 20

2.3.4 RTT Correlation ................................................................................ 27

2.3.5 Others ............................................................................................... 28

2.4 Summary .................................................................................................. 29

Chapter 3 Getting the Real-Time Round-Trip Time for Stepping Stone Detection ................ 30

3.1 Introduction .............................................................................................. 31

3.2 Motivation ................................................................................................ 33

3.3 Estimation-Based Algorithm (EBA) .......................................................... 37

3.3.1 The Estimating Module ..................................................................... 38

3.3.2 The Matching Module ....................................................................... 41

3.4 Evaluation ................................................................................................ 44

3.4.1 Matching Rate ................................................................................... 44

3.4.2 Accurate Rate.................................................................................... 46

3.5 Application ............................................................................................... 49

3.6 Summary .................................................................................................. 54

Chapter 4 Detecting Stepping Stones in Real Internet Environments ................ 56

4.1 Introduction .............................................................................................. 56

4.2 Definitions and Property for Packet Delay ................................................ 58

4.2.1 Related Definitions ........................................................................... 58

4.2.2 Property of Packet Delay ................................................................... 60

4.3 Algorithm and Analysis ............................................................................ 64

4.3.1 PDBC Algorithm .............................................................................. 64

4.3.2 Analysis ............................................................................................ 65

4.4 Experiments .............................................................................................. 69

4.4.1 Data Source and Testing Method ....................................................... 69

4.4.2 Experimental Results ........................................................................ 72

4.5 Summary .................................................................................................. 79

Chapter 5 Detecting Chaffed and Jittered Stepping Stone Connections ................ 81

5.1 Introduction .............................................................................................. 82

5.2 Related Works .......................................................................................... 83

5.3 Probability Analysis .................................................................................. 84

5.3.1 Related Definitions ........................................................................... 85

5.3.2 Modelling Connection Streams ......................................................... 87

5.3.3 Probability Bound under Poisson Model with Varying Rate .............. 88

5.3.4 Probability Bound under Poisson Model with a Fixed Rate ............... 91

5.4 Algorithm and Analysis ............................................................................ 93

5.4.1 Abnormal Probability Detection Algorithm ....................................... 94

5.4.2 Speedy Abnormal Probability Detection Algorithm ........................... 98

5.4.3 Analysis and Improvement ................................................................ 98

5.5 Experiment and Results .......................................................................... 101

5.5.1 Experiment Design .......................................................................... 101

5.5.2 Experiment Results ......................................................................... 103

5.6 Summary ................................................................................................ 116

Chapter 6 Experimental Analysis for Stepping Stone Detection Approaches ................ 117

6.1 Introduction ............................................................................................ 118

6.2 Design of Experiments ............................................................................ 119

6.2.1 The Implementation of Stepping Stone Detection Approaches ........ 119

6.2.2 Private Dataset ................................................................................ 124


6.2.3 Public Dataset ................................................................................. 126

6.3 Evaluation Results .................................................................................. 130

6.3.1 The Approaches having Maximum Delay Assumption .................... 130

6.3.2 Other Approaches ........................................................................... 135

6.3.3 Experimental Results Summary....................................................... 140

6.4 Summary ................................................................................................ 141

Chapter 7 Conclusions and Future Work ........................................ 142

7.1 Conclusions ............................................................................................ 142

7.1.1 Major Contributions ........................................................................ 142

7.1.2 Significance of this Thesis............................................................... 145

7.2 Future Work ........................................................................................... 146

Bibliography ....................................................................................... 149


List of Figures

Figure 1.1. DDOS attack using stepping stones ......................................................... 2

Figure 2.1. Attacks using stepping stones ................................................................ 11

Figure 2.2. Steal secure data using stepping stones. Source [33] .............................. 12

Figure 3.1. Stepping stone chain between Attacker and Target ................................ 35

Figure 3.2. RTT distribution .................................................................................... 39

Figure 3.3. �RTT distribution.................................................................................. 40

Figure 3.4. Matching module processing ................................................................. 43

Figure 3.5. One connection with simple inputting commands by slow typing speed . 50

Figure 3.6. One connection with complex inputting commands by quick typing speed ........ 51

Figure 3.7. One chain with simple inputting commands by slow typing speed ......... 52

Figure 3.8. One chain with complex inputting commands by quick typing speed ..... 53

Figure 4.1. Stepping stone packet delay ................................................................... 62

Figure 4.2. Experimental topology for data source ................................................... 69

Figure 4.3. False negative with different � .............................................................. 71

Figure 4.4. False positive with different � ............................................................... 71

Figure 4.5. False negative with different �. .............................................................. 73

Figure 4.6. False positive with different � ................................................................ 73

Figure 4.7. False negative for PDBC,sketching and IPD .......................................... 74


Figure 4.8. False positive for PDBC,sketching and IPD ........................................... 74

Figure 4.9. Accuracy for PDBC, sketching and IPD ................................................ 75

Figure 4.10. Accuracy for PDBC with different chaff rate ....................................... 77

Figure 4.11. Accuracy for sketching with different chaff rate................................... 78

Figure 4.12. Accuracy for IPD with different chaff rate ........................................... 78

Figure 5.1. The timing causality on a stepping stone chain ...................................... 85

Figure 5.2. Accuracy for APD with monitoring time rising .................................... 103

Figure 5.3. The impact of correlated connection by fixed delay for APD ............... 104

Figure 5.4. The impact to a normal connection by fixed delay for APD ................. 105

Figure 5.5. The impact to correlated connections by jitters for APD ...................... 106

Figure 5.6. The impact to normal connection by jitters for APD ............................ 107

Figure 5.7. Accuracy for SAPD with monitoring time increasing........................... 108

Figure 5.8. The impact to correlated connections by fixed jitter for SAPD ............. 109

Figure 5.9. The impact to normal connections by fixed delay for SAPD ................ 109

Figure 5.10. Comparing for APD and SAPD by fixed delay .................................. 110

Figure 5.11. Comparing for APD and SAPD by jitter ............................................ 110

Figure 5.12. Impact to correlated connections by jitter with SAPD ........................ 111

Figure 5.13. Impact to normal connections by jitter with SAPD ............................. 111

Figure 5.14. Accuracy with no jitter and chaff ....................................................... 113

Figure 5.15. Accuracy with chaff only ................................................................... 114

Figure 5.16. Accuracy with jitter only ................................................................... 115

Figure 5.17. Accuracy with chaff and jitter ............................................................ 115

Figure 6.1. True positive for DA and DMV by public dataset ................................ 128

Figure 6.2. Accuracy for DA and DMV by private dataset ..................................... 129


Figure 6.3. True positive and true negative for S-I and S-III by public dataset ....... 130

Figure 6.4. Accuracy for S-I and S-III by private dataset ....................................... 131

Figure 6.5. Accuracy for Deviation, S-II and S-III by private dataset ..................... 132

Figure 6.6. Accuracy for SI, S-II, SIII and S-IV by private dataset with different chaff rate ........ 133

Figure 6.7. Accuracy for SI, S-II, SIII and S-IV by private dataset with different jitter ........ 134

Figure 6.8. Accuracy by public dataset with 600s duration .................................... 135

Figure 6.9. True positive and true negative by public dataset with 100s duration. . 136

Figure 6.10. Accuracy by private dataset with different durations ......................... 137

Figure 6.11. Accuracy by private dataset with different chaff rate ......................... 138

Figure 6.12. Accuracy by private dataset with different jitters............................... 138


List of Tables

Table 2.1. Network based passive stepping stone detection systems ......................... 17

Table 3.1. Standard deviation comparisons for RTT and �RTT distribution............. 41

Table 3.2. Matching rate examples for EBA ............................................................ 45

Table 4.1. Practical features comparison among the encrypted traffic stepping stone detection approaches ........ 59

Table 4.2. Real-time comparing processing in the PDBC algorithm ......................... 63

Table 4.3. Monitoring time expired processing in PDBC algorithm ......................... 65

Table 4.4. Parameters for PDBC, sketching and IPD ................................................ 76

Table 4.5. Execute time for PDBC, IPD and sketching ............................................ 79

Table 5.1. Real-time comparing processing in APD algorithm ................................. 95

Table 5.2. Monitoring time expired processing in APD algorithm ............................ 96

Table 5.3. Real-time comparing processing in SAPD algorithm ............................... 97

Table 5.4. Monitoring time expired processing in SAPD algorithm.......................... 99

Table 5.5. Parameters values for sketching and S-III .............................................. 112

Table 6.1. Parameters of stepping stone detection approaches ................................ 121

Table 6.2. Parameters values for stepping stone detection approaches .................... 139

Chapter 1

Introduction

In this chapter we begin by introducing the motivation and rationale of this thesis. We then describe the major contributions of our research and the main approaches used in our study. Finally, we describe the organization of this thesis.

1.1 Motivation and Rationale

Networks have dramatically altered aspects of our daily activities, particularly how we communicate, learn and conduct business. Unfortunately, while enjoying the convenience of the Internet, we also have to face network security problems. Attackers from anywhere may attack a site at any time, causing nearly irreparable damage. Various defense systems have been proposed to detect these attacks. However, attackers can always evade punishment, and new attacks can be launched again. One of the most important reasons why attackers can easily hide their identities and evade punishment is that they relay their attacks through a series of compromised systems or devices, which are called stepping stones [1].

For example, the DDoS (distributed denial of service) [89] attack is one of the attacks notorious for causing tremendous destruction. Popular websites, such as Yahoo, Amazon, CNN and eBay, were targeted by DDoS attacks. As shown in Figure 1.1, a DDoS attack begins with an attacker, who may pass information through various stepping stone hosts to reach a controller node, which in turn might control a number of zombie hosts. The stepping stones, controllers and zombies are all compromised systems or devices. Upon a signal, these zombies may attack one or more target machines to perform a DDoS attack. It is possible for DDoS defense systems to detect such an attack, find the zombies and even find the controllers. However, where is the real attacker? Without finding the real attackers hiding behind various stepping stones, it is impossible to reduce such DDoS attacks.

Figure 1.1. DDOS attack using stepping stones (diagram of nodes labelled Attacker, Stepping stone, Controller and Zombie)

Only by finding stepping stones is it possible to trace the real attackers hiding behind them. Therefore, the detection of stepping stones is one of the foundations for reducing security problems on the Internet.

To date, a number of stepping stone detection systems have already been proposed. However, few of them can be employed in real applications. To begin with, in order to trace back and identify the source of an attack, real-time, quick-response detection is necessary, because attackers may have many excuses and techniques (such as a fake IP address) to deny their attacking activity without on-the-spot evidence. In addition, attackers normally launch their attacks in a very short time period to evade detection, yet most stepping stone detection systems do not take responsiveness into consideration. Secondly, some stepping stone detection systems assume there is no packet loss during packet relaying by stepping stones, which is not true for Internet traffic. Finally, to obtain accurate detection results, some stepping stone detection systems use complex computations and consume too much storage, which is not acceptable for real-time applications. Therefore, quick response, few assumptions, low computation and low memory cost remain challenges in developing a practical stepping stone detection system.

In addition, current stepping stone detection systems are generally based on the similarity of the attack streams relayed by stepping stones. For example, the packet inter-arrival intervals are nearly consistent between the attack streams relayed by stepping stones. However, attackers may evade identification by stepping stone detection systems by introducing random jitter delays before packets are relayed from stepping stones, or by inserting chaff into the attack flow at stepping stones (chaff packets are superfluous packets which contain no valuable information and are not relayed by stepping stones). These evasion techniques can completely break most of the similarity features in attack streams, which may leave most stepping stone detection systems useless. Therefore, resistance to evasion techniques is another challenge in developing a stepping stone detection system.

In this thesis, our aim is to develop stepping stone detection systems which provide effective and efficient stepping stone detection in real Internet environments, even when attackers use evasive techniques.

1.2 Contributions of This Thesis

In this thesis, we develop a real-time Round-Trip Time (RTT) getting algorithm which provides accurate RTTs for stepping stone detection systems, and a simple but effective stepping stone detection system which can be used in real Internet environments. We also present two abnormal-probability-based stepping stone detection systems that can effectively resist evasion techniques. We further present a highly quantitative comparative experimental study of stepping stone detection systems. The main contributions of our research in this thesis are listed as follows.

• We first study the RTTs of stepping stones, which are critical for detecting stepping stones. RTT-based stepping stone detection systems need precise RTTs in order to detect stepping stones directly, while other stepping stone detection systems need RTTs indirectly to calculate some important parameters. However, the RTTs of stepping stones are different from the RTT of TCP, and it is not easy to obtain them with a high degree of precision. We propose the Estimation Based Algorithm (EBA), which obtains accurate RTTs in real time. The experiments show that our algorithm is far more precise than other real-time RTT getting algorithms. We also present a theoretical analysis from the probability point of view, which shows that our algorithm has a high matching rate and an accuracy rate as high as that of a complicated non-real-time approach.

• We study the practical features of previous stepping stone detection systems. Due to their demands on storage, computation and excessive monitoring time, previous stepping stone detection systems are hardly applicable in real Internet environments. We propose a simple but effective stepping stone detection scheme which reduces some of these demands. Our experiments show that the proposed approach can achieve more than 90% accuracy by monitoring for 2 seconds and more than 95% accuracy by monitoring for 10 seconds, in addition to low computation costs.

• We study the packet timing and frequency features of stepping stone attack streams, which are the foundations commonly employed to detect stepping stones. These features may be altered by attackers introducing jitter and chaff into stepping stone connections. However, one timing feature cannot be changed: a packet has to arrive at a node before it can leave it. Based on two Poisson process models, we formulate and derive two separate upper bounds on the probability that normal streams exhibit this timing feature of stepping stone attack streams. Based on the two upper bounds, we further propose two novel stepping stone detection systems which have no parameters, yet can detect stepping stones accurately even in the presence of large jitter and a high chaff rate. We compare the two proposed stepping stone detection systems with some of the previous ones. The experiments show that the two proposed systems are more resistant to chaff and jitter than previous ones, and also maintain a high rate of accuracy for detecting stepping stone attack streams which have no chaff or jitter perturbations.

• Finally, we study the experimental designs of stepping stone detection systems. There are still two big issues with previous experimental designs. One is the insufficiency of Internet environment applications. The other is the absence of a highly quantitative comparative experimental study. Based on the implementation of 13 stepping stone detection systems, the extraction of SSH [66] data from public traces that contain millions of packets, and the capture of genuine stepping stone connection chain data from the Internet, we test these stepping stone detection systems in several scenarios using uniform criteria. According to the experimental results and analysis, we present conclusions on the real-time application of stepping stone detection systems, and highlight the accuracy of stepping stone detection systems, the impact of their assumptions, and the impact of chaff and jitter. In addition, we give suggestions for improving some previous stepping stone detection systems.

1.3 Approaches of This Thesis

In this thesis, we use multiple approaches in our research, which are listed below.

� Probability theory. We use probability theory and Chebyshev inequality [88] to

analyze the accurate rate and matching rate of the proposed RTT getting

algorithm. We also use the probability theory to analyze network traffic models

Chapter 1 Introduction

7

7

and formulate the upper bounds of probability that normal streams present with

a timing feature of stepping stone attack streams.

• Queuing Theory. We use this powerful network analysis tool to analyze the packet delay on stepping stone attack streams and derive the proposed Packet Delay Bidirectional Comparison scheme for stepping stone detection.

• Signal Processing. We use a first-order linear recursive filter to estimate the RTTs of stepping stones in the proposed RTT getting algorithm.

• Private Datasets. We use the KpyM [79], OpenSSH [75] and PuTTY [78] SSH tools to install SSH [66] client and server services on some hosts, build a stepping stone topology on the Internet, and obtain the private dataset by using the Wireshark [77] traffic capturing tool. This private dataset provides an ideal source for testing and evaluating stepping stone detection systems.

• Public Datasets. We extract SSH data from the Auckland-VIX trace datasets provided by WITS [52] as the complementary source for testing and evaluating stepping stone detection approaches.

• Programming Language and Platform. We program and implement 3 of our proposed stepping stone detection systems and the other 10 stepping stone detection systems in the C language. Furthermore, several scenarios are implemented for every stepping stone detection system. The extraction and processing of the datasets and the result statistics are implemented by programming as well. There are more than 30,000 lines of code in total under our control. We use cygwin [76] as the platform for running the programs.


1.4 Organization of This Thesis

The remainder of this thesis is organized as follows.

• Chapter 2 introduces the background and related work of our research in this thesis. First, it provides an introduction to the basic characteristics of attacks using stepping stones. Then, it introduces stepping stone detection systems, the techniques used to evade stepping stone detection, and the classification of stepping stone detection systems. Lastly, the chapter focuses on previous research related to network-based passive stepping stone detection systems.

• Chapter 3 deals with a real-time RTT getting algorithm for stepping stone detection called the Estimation Based Algorithm (EBA). This chapter begins by presenting the motivation for this research. Then it presents the details of the two modules that compose the EBA: the estimating module and the matching module. An analysis of the accuracy rate and the matching rate of the EBA from probability theory follows, and finally, this chapter demonstrates the application of several real-time RTT getting algorithms, including the EBA, to one of the stepping stone detection systems.

• Chapter 4 introduces a practical stepping stone detection system which is efficient and quick to respond for the purposes of stepping stone detection. This chapter begins by covering some previous research on practical features, including response time, computation complexity and storage demand. After this brief discussion of previous research, the details of the Packet Delay Bidirectional Comparison (PDBC) algorithm are introduced. This is followed by a number of experiments and evaluations, highlighting the comparison with previous stepping stone detection systems.

• Chapter 5 deals with stepping stone detection systems which can be highly resistant to evasion techniques such as chaffs and jitters. This chapter first presents some previous stepping stone detection systems related to evasion techniques. Then it introduces two mathematical models for normal streams, and derives the upper bounds of probability based on the two mathematical models. With the derived upper bounds, the Abnormal Probability Detection algorithm (APD) and the Speedy Abnormal Probability Detection algorithm (SAPD) are introduced. Lastly, a number of experiments and evaluations demonstrate the accuracy of the upper bounds. Comparison with certain stepping stone detection systems is also undertaken.

• Chapter 6 presents a comparative experimental analysis of stepping stone detection systems. Initially it deals with the implementation of the stepping stone detection systems, the acquisition of datasets, and a set of experimental criteria and scenarios. After the introduction of the experimental designs, a number of experiments and evaluations are conducted to show the accuracy of the stepping stone detection approaches, the impact of assumptions, and the impact of chaffs and jitters. Finally, some important questions on the comparison of stepping stone detection systems are answered.

• Chapter 7 summarizes the main contributions and innovations of this thesis, and points out some possible avenues for future work.


Chapter 2

Background

This chapter introduces the background and other work related to our research in this thesis. Firstly, it provides an introduction to the basic characteristics of attacks using stepping stones. Then, it introduces stepping stone detection systems and the techniques employed to evade stepping stone detection. Finally, the focus turns to previous research related to network-based passive stepping stone detection systems.

2.1 Attacks Using Stepping Stone

The Internet has become increasingly critical nowadays, but at the same time Internet attacks have increased significantly. One of the most important reasons for this is that attackers can very easily avoid punishment by maintaining anonymity [1]. Stepping stones are one of the effective strategies adopted by network perpetrators to maintain their anonymity during an attack.

Instead of using direct communication, an attacker uses a series of previously compromised intermediate nodes to relay his commands to a victim. These intermediate nodes are called stepping stones [1]. By employing this technique, attackers construct a connection chain of stepping stones, which is a sequence of logins where a person logs into one computer by an interactive protocol such as SSH or Telnet, then logs into another computer from there, and so on [1]. Attack commands or programs are sent from the attacker's machine, relayed by the stepping stones, and then delivered to the targeted machine via the connection chain constructed by the attacker. Consequently, as shown in Figure 2.1, if the victim detects that he is under attack, he will only know that the attack packets are coming from the closest intermediate node, and the real attacker will be free from punishment.

Stepping stones are often used by network perpetrators for launching Denial of Service (DoS) [89] attacks or for breaking into systems to steal secure data. We already described a DoS attack scenario in Chapter 1. Now, let us consider a scenario where an attacker seeks to penetrate a tightly secured server and retrieve top secret data from a carefully monitored government network. The hacker first selects nodes with weak security across geographically diverse locations as candidates for the stepping stones, the controller, the receiver and the zombies, and then proceeds to compromise them.

[Figure 2.1 shows an Attacker connected through a chain of Stepping Stones, across several IP networks, to the Victim; the figure is captioned "Who is the real attacker?"]

Figure 2.1. Attacks using stepping stones


Following this, the hacker sends data-stealing commands, which pass through various stepping stone hosts to reach the controller node, which in turn controls a series of zombies. When a signal from the controller is received, these zombies may modify or exfiltrate information from the victim. Exfiltrated information may then go to the receiver, which in turn is separated from the hacker by a series of stepping stones. This attack scenario, described in the Mitre workshop report [57], is illustrated in Figure 2.2. Even if forensic investigators manage to trace the attack path to the controller, they may not get access to the system logs of the stepping stones. Thus, an attack using stepping stones is the most favored attack mechanism that guarantees anonymity to the attacker.

[Figure 2.2 shows an Attacker, a Controller, three Zombies, the Victim and a Receiver, linked through four Stepping stones.]

Figure 2.2. Stealing secure data using stepping stones. Source: [33]


2.2 Stepping Stone Detection

2.2.1 Introduction to Stepping Stone Detection Systems

Since a stepping stone is just forwarding attack traffic along the stepping stone connection chain, the traffic of the connections in the same connection chain must have similar characteristics. Therefore, the problem of detecting stepping stones comes down to finding correlated connections with the same characteristics.

An intuitive approach to solving this problem would be to compare the contents of the incoming and outgoing packets within a network to find packets with the same content. However, the use of encrypted communication protocols such as SSH has made this approach ineffective. Therefore, we need to use other features of the traffic, such as timing characteristics, to detect stepping stones.

Besides similarity, stepping stone connections may also show anomalies in some characteristics. For example, the response time from the server on a stepping stone connection may be longer than on a normal connection, because the victim (the server of the stepping stone connection) is located many hops away. However, anomaly-based methods only find abnormal connections and thereby identify stepping stones; they do not identify correlated connections, which means they cannot be used for tracing attackers.

A stepping stone detection system is a system that analyses connection traffic and identifies which connections are stepping stone connections, or which connection pairs are correlated connections. Correlated connections are a pair of connections which are in the same connection chain. The connection which is closest to the attacker in the connection chain is called the upstream connection. The connection which is closest to the victim in the connection chain is called the downstream connection.

Depending on the location where the analysis takes place, stepping stone detection systems can be classified as host-based and network-based. The host-based approach [97] [98] requires some kind of monitoring software to be installed on each participating host. This kind of approach is limited, as the attacker can manipulate the results of the monitoring software if he has control over the host machine. The network-based approach requires tracing software to be installed in network routers and switches. This ensures that the whole network comes under the purview of the scan and the hosts do not need to participate individually.

Stepping stone detection systems can also be classified into passive methods and active methods. Passive methods simply examine the data stream, while active methods attempt to modify the transmitted stream. One active method explored in certain papers is watermarking [6] [11] [17] [18] [34]. Watermarking is a method where the packet or packet flow is modified to insert a signature, which needs to be encoded (inserted) at one point and decoded (recovered) at another point. An active monitor may be more powerful in detecting stepping stones, but it needs to modify the operation of the network at many points. This means that passive methods are relatively simple and more easily employed in practice.


2.2.2 Evading Detection

Attackers may attempt to evade detection by actively modifying connections so that they appear uncorrelated. With the widespread application of SSH, the encryption of stepping stone connections has made the content-based approaches [1] unusable. In addition, attackers may also introduce random jitter delays before packets depart from stepping stones, or they may insert chaff into the original attack flow on the stepping stones. This can completely break the timing and count characteristics employed by many stepping stone detection systems.

Introducing jitter and inserting chaff on stepping stones is not a difficult task for attackers. As a simple example, an attacker can add a number of characters followed by the same number of DEL (delete) characters. In addition, M. Venkateshaiah et al. [45] [47] propose a buffering technique to avoid detection by using jitter and chaff, along with selective dropping of packets on stepping stones. The SNEAK attack tool [46] proposed by J. D. Padhye et al. can even create constant-rate streams by using a buffer delay and chaff.

Therefore, stepping stone detection systems should take the evasion techniques used by attackers into consideration as well.


2.3 Network-Based Passive Stepping Stone Detection Systems

Since host-based methods are easily controlled by attackers, and active methods are hardly employed in practice, we focus our research on network-based passive stepping stone detection systems. Depending on the characteristic that the system analyses, these systems can be classified by content characteristics, timing characteristics, count characteristics, RTT characteristics and other characteristics. We then introduce previous work on network-based passive stepping stone detection systems according to these characteristics. All the work we surveyed is listed in Table 2.1.

2.3.1 Content Correlation

• Thumbprint

Staniford and Heberlein [1] initially explored stepping stone detection by considering a chain of Telnet [65] connections, in which the content is transmitted in the clear and therefore can be statistically analysed. Their approach was to create thumbprints by tabulating character frequencies during set time intervals over all Telnet connections into and out of a domain, and to compare them by looking for suspiciously good matches. As a technical feature, they used statistical analysis tools (principal components) to reduce the dimensionality of the feature vector, enabling rapid comparisons of the features of different connections. However, the method cannot be used to detect encrypted connections.


Table 2.1. Network-based passive stepping stone detection systems

System                     | Characteristic  | Function                        | Author                                | Year
---------------------------+-----------------+---------------------------------+---------------------------------------+----------
Thumbprints                | Content         | Identify correlated connections | S. Staniford-Chen and L. T. Heberlein | 1995 [1]
Multiscale                 | Character count | Identify correlated connections | D. L. Donoho et al.                   | 2002 [5]
DA                         | Packet count    | Identify correlated connections | A. Blum et al.                        | 2004 [8]
DMV                        | Packet count    | Identify correlated connections | T. He and L. Tong                     | 2006 [21]
Request-Response           | Packet count    | Identify correlated connections | Huang et al.                          | 2007 [33]
ON/OFF                     | Timing          | Identify correlated connections | Y. Zhang and V. Paxson                | 2000 [2]
Deviation                  | Timing          | Identify correlated connections | K. Yoda and H. Etoh                   | 2000 [3]
IPD                        | Timing          | Identify correlated connections | X. Wang et al.                        | 2002 [4]
DM                         | Timing          | Identify correlated connections | T. He and L. Tong                     | 2006 [10]
S-I, S-II, S-III and S-IV  | Timing          | Identify correlated connections | L. Zhang et al.                       | 2006 [9]
Sketching                  | Timing          | Identify correlated connections | B. Coskun and N. Memon                | 2009 [35]
Send-Ack/Send-Echo         | RTT             | Identify abnormal connections   | K. H. Yung                            | 2002 [12]
RTT-Thumbprints            | RTT             | Identify correlated connections | Yang and Huang                        | 2005 [48]
Step-Function              | RTT             | Identify abnormal connections   | Yang and Huang                        | 2006 [16]
Anomaly                    | Other           | Identify abnormal connections   | Kampasi et al.                        | 2007 [49]

2.3.2 Count Correlation

• Multiscale


“Multiscale”, proposed by Donoho et al. [5], uses character counts to detect stepping stones. This method uses wavelets and similar multiscale methods to separate the short-term behavior of the streams (the jittering or chaff) from the long-term behavior of the streams (the remaining correlation). This method requires the connections to persist for long periods; however, the authors never implemented it in a scalable system. Despite this, it is the first method to address robustness to added delay jitter and the introduction of chaff. It was also the first method to introduce two constraints, which many later methods follow. One constraint, the causality constraint, requires a packet to arrive at a node before it can leave it. The other constraint is the maximum tolerable delay constraint, which limits how long a packet can be delayed at a stepping stone. Assume $C_2$ is the downstream connection of $C_1$, let $N_1(t)$ be the number of symbols in $C_1$ on $[0, t)$, and define $N_2(t)$ similarly; then the two constraints give the following conclusions.

1) Causality constraint: $N_2(t) \le N_1(t)$

2) Maximum tolerable delay constraint: $N_2(t + \Delta) \ge N_1(t)$, where $\Delta$ is the maximum tolerable delay

• DA

Following the two constraints of the “multiscale” method, Blum et al. [8] proposed the DA (Detect-Attacks) method, which is based on packet counts. Using ideas from computational learning theory and the analysis of random walks, Blum et al. achieve provable (polynomial) upper bounds on the number of packets needed to confidently detect and identify stepping stone streams, with proven guarantees on the false positives. In addition, Blum et al. also proposed the DAC (Detect-Attacks-Chaffs) method, which is able to detect connections with chaffs. DA and DAC are nearly the same, except that the upper bounds are computed differently; the upper bounds for DAC are much bigger than those for DA.

In DA and DAC, when a packet arrives on either connection, the monitor updates the difference between the packet counts of the two compared connections. If the difference is bigger than the specified number $p_\Delta$, the connections are returned as normal; if the total number of packets observed on the two compared connections exceeds the upper bound, which can be calculated from $p_\Delta$, the connections are returned as correlated.

These methods are simple. However, their upper bounds on the number of packets required are large, and Blum et al. do not discuss how to detect stepping stones when the number of packets is inadequate or when there are large amounts of chaff.

• DMV

Based on the work of Blum et al. [8], He et al. [20, 21] proposed the DMV (Detect-Maximum-Variation) method, which is also based on packet counts. Compared with DA, DMV records the maximum and minimum difference of packet counts between the two compared connections. If the difference between the maximum value and the minimum value is larger than the specified number, the connections are returned as normal. He et al. prove that DMV always outperforms DA. They also claim that the DMV algorithm has a time complexity of $O(n)$ and uses only constant memory ($O(\log(p_\Delta))$, to be precise), where $n$ is the number of monitored packets and $p_\Delta$ is the largest number of packets the attacker can send within the maximum tolerable delay. But, similar to DA, DMV needs a large number of packets to detect stepping stones.
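As an added illustration of the DA and DMV decision rules described above (example code written for this review, not the code of Blum et al. or He et al.), the Python below replays two packet streams in arrival order and applies both rules. The bound on the total packet count is passed in as a parameter, because its derivation from $p_\Delta$ is not reproduced on this page; all arrival times are constructed. The third pair of streams shows the case the text refers to when it says DMV outperforms DA: the count difference stays within $\pm p_\Delta$, so DA never rejects, but its maximum-minus-minimum spread exceeds $p_\Delta$, so DMV does.

```python
"""DA- and DMV-style packet-count monitors (added example, not the original authors' code)."""
from typing import Iterable, List, Optional, Tuple

# Constructed packet arrival times (seconds) for an upstream connection C1 and
# two candidate downstream connections: one that relays C1 with a 20 ms delay,
# and one carrying unrelated, denser traffic.
UPSTREAM: List[float] = [round(0.1 * i, 2) for i in range(40)]
DOWNSTREAM_RELAY: List[float] = [round(t + 0.02, 2) for t in UPSTREAM]
DOWNSTREAM_OTHER: List[float] = [round(0.05 * i, 2) for i in range(80)]

# Constructed pair whose count difference swings from +3 down to -3.
UP_SWING: List[float] = [0.0, 0.1, 0.2]
DOWN_SWING: List[float] = [0.3, 0.4, 0.5, 0.6, 0.7, 0.8]


def merge_arrivals(up: Iterable[float], down: Iterable[float]) -> List[Tuple[float, int]]:
    """Merge arrivals into one time-ordered event list:
    (timestamp, +1 for an upstream packet, -1 for a downstream packet)."""
    events = [(t, +1) for t in up] + [(t, -1) for t in down]
    events.sort()
    return events


def detect_attacks(up: Iterable[float], down: Iterable[float],
                   p_delta: int, bound: int) -> Optional[str]:
    """DA rule.  diff = #upstream - #downstream packets seen so far.  Under
    causality and a maximum tolerable delay a relayed pair keeps
    0 <= diff <= p_delta, so |diff| > p_delta -> 'normal'.  If `bound` packets
    pass without that happening -> 'correlated'.  None means undecided."""
    diff = total = 0
    for _, sign in merge_arrivals(up, down):
        diff += sign
        total += 1
        if abs(diff) > p_delta:
            return "normal"
        if total >= bound:
            return "correlated"
    return None


def detect_maximum_variation(up: Iterable[float], down: Iterable[float],
                             p_delta: int, bound: int) -> Optional[str]:
    """DMV rule.  Keep the running maximum and minimum of diff; a relayed pair
    can never spread them by more than p_delta, so max - min > p_delta ->
    'normal'.  Only diff, lo and hi are stored, i.e. O(log p_delta) bits."""
    diff = total = lo = hi = 0
    for _, sign in merge_arrivals(up, down):
        diff += sign
        total += 1
        lo, hi = min(lo, diff), max(hi, diff)
        if hi - lo > p_delta:
            return "normal"
        if total >= bound:
            return "correlated"
    return None


if __name__ == "__main__":
    for name, up, down, bound in (("relay", UPSTREAM, DOWNSTREAM_RELAY, 60),
                                  ("other", UPSTREAM, DOWNSTREAM_OTHER, 60),
                                  ("swing", UP_SWING, DOWN_SWING, 9)):
        print(name, detect_attacks(up, down, 3, bound),
              detect_maximum_variation(up, down, 3, bound))
```

Both rules only ever see counts, which is why the text notes that enough chaff packets (which inflate one side's count) can defeat them, and why the required bound on the number of packets matters in practice.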


• Request-Response

Huang et al. [33] developed a method to detect stepping stones by comparing the bidirectional packet counts. Their method is based on their observation that if the frequency of the send stream is linearly related to the frequency of the echo stream, then the stepping stone is identified. This method works well in the simulation of Huang et al. when multiple connection streams pass through the same stepping stone node and the operations performed by the users are similar.

However, the packet counts needed for this method are large; in their simulation the packet count is on the scale of a thousand. In addition, as stated in their own conclusion, their work is incomplete. For example, they did not prove via experimentation that streams with chaff could be detected, and for other traff additional constraints may be required.

2.3.3 Timing Correlation

• ON/OFF

The ON/OFF based approach proposed by Zhang et al. [2] is the first timing-based method which can trace stepping stones even if the traffic is encrypted. In their approach, they calculate the correlation of different connections by using each connection's OFF periods. A connection is considered to be in an OFF period when there is no data traffic on the connection for more than $T_{idle}$. When a packet with a non-empty payload appears, the connection ends its OFF period and begins an ON period. Two OFF periods are considered correlated if their ending times differ by at most $\delta$.

For two connections $C_1$ and $C_2$, let $OFF_1$ and $OFF_2$ be the number of OFF periods in each, and $OFF_{1,2}$ be the number of these which are correlated. They consider $C_1$ and $C_2$ to be correlated connections if $\frac{OFF_{1,2}}{\min(OFF_1, OFF_2)} \ge \gamma$.

This method is simple, but is easily affected by chaffs and jitters.
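The ON/OFF rule above, as an added worked example (written for this review, not the code of Zhang and Paxson): it extracts the OFF-period ending times of two connections from constructed payload-packet arrival times, counts the endings that coincide within $\delta$, and applies the $OFF_{1,2} / \min(OFF_1, OFF_2) \ge \gamma$ test. The arrival lists contain only payload-carrying packets, which is the input the text describes.

```python
"""ON/OFF-period correlation in the style of Zhang and Paxson [2] (added example)."""
from typing import List, Tuple

# Constructed arrival times (seconds) of payload-carrying packets.  C2_RELAY
# forwards C1 through a stepping stone with ~50 ms of added delay; C2_OTHER is
# an unrelated interactive session.
C1: List[float] = [0.0, 0.1, 0.2, 1.0, 1.1, 2.5, 2.6, 2.7, 5.0]
C2_RELAY: List[float] = [0.05, 0.15, 0.25, 1.05, 1.15, 2.55, 2.65, 2.75, 5.05]
C2_OTHER: List[float] = [0.0, 0.3, 0.85, 1.6, 2.2, 2.4, 3.9, 4.1]


def off_period_ends(timestamps: List[float], t_idle: float) -> List[float]:
    """Times at which OFF periods end.  An OFF period begins once no payload
    packet has been seen for more than t_idle and ends at the next payload
    packet, so every inter-packet gap longer than t_idle yields one OFF period."""
    return [cur for prev, cur in zip(timestamps, timestamps[1:]) if cur - prev > t_idle]


def correlated_off_count(ends1: List[float], ends2: List[float], delta: float) -> int:
    """OFF_{1,2}: OFF-period endings on C1 that coincide (within delta) with an
    ending on C2.  Each ending on C2 may be matched at most once."""
    used = [False] * len(ends2)
    matched = 0
    for e1 in ends1:
        for k, e2 in enumerate(ends2):
            if not used[k] and abs(e1 - e2) <= delta:
                used[k] = True
                matched += 1
                break
    return matched


def on_off_correlated(ts1: List[float], ts2: List[float], t_idle: float,
                      delta: float, gamma: float) -> Tuple[bool, float]:
    """Declare C1 and C2 correlated if OFF_{1,2} / min(OFF_1, OFF_2) >= gamma.
    Returns (decision, ratio); a connection with no OFF periods cannot be scored."""
    ends1 = off_period_ends(ts1, t_idle)
    ends2 = off_period_ends(ts2, t_idle)
    if not ends1 or not ends2:
        return False, 0.0
    ratio = correlated_off_count(ends1, ends2, delta) / min(len(ends1), len(ends2))
    return ratio >= gamma, ratio


if __name__ == "__main__":
    print("relay:", on_off_correlated(C1, C2_RELAY, t_idle=0.5, delta=0.08, gamma=0.5))
    print("other:", on_off_correlated(C1, C2_OTHER, t_idle=0.5, delta=0.08, gamma=0.5))
```

The fragility the text mentions is visible in the code: a single chaff packet inside a long gap splits or removes an OFF period on one side only, and jitter larger than $\delta$ moves an ending out of its match window, so both push the ratio down.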

• Deviation

Deviation is another timing-based measure, proposed by Yoda et al. [3]. The measure relies on the idea that as packets flow through a connection, the total size of the transferred bytes tends to increase monotonically in time. Therefore, if two connections belong to the same connection chain, the total size of the transferred bytes should grow at a similar rate.

Assume connection $C_1$ is an upstream connection of $C_2$. The deviation between connections $C_1$ and $C_2$ is calculated as follows. For each connection, the algorithm constructs a graph with the timestamp on the x axis and the TCP sequence number on the y axis, ignoring retransmitted packets. The graphs are conceptually superposed and the graph of $C_2$ is repositioned along both the x and y axes until the average horizontal distance between the two graphs is minimized. Based on these graphs, the authors present a method to calculate the deviation between two connections. Connections with small deviations are then considered correlated connections.

Obviously, this measure only works if the packet sizes are not altered at the stepping stones, and thus it is unable to correlate connections where padding is added to the payload, e.g. when certain types of encryption are used.

• IPD

Wang et al. [4] propose a two-phase stepping stone detection system using Inter-Packet Delay (IPD) timing characteristics. The first phase finds “correlation points” between two packet streams. The second phase obtains the correlation value of the two connections from the set of correlation points. Since a correlation metric for true real-time correlation cannot be defined over the entire duration of a connection, they introduce a window size, so that correlation points are calculated over a fixed number of packets. In other words, IPD is designed for a quick response.

Correlation points are found by the following algorithm. Let $t_i$ represent the timestamp of the $i$th packet on a connection. The IPD is defined as

$d_i = t_i - t_{i-1}$

The IPD vector, then, is $(d_1, \ldots, d_n)$. A window of this vector is defined as

$W_{j,s}(d_1, \ldots, d_n) = (d_j, \ldots, d_{j+s-1})$

Given two connections $X$ and $Y$ whose IPD vectors are $(x_1, \ldots, x_m)$ and $(y_1, \ldots, y_n)$ respectively, for a given window size $s$, the tuple $(j, j+k)$, i.e., the starting positions of the two windows, is defined as a correlation point if the maximum over the offset $k$ of the similarity measure $\phi(\cdot)$ is greater than a given correlation point threshold $\delta_{CP}$. That is,

$\max_k \phi(W_{j,s}(X), W_{j+k,s}(Y)) \ge \delta_{CP}$

Four similarity measures $\phi(\cdot)$ are defined, and a particularly successful one is the Min/Max Sum ratio. That is,

$\phi(W_{j,s}(X), W_{j+k,s}(Y)) = \dfrac{\sum_{i=j}^{j+s-1} \min(x_i, y_{i+k})}{\sum_{i=j}^{j+s-1} \max(x_i, y_{i+k})}$

The second phase of the process uses the Correlation Value Function (CVF) to decide if two streams are correlated. After obtaining a set of correlation points, i.e., $(j_1, j_1+k_1), \ldots, (j_n, j_n+k_n)$, they are represented as two $n$-dimensional vectors $C_x = (j_1, \ldots, j_n)$ and $C_y = (j_1+k_1, \ldots, j_n+k_n)$; then, if the value of the CVF is bigger than a given correlation value threshold $\delta$, the compared connections are considered correlated connections. The CVF is defined below.

$CVF(C_x, C_y) = \dfrac{\sum_{i=1}^{n} (j_i - E(C_x))(j_i + k_i - E(C_y))}{\sqrt{\sum_{i=1}^{n} (j_i - E(C_x))^2 \sum_{i=1}^{n} (j_i + k_i - E(C_y))^2}}$

Although IPD is designed for a quick response, as described, it is very complex. All IPD information has to be stored during the monitored time, and the computation time is normally large because, for every packet, it compares windows of packets over all offsets.
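The two IPD phases, as an added worked example (written for this review, not the authors' implementation): phase 1 slides windows of size $s$ over constructed IPD vectors, scores each offset $k$ with the Min/Max Sum ratio and keeps the $(j, j+k)$ pairs that reach $\delta_{CP}$; phase 2 computes the CVF, which is the Pearson correlation of $C_x$ against $C_y$, and compares it with $\delta$. The offset search range $k_{max}$ and the default thresholds are assumptions of this example.

```python
"""IPD correlation in the style of Wang et al. [4] (added example, not the authors' code)."""
import math
from typing import List, Sequence, Tuple

# Constructed inter-packet-delay vectors (seconds).  Y_RELAY_IPD is X_IPD as seen
# one hop downstream with +/-10 ms of jitter; Y_OTHER_IPD is an unrelated, steady
# connection.
X_IPD: List[float] = [0.10, 0.35, 0.12, 0.50, 0.08, 0.42, 0.15, 0.30, 0.20, 0.45]
Y_RELAY_IPD: List[float] = [0.11, 0.34, 0.13, 0.49, 0.09, 0.41, 0.16, 0.29, 0.21, 0.44]
Y_OTHER_IPD: List[float] = [0.25, 0.24, 0.26, 0.25, 0.23, 0.27, 0.25, 0.24, 0.26, 0.25]


def ipd_vector(timestamps: Sequence[float]) -> List[float]:
    """d_i = t_i - t_{i-1}."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def window(vec: Sequence[float], j: int, s: int) -> Sequence[float]:
    """W_{j,s} = (d_j, ..., d_{j+s-1}), with 0-based j."""
    return vec[j:j + s]


def min_max_sum_ratio(wx: Sequence[float], wy: Sequence[float]) -> float:
    """phi = sum_i min(x_i, y_i) / sum_i max(x_i, y_i); 1.0 for identical windows."""
    num = sum(min(a, b) for a, b in zip(wx, wy))
    den = sum(max(a, b) for a, b in zip(wx, wy))
    return num / den if den > 0 else 0.0


def correlation_points(x: Sequence[float], y: Sequence[float], s: int,
                       k_max: int, delta_cp: float) -> List[Tuple[int, int]]:
    """Phase 1.  For each window start j on X, slide the window on Y over the
    offsets |k| <= k_max; (j, j+k) is a correlation point when the best
    similarity reaches delta_cp."""
    points = []
    for j in range(len(x) - s + 1):
        best_k, best_sim = None, -1.0
        for k in range(-k_max, k_max + 1):
            if 0 <= j + k <= len(y) - s:
                sim = min_max_sum_ratio(window(x, j, s), window(y, j + k, s))
                if sim > best_sim:
                    best_k, best_sim = k, sim
        if best_k is not None and best_sim >= delta_cp:
            points.append((j, j + best_k))
    return points


def correlation_value(points: Sequence[Tuple[int, int]]) -> float:
    """Phase 2.  CVF = Pearson correlation of C_x = (j_i) against C_y = (j_i + k_i).
    A consistent offset between the streams puts the points on a line (CVF near 1);
    scattered points give a value near 0.  Fewer than two points cannot be scored."""
    if len(points) < 2:
        return 0.0
    cx = [p[0] for p in points]
    cy = [p[1] for p in points]
    mx, my = sum(cx) / len(cx), sum(cy) / len(cy)
    num = sum((a - mx) * (b - my) for a, b in zip(cx, cy))
    den = math.sqrt(sum((a - mx) ** 2 for a in cx) * sum((b - my) ** 2 for b in cy))
    return num / den if den > 0 else 0.0


def ipd_correlated(x: Sequence[float], y: Sequence[float], s: int = 4, k_max: int = 2,
                   delta_cp: float = 0.8, delta: float = 0.9) -> Tuple[bool, float]:
    """Full IPD decision: (correlated?, CVF)."""
    cvf = correlation_value(correlation_points(x, y, s, k_max, delta_cp))
    return cvf >= delta, cvf


if __name__ == "__main__":
    print("relay:", ipd_correlated(X_IPD, Y_RELAY_IPD))
    print("other:", ipd_correlated(X_IPD, Y_OTHER_IPD))
```

The cost the text complains about is the inner loop: every window start on $X$ is compared against $2k_{max}+1$ windows on $Y$, each of length $s$, and all IPDs must be retained to do so.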


• DM

He et al. [10] proposed a timing-based detection algorithm, “DETECT-MATCH” (DM), to detect stepping stones. They applied the causality constraint and the maximum tolerable delay constraint proposed by Donoho et al. [5] to the timing characteristic, which means that the packet delay between correlated connections must be in the range $[0, \Delta)$, where $\Delta$ is the maximum tolerable delay.

They map the packet arrivals on the compared connections according to the causality constraint and the maximum tolerable delay constraint. For two connections A and B, the delay between a packet arrival on A and a packet arrival on B must lie in the range $[0, \Delta)$; if the same holds for all the following packet arrivals on A and all the following packet arrivals on B, then the two compared connections are considered correlated connections.

However, there are packet drops [44] during packet relay at stepping stones in real applications, which can break the maximum tolerable delay constraint. So whether it can be applied in practice is doubtful.

• S-I, S-II, S-III and S-IV

Zhang et al. [9] provide four timing methods intended to detect stepping stones effectively even under jitter and chaff perturbations. Similar to DM [10], they are also based on the causality constraint and the bounded delay constraint. S-I is the same as DM. In S-III, if every packet arrival in one connection has a non-repeated (one-to-one) match among the other connection's packet arrivals with a delay in the range $[0, \Delta)$, then the two compared connections are considered correlated connections.

Differing from S-I and S-III, S-II and S-IV first perform a packet filtering function, and then apply any other stepping stone detection method. For every packet arrival $u_i$ on connection A, S-II selects the first packet arrival on the other connection B after $u_i$ as the mapping packet arrival. If the mapping packet arrival cannot be found, then A and B are normal connections; otherwise other stepping stone detection methods are used for detection between the original packet arrivals on A and the mapping packet arrivals on B. S-IV differs from S-II in that it selects the packet arrival on connection B whose delay is in the range $[0, \Delta)$ as the mapping packet arrival.

However, the schemes of Zhang et al. can detect stepping stone traffic only if chaff is inserted in the departing stream alone. If chaff is inserted in the incoming stream, a single chaff packet can evade their schemes. This is similar to DM, which also assumes “no packet drop”.
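The delay-constraint matching behind DM and the S-family, as an added worked example (written for this review, not the code of He and Tong or Zhang et al.): S-III's one-to-one matching of arrivals within $[0, \Delta)$, the S-II filter that maps each arrival on A to the first later arrival on B, and the S-IV variant that also enforces the delay bound. The constructed streams include the failure mode the text describes: one extra packet on the incoming side is enough for S-III to miss a genuinely relayed pair. The greedy earliest-unused-match strategy is an assumption of this example; the originals do not state how the matching is found.

```python
"""Delay-constraint packet matching in the style of DM [10] and S-II/S-III/S-IV [9]
(added example, not the original authors' code)."""
from typing import List, Optional, Sequence, Tuple

# Constructed packet arrival times (seconds).  A is the incoming connection;
# B_RELAY forwards every packet of A after about 100 ms; B_OTHER is unrelated;
# A_CHAFF is A with one extra packet injected on the incoming side.
A: List[float] = [0.0, 0.5, 1.0, 1.5, 2.0]
B_RELAY: List[float] = [0.1, 0.6, 1.1, 1.6, 2.1]
B_OTHER: List[float] = [0.35, 0.9, 1.3, 1.95, 2.4]
A_CHAFF: List[float] = [0.0, 0.5, 0.7, 1.0, 1.5, 2.0]


def s3_one_to_one_match(a: Sequence[float], b: Sequence[float], delta: float) -> bool:
    """S-III: every arrival u on A needs a distinct arrival v on B with
    0 <= v - u < delta.  Arrivals are taken in time order and each u claims the
    earliest unused v inside its window; because all windows have the same
    length, this greedy choice finds a complete matching whenever one exists."""
    bs = sorted(b)
    used = [False] * len(bs)
    for u in sorted(a):
        found = False
        for idx, v in enumerate(bs):
            if used[idx]:
                continue
            if v - u >= delta:
                break            # every later v is even further away
            if v - u >= 0:
                used[idx] = True
                found = True
                break
        if not found:
            return False
    return True


def s2_filter(a: Sequence[float], b: Sequence[float]) -> Optional[List[Tuple[float, float]]]:
    """S-II: map each u on A to the first arrival on B after u.  Returns None
    when some u has no later arrival, in which case the pair is reported normal;
    otherwise the (u, v) pairs are handed to another detection method."""
    pairs = []
    for u in a:
        later = [v for v in b if v > u]
        if not later:
            return None
        pairs.append((u, min(later)))
    return pairs


def s4_filter(a: Sequence[float], b: Sequence[float],
              delta: float) -> Optional[List[Tuple[float, float]]]:
    """S-IV: like S-II, but the mapped arrival must satisfy 0 <= v - u < delta."""
    pairs = []
    for u in a:
        cands = [v for v in b if 0 <= v - u < delta]
        if not cands:
            return None
        pairs.append((u, min(cands)))
    return pairs


if __name__ == "__main__":
    print("S-III relay:", s3_one_to_one_match(A, B_RELAY, 0.3))
    print("S-III other:", s3_one_to_one_match(A, B_OTHER, 0.3))
    print("S-III relay, one incoming chaff packet:", s3_one_to_one_match(A_CHAFF, B_RELAY, 0.3))
    print("S-II pairs:", s2_filter(A, B_RELAY))
    print("S-IV other:", s4_filter(A, B_OTHER, 0.3))
```

A monitor built on these rules should therefore treat a failed match as "not proven correlated" rather than "normal": a dropped packet at the stepping stone, or chaff on the incoming side, produces exactly the same verdict as an unrelated connection.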

• Sketching

The sketching method proposed by Coskun et al. [35] identifies correlated connections by the similarity of their packet-timing sketches. A packet-timing sketch is a short, constant-length integer array which summarizes the connection's packet-timing information. It is calculated in the three steps below.

First, it computes the packet-count vector $V_F$ of connection $F$. Let $L_{TS}$ denote the length of the time slots forming the time axis. Time slot $t$ is defined as the $t$th time interval after an epoch ($T_{epoch}$), such that it covers $[T_{epoch} + (t-1)L_{TS},\ T_{epoch} + tL_{TS}]$. Based on these time slots, it obtains $V_F(t)$, the number of packets that flow $F$ transmits during time slot $t$.

Secondly, it applies a random linear transformation to obtain the integer-array sketch by projecting the packet-count vector $V_F$ onto the $k$ random basis vectors $B_i$, $i = 1, 2, \ldots, k$, as follows:

$C_F(i) = \sum_t B_i(t) V_F(t)$, where $\Pr(B_i(t) = 1) = \Pr(B_i(t) = -1) = \frac{1}{2}$

Thirdly, it binarizes the integer-array sketch by

$S_F(i) = 1$ if $C_F(i) > 0$, and $S_F(i) = 0$ if $C_F(i) \le 0$

After finding the binary sketches of the compared connections, it calculates the Hamming distance between them. If the Hamming distance is smaller than the specified threshold, the compared connections are considered correlated connections.

Coskun et al. also presented a method to search efficiently for correlated connections. They claimed that the computation time is $O(n\ [\text{operator illegible in the source}]\ nm)$, where $m$ is the number of ingress connections and $n$ the number of egress connections. However, they did not mention the computing cost of obtaining the binary sketches. In addition, when the array of binary sketches is larger than the number of slots, it will not be more efficient than direct comparison.
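The three sketching steps and the Hamming-distance comparison, as an added worked example (written for this review, not the code of Coskun and Memon): packet-count vectors over fixed time slots, projection onto $k$ random $\pm 1$ basis vectors, binarization, and the distance test. Two assumptions are made here: the slot boundary is treated as half-open, and the random basis is derived from a seed that both monitors share, so that their sketches are comparable.

```python
"""Packet-timing sketches in the style of Coskun and Memon [35] (added example,
not the authors' code)."""
import random
from typing import List, Sequence, Tuple

# Constructed packet arrival times (seconds): an ingress flow, an egress flow
# that relays it with ~50 ms of delay, and an unrelated egress flow.
INGRESS: List[float] = [0.3, 0.5, 1.4, 2.2, 2.6, 2.8, 4.1, 5.5, 5.7, 7.3, 8.2, 9.6]
EGRESS_RELAY: List[float] = [t + 0.05 for t in INGRESS]
EGRESS_OTHER: List[float] = [10.2, 11.4, 11.6, 12.5, 13.1, 14.8, 15.2, 16.3, 17.7, 18.4]

T_EPOCH, L_TS, N_SLOTS = 0.0, 1.0, 20   # slot t covers [T_epoch+(t-1)L_TS, T_epoch+tL_TS)


def packet_count_vector(timestamps: Sequence[float], t_epoch: float = T_EPOCH,
                        l_ts: float = L_TS, n_slots: int = N_SLOTS) -> List[int]:
    """V_F(t): packets of flow F in time slot t, t = 1..n_slots.  Packets
    outside the n_slots slots after the epoch are ignored."""
    v = [0] * n_slots
    for ts in timestamps:
        slot = int((ts - t_epoch) // l_ts) + 1
        if 1 <= slot <= n_slots:
            v[slot - 1] += 1
    return v


def random_basis(k: int, n_slots: int = N_SLOTS, seed: int = 7) -> List[List[int]]:
    """k random basis vectors B_i with Pr(B_i(t)=1) = Pr(B_i(t)=-1) = 1/2.
    Monitors that share the seed build identical bases (assumption of this example)."""
    rng = random.Random(seed)
    return [[rng.choice((-1, 1)) for _ in range(n_slots)] for _ in range(k)]


def integer_sketch(v: Sequence[int], basis: Sequence[Sequence[int]]) -> List[int]:
    """C_F(i) = sum_t B_i(t) V_F(t): one integer per basis vector."""
    return [sum(b * c for b, c in zip(row, v)) for row in basis]


def binary_sketch(c: Sequence[int]) -> List[int]:
    """S_F(i) = 1 if C_F(i) > 0 else 0."""
    return [1 if x > 0 else 0 for x in c]


def hamming(s1: Sequence[int], s2: Sequence[int]) -> int:
    return sum(a != b for a, b in zip(s1, s2))


def sketch_correlated(ts_in: Sequence[float], ts_out: Sequence[float],
                      basis: Sequence[Sequence[int]], threshold: int) -> Tuple[bool, int]:
    """Compare the binary sketches of two flows; correlated when the Hamming
    distance is below `threshold`.  Returns (decision, distance)."""
    s_in = binary_sketch(integer_sketch(packet_count_vector(ts_in), basis))
    s_out = binary_sketch(integer_sketch(packet_count_vector(ts_out), basis))
    d = hamming(s_in, s_out)
    return d < threshold, d


if __name__ == "__main__":
    basis = random_basis(k=16)
    print("relay:", sketch_correlated(INGRESS, EGRESS_RELAY, basis, threshold=2))
    print("other:", sketch_correlated(INGRESS, EGRESS_OTHER, basis, threshold=2))
```

Per flow the monitor keeps only the $k$ sketch integers, not the packet timestamps; the per-packet cost of maintaining them is the cost the text says the authors left out of their analysis, and a relay delay that crosses a slot boundary changes $V_F$ and can flip sketch bits, which is why the slot length must be chosen with the expected stepping stone delay in mind.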


2.3.4 RTT Correlation

Since the packets sent are always echoed back on interactive connections, the Round-Trip Time (RTT) between a send packet and the corresponding echo packet, which provides information on how many hops downstream the final victim is located, is also used to detect stepping stones.

• Send-Ack/Send-Echo

Yung [12] was the first to propose a method for detecting stepping stones by RTT. The basic idea is to estimate the length of the downstream connection chain by computing the ratio between the Send-Ack delay and the Send-Echo delay. The Send-Ack delay is the time taken by a send packet to travel to the next host (i.e. the stepping stone) and be acknowledged. The Send-Echo delay is the time taken by a send packet to reach the server side (in a stepping stone mechanism, the server is the victim) and be echoed back. In a direct connection, the Send-Ack and Send-Echo delays are expected to be similar. In an indirect connection (a connection chain), however, the Send-Echo time is expected to be larger than the Send-Ack time.

This method can detect connections which have more than two hops downstream; however, it cannot identify correlated connections.

• RTT-Thumbprint

Yang et al. [48] proposed a method to detect stepping stones by RTT-thumbprint, which is a sequence of timestamp pairs between each send packet and its corresponding echo packet. Two different algorithms are presented, one exhaustive and the other heuristic, with the heuristic algorithm actually performing as well as the exhaustive algorithm, but more efficiently.

However, this method is based on the assumption that the inter-packet delays are larger than the RTT, so that there is a one-to-one mapping between send packets and echo packets. In practice, many things can throw this process off, including dropped and retransmitted packets.

• Step-Function

Yang et al. [16] proposed a method of detecting stepping stones using the feature that the RTT changes little for normal connections but increases in proportion to the number of stepping stones in the chain. The steps in the RTT changes reflect the number of hosts in the connection, and if the number of steps for a connection is more than a specified number, the connection may be considered a stepping stone connection.

Similar to the “Send-Ack/Send-Echo” method, it can identify stepping stone connections; however, it cannot identify correlated connections. In addition, it has to keep monitoring the traffic on the connections.
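The two RTT-based anomaly ideas of this subsection, Send-Ack/Send-Echo and Step-Function, as one added worked example (written for this review, not the code of Yung or of Yang and Huang). The input is a constructed per-keystroke record of when the send packet left, when the next hop acknowledged it and when the echo returned; the ratio threshold and the jump size that starts a new RTT level are assumptions of this example.

```python
"""Send-Ack / Send-Echo ratio and RTT step counting (added example, not the code
of Yung [12] or Yang and Huang [16])."""
from statistics import median
from typing import List, NamedTuple


class SendRecord(NamedTuple):
    """One keystroke on an interactive connection as seen near the client:
    when the send packet left, when the next hop acknowledged it (Send-Ack)
    and when the server's echo came back (Send-Echo)."""
    t_send: float
    t_ack: float
    t_echo: float


# Constructed traces.  DIRECT: one hop, the echo arrives shortly after the ACK.
# CHAIN: the same ACK delay, but the echo has to cross several stepping stones.
DIRECT: List[SendRecord] = [SendRecord(i, i + 0.020, i + 0.025) for i in range(8)]
CHAIN: List[SendRecord] = [SendRecord(i, i + 0.020, i + 0.300) for i in range(8)]

# Constructed Send-Echo RTT series: the session starts direct, then hops are added twice.
RTT_SERIES: List[float] = [0.05, 0.05, 0.06, 0.15, 0.16, 0.15, 0.28, 0.29]


def send_ack_delays(recs: List[SendRecord]) -> List[float]:
    return [r.t_ack - r.t_send for r in recs]


def send_echo_delays(recs: List[SendRecord]) -> List[float]:
    return [r.t_echo - r.t_send for r in recs]


def echo_ack_ratio(recs: List[SendRecord]) -> float:
    """median(Send-Echo) / median(Send-Ack): about 1 on a direct connection and
    growing with the number of downstream hops on a connection chain.  Medians
    are used so that a few retransmissions do not dominate the estimate."""
    return median(send_echo_delays(recs)) / median(send_ack_delays(recs))


def is_chain_by_ratio(recs: List[SendRecord], ratio_threshold: float = 2.0) -> bool:
    """Send-Ack/Send-Echo decision: flag the connection when the echo takes at
    least ratio_threshold times as long as the next-hop acknowledgement."""
    return echo_ack_ratio(recs) >= ratio_threshold


def count_rtt_steps(rtts: List[float], jump: float) -> int:
    """Step-Function idea: count the distinct RTT levels in a sequence of
    Send-Echo RTTs.  A new level starts when the RTT moves by more than `jump`
    from the current level; each stepping stone added to the chain adds a step."""
    if not rtts:
        return 0
    steps, level = 1, rtts[0]
    for r in rtts[1:]:
        if abs(r - level) > jump:
            steps += 1
            level = r
    return steps


if __name__ == "__main__":
    print("direct ratio:", round(echo_ack_ratio(DIRECT), 2), is_chain_by_ratio(DIRECT))
    print("chain ratio:", round(echo_ack_ratio(CHAIN), 2), is_chain_by_ratio(CHAIN))
    print("RTT steps:", count_rtt_steps(RTT_SERIES, jump=0.05))
```

Both functions classify a single connection in isolation, which is exactly the limitation the text points out: they can say that a connection looks like part of a chain, but not which other connection it is chained to.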

2.3.5 Others

• Anomaly

Kampasi et al. [49] provide three algorithms to detect stepping stone connections with either jitter, chaff or both. The algorithms can be used together with other timing-based stepping stone detection methods to improve stepping stone detection when jitter, chaff or both are introduced into a packet stream. The main premise of the design is that if an attacker adds jitter or chaff, then the traffic will appear anomalous, and that is when the three specialized algorithms take effect.

However, the three algorithms are unable to identify correlated connections.

2.4 Summary

Stepping stones are one of the effective strategies adopted by network perpetrators to maintain the anonymity of an attack. Attackers may further attempt to evade detection by actively modifying connections so that they appear uncorrelated. Because passive, network based detection is easy to deploy and hard for an attacker to control, many such stepping stone detection systems have been proposed, either to identify correlated connections or simply to identify stepping stones.


Chapter 3

Getting the Real-Time Round-Trip Time

for Stepping Stone Detection

Stepping stone attacks are often used by network intruders to hide their identities. The Round Trip Times (RTT) between the send packets and the corresponding echo packets on the connection chains of stepping stones are critical for detecting such attacks. However, previous real-time RTT getting approaches cannot obtain RTTs precisely. In this chapter, we propose a novel real-time RTT getting algorithm which can be used at all times by RTT based stepping stone detection approaches to identify stepping stones, and used sparingly to obtain the values of parameters for other, non-RTT based stepping stone detection approaches. Our experiments show that it is far more accurate than the previous real-time RTT getting algorithms. We also present a probability analysis which shows that our algorithm has a high matching rate and a high accuracy rate.


3.1 Introduction

Depending on the characteristics they analyse, stepping stone detection systems can be mainly classified into timing correlation [2, 3, 4, 9, 10, 35], count correlation [8, 21] and RTT correlation [12, 16]. Whichever stepping stone detection approach is used, RTTs are either directly or indirectly involved. In the ON/OFF approach [2], Zhang and Paxson suggested that the selection of the control parameter should be based on the RTT of a connection. Donoho et al. [5] argued that there should be a maximum tolerable delay by which a packet can be delayed at a stepping stone. Based on this argument, some packet number based approaches [8, 21] and timing based approaches [9, 10] have been proposed. The maximum tolerable delay in all of these approaches is assumed to be an input parameter, but none of the approaches indicates what value it should take. In fact, the RTT is precisely the representation of the maximum tolerable delay.

Unlike other types of approaches, RTT based approaches use the RTT directly. Since the RTT is computed from both send and echo packets, one benefit of RTT based approaches is that they can filter out asymmetric Internet packets and chaff packets, and can be more resistant to network imperfections and intruder evasion than any other type of approach. “Send-Ack/Send-Echo” [12] was the first approach proposed to detect stepping stones by RTT. The basic idea is to estimate the length of a downstream connection chain by computing the ratio between the packet Send-Ack delay and the Send-Echo delay (i.e. the RTT). In this approach, if the length of a downstream connection chain is more than a specified number, the connection may be considered a stepping stone connection. However, Yung’s method only gives good results when network traffic is relatively uniform. The “Step-Function” approach [16] was then proposed, using the feature that the RTT changes little for normal connections but increases proportionally with the number of stepping stones in the chain. The steps in the RTT changes reflect the number of hosts in the connection chain. If the number of RTT steps for an interactive connection is more than a specified number, the connection may be considered a stepping stone connection. This approach can detect stepping stones correctly if the RTTs can be obtained precisely.

However, it is not easy to obtain the RTT with high precision, as echo packets have no obvious characteristic by which to identify their correlated send packets. The “Send-Ack/Send-Echo” approach [12] used a statistical method to match TCP send and echo packets. This can yield a correct match only when the echo packet is received before the next send packet is sent. In addition, it cannot be used in real-time. In the “Step-Function” approach, Yang and Huang [16] proposed the Conservative and Greedy algorithms to obtain the RTT, but both algorithms rest on the assumption that every send packet matches exactly one echo packet. Yang [51] proposed a standard deviation-based clustering approach (SDBA) which calculates the time delay between all send packets and echo packets and finds the cluster with the smallest standard deviation. Although it can achieve high accuracy, it is inefficient and cannot be used in real-time. To block or trace attacks, a stepping stone detection approach should be able to identify stepping stone connections as soon as possible. Therefore, obtaining accurate RTTs in real-time remains a challenge.


In this chapter, we propose an Estimation-Based Algorithm (EBA) to discover the RTT in real-time. As an RTT getting approach, the EBA algorithm can be used at all times by RTT based stepping stone detection approaches such as “Step-Function” [16]. It can also be used sparingly to find the values of parameters for other, non-RTT based stepping stone detection approaches. The experiments show that our algorithm is far more accurate than other real-time RTT getting algorithms. We also present a theoretical analysis from a probabilistic point of view, which shows that our algorithm has a high matching rate and also an accuracy rate similar to that of the more complicated, non real-time SDBA approach [51].

The rest of the chapter is organized as follows. In Section 3.2 we introduce the

motivation of our algorithm. The detail of our Estimation-Based RTT algorithm is

presented in Section 3.3. Section 3.4 gives the probability analysis. Some

experimental application results are given in Section 3.5. Finally, we summarize this

chapter in Section 3.6.

3.2 Motivation

RTT estimation is one of the key characteristics of the current TCP mechanism. In

order to find a suitable value for the retransmission time-out, all TCP implementations

attempt to estimate the current RTT of every active connection by observing the

pattern of delay for recent segments. Our estimation-based RTT algorithm is

motivated by this observation.


However, the RTT for a stepping stone is different from the RTT for TCP. Here we formally give definitions of RTT and related terms.

Send packet: The packets sent in interactive connections from the attacker (client) to the target (server), having both the ‘Push (P)’ and ‘Acknowledgement (A)’ flags or only a ‘P’ flag [61].

Echo packet: The packets sent in interactive connections from the target (server) to the attacker (client), having both the ‘Push (P)’ and ‘Acknowledgement (A)’ flags or only a ‘P’ flag.

Ack packet: The packets having the ‘A’ flag only.

RTT for TCP: The time delay between a send packet and the corresponding ack packet or echo packet on an interactive connection is called the Round-Trip Time (RTT) for TCP on this interactive connection. Here, the corresponding ack packet or echo packet can be identified by the sequence number.

RTT for stepping stone: The time delay between a send packet and the corresponding echo packet on an interactive connection is called the Round-Trip Time (RTT) for a stepping stone on this interactive connection. Because the data sent is normally echoed back on interactive connections, we call the echo packet triggered by a send packet the corresponding echo packet for this send packet. Unless otherwise specified, RTT in this thesis means the RTT for the stepping stone.

Connection number: We call the number of relay hosts from the specified connection to the target machine the connection number of its downstream connection.


See Figure 3.1 for an illustration of the above definitions. From this illustration, we see that an attacker establishes a connection chain to the targeted machine through a series of stepping stones. Commands typed by the attacker are relayed to the target by the series of stepping stones, executed on the target and then echoed back to the attacker through the same series of stepping stones. The RTT for the stepping stone on connection i is the time delay between the sent command (packet) and the corresponding echoed-back command (packet) on connection i.

Figure 3.1. Stepping stone chain between Attacker and Target (Attacker, Stepping stone 1, ..., Stepping stone i-1, Stepping stone i, Target; on connection i the RTT for TCP spans Send to Ack, while the RTT for stepping stone spans Send to Echo)

Normally, to obtain the RTT for a stepping stone, we must first find the corresponding echo packets for the send packets. However, it is not as easy to find the corresponding echo packet as it is to find the ack packets, which can be identified by their sequence number in the TCP header. The reasons for this are explained below.

The information we get from the packet content is just TCP header information such as packet length, sequence number, etc. Since intruders normally select encrypted connections such as SSH instead of plain telnet connections, we are unable to see the data content of the packet, nor can we benefit from the header information. For encrypted connections, even the packet length fails to represent the real TCP data length. TCP’s sequence number and acknowledgement number are used by the Conservative algorithm [16] to match packets. But the sequence number and acknowledgement number are only meaningful for one neighbouring TCP connection and are not that helpful for matching packets across a TCP connection chain, which leads to only a few send packets being matched by the Conservative algorithm.

The mapping between send and echo packets is not an ordered one-to-one correspondence, since packet transmission on the Internet is complex and one send packet may correspond to several echo packets. For example, when a command is executed at the target host, the result may be sent back in several packets. Also, a send packet may have no corresponding echo packet at all: for example, a password is not echoed back by the target host. In addition, due to packet retransmission and cumulative acknowledgement, several send packets may correspond to one echo packet. Therefore, we cannot assume that each send packet is answered by exactly one echo packet (i.e. a one-to-one mapping), which is the strategy used by the Greedy algorithm [16]. The Greedy algorithm has a low accuracy rate because most probably the packets do not follow a one-to-one mapping.

The time interval between two consecutive send packets is not always large enough. We can assume that some time intervals are bigger than the RTT. However, we cannot assume that on every occasion an interval is larger than the RTT, because users (including intruders), when connected to a host, may need to pause in order to read, think, or respond to the previous operation, but they do not need to pause for every operation. So normally there are overlaps of RTT, i.e. the next send packet may be sent before the corresponding echo packet of the previous one has been received. One deficiency of Yung’s proposal [12] is that it cannot deal with this case of RTT overlap.

Our Estimation-Based Algorithm differs from the above methods in that it first calculates an RTT estimation (ERTT) value, instead of finding the corresponding echo packet directly. If the ERTT is accurate enough and the send packet has a corresponding echo packet, that echo packet should arrive around ERTT later than the send packet. This makes it easy for our algorithm to find the corresponding echo packet, and we do not even need to consider whether the mapping is one-to-one or whether there is RTT overlap.

3.3 Estimation-Based Algorithm (EBA)

Before presenting the algorithm, we first give some definitions related to it.

RTT sequence: An RTT sequence $\{RTT_1, RTT_2, \ldots, RTT_i, \ldots\}$ is a series of real RTTs in chronological order, each calculated as the time delay between the arrival epoch of a send packet and the arrival of its corresponding echo packet on an interactive connection.

ERTT: The estimated value of the RTT.

ERTT sequence: An ERTT sequence $\{ERTT_1, ERTT_2, \ldots, ERTT_i, \ldots\}$ is a series of ERTTs in chronological order calculated by the EBA algorithm.

ΔRTT: The deviation of the RTT from the ERTT.

ΔRTT sequence: A ΔRTT sequence $\{\Delta RTT_1, \Delta RTT_2, \ldots, \Delta RTT_i, \ldots\}$ is a series of ΔRTTs in chronological order, with $\Delta RTT_i = RTT_i - ERTT_i$.

FR (fluctuate range): The maximum value by which $RTT_i$ may deviate from $ERTT_i$.

Our algorithm is composed of two modules: the estimating module and the

matching module. Next we will present the detailed algorithm description for each

module and include some improvements.

3.3.1 The Estimating Module

The Estimating Module is responsible for calculating the ERTT. We use the first-order linear recursive filter to estimate the RTT, the same filter that is used in current TCP RTT estimation mechanisms. For the RTT sequence $\{RTT_1, RTT_2, \ldots, RTT_i, \ldots\}$ and the ERTT sequence $\{ERTT_1, ERTT_2, \ldots, ERTT_i, \ldots\}$ on an interactive connection, the ERTT can be calculated from the previous ERTT and the current RTT, as shown in equations (1) and (2):

$ERTT_i = a \cdot ERTT_{i-1} + (1 - a) \cdot RTT_i$ (1)

$ERTT_1 = RTT_1$ (2)

In (1), a is the weighting factor, used to adjust how quickly the estimated value responds to the real value. The weighting factor in the TCP RTT estimation mechanism of current TCP/IP implementations is normally set to 0.875, which has been used for many years and is still seen as reasonable over the Internet [56]. We also tested parameter a with different values in our algorithm, and found that we obtain the smallest standard deviations for ΔRTT when a equals 0.875. The smaller the ΔRTT, the more precise the estimation. Therefore, we set parameter a to 0.875 in our applications.

To calculate the ERTT, the key is how to obtain the first real RTT (i.e. $RTT_1$). From the previous analysis in this section, we know that it is inevitable that some time intervals between two consecutive send packets are considerably larger than the RTT of the network during an interactive terminal session. This means that it is reasonable to begin or resume our estimation from these large time intervals. If two consecutive send packets have a timestamp difference of more than TI (a predefined time interval threshold), we assume the existence of a large gap and then obtain $RTT_1$.

Figure 3.2. RTT distribution (X-axis: RTT in microseconds, 130 to 200; Y-axis: probability, 0 to 0.25)


Normally, we can consider that the first echo packet after the large interval matches the first send packet after it. So we calculate $RTT_1$ as the time delay between that first echo packet and that first send packet.

To evaluate the accuracy of our estimating algorithm, we built a connection chain

with three connections. We then input simple characters with big intervals so the send

packets with echo packets are one-to-one mapping and there is no overlap of RTT and

we easily get the real RTTs by one-to-one matching. Figure 3.2 shows the RTT

distribution using the real RTTs we achieved, where Y-axis stands for the probability

that each RTT occurred, and X-axis stands for the RTT value in unit microseconds.

From Figure 3.2, we found that the RTT distribution is more-or-less a Poisson

distribution with a relatively narrow range.

Figure 3.3. ΔRTT distribution (X-axis: ΔRTT in microseconds, -30 to 40; Y-axis: probability, 0 to 0.25)


At the same time, we calculated the ERTT by equations (1) and (2) from the real RTT data we obtained. We then compared the ERTT with the real RTT and obtained the ΔRTT distribution shown in Figure 3.3, which is close to a normal distribution, and discovered that more than 97% of the |ΔRTT| values are smaller than 17 ms.

We also found that the standard deviation of the ΔRTT distribution is nearly the same as the standard deviation of the RTT distribution. The standard deviation in Figure 3.2 is 9.31 ms and the standard deviation in Figure 3.3 is 9.38 ms. Table 3.1 shows other standard deviation examples from our tests.

Table 3.1. Standard deviation comparisons for RTT and ΔRTT distribution

Example   Standard deviation for RTT (ms)   Standard deviation for ΔRTT (ms)
1         1.735                             1.771
2         2.841                             2.827
3         3.663                             3.722
4         5.312                             5.538
5         6.469                             6.651
6         9.016                             9.043

3.3.2 The Matching Module

Since most $RTT_i$ fluctuate around $ERTT_i$ within a relatively narrow range, we consider a time delay to be $RTT_i$ if the time delay between an echo packet and the send packet is in the range between $ERTT_i - FR$ and $ERTT_i + FR$. This is the basic idea of the matching process.

We found that the ΔRTT distribution is close to a normal distribution, so the maximum ΔRTT (i.e. FR) is infinite in theory. But our goal is to obtain real RTTs to be used for detecting stepping stones with the “Step-Function” stepping stone detection approach [16]. The few real RTTs that are too small or too big, and of no benefit to us, are filtered out by selecting an appropriate FR. When the value of FR becomes bigger, more packets fall in the range between $ERTT_i - FR$ and $ERTT_i + FR$, and the probability of finding matched packets is higher, but the probability of an incorrect match is higher as well. So the value of FR is critical for our algorithm. We discuss the value of FR further in Section 3.4.

In our algorithm, we have a queue called SendQ, which stores the send packets in

time order. When the time interval between two consecutive send packets is bigger

than the TI, we will reset the SendQ. If we find the corresponding echo packet for one

send packet, or if we are sure there is no corresponding echo packet for that send

packet, we will delete that send packet from the SendQ queue.

By the estimating algorithm we obtain the ERTT. Now, when we capture an echo packet, we take the first send packet from SendQ and calculate the time delay $T_{delay}$ between the echo packet and the send packet. If $T_{delay}$ is smaller than $ERTT_i - FR$, we consider that there is no send packet matching this echo packet; if $T_{delay}$ is in the range between $ERTT_i - FR$ and $ERTT_i + FR$, we consider that they match each other, and $RTT_i$ is $T_{delay}$; if $T_{delay}$ is larger than $ERTT_i + FR$, we consider that there is no echo packet matching this send packet, and we take the next send packet from SendQ and repeat the above process. Figure 3.4 describes the matching process.

Figure 3.4. Matching module processing (flowchart): capture the next packet P. If P is a send packet, compute the time interval TI since the last send; if TI > Threshold, reset SendQ; then put P in SendQ. If P is an echo packet, get the first packet Ps from SendQ and compute the time delay Tdelay; if Tdelay < ERTTi - FR, P matches no send packet; if Tdelay > ERTTi + FR, drop Ps and get the next packet from SendQ; otherwise RTTi = Tdelay, and RTTi is fed to the ESTIMATING MODULE, which produces the new ERTT.


Through this matching process, we obtain the RTT and store every RTT. At the same time, we feed the RTT into the estimating process and obtain the new ERTT for continuous processing. The stored RTTs can be used to judge whether the monitored host is a stepping stone by RTT based stepping stone detection approaches, or to calculate the parameters of non-RTT based stepping stone detection approaches.
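As an added example (not the thesis author's code), the following Python re-implements the estimating module of Section 3.3.1 and the matching module of Section 3.3.2 and replays them over a constructed packet trace; a = 0.875 and FR = 30 ms are the values the chapter uses, while TI = 1 s and the trace timings are assumptions.

```python
"""Estimation-Based Algorithm (EBA): real-time RTT recovery for one connection.

Added example (not the thesis author's code): the estimating module of
Section 3.3.1 (recursive filter, equations (1) and (2)) and the matching
module of Section 3.3.2 (SendQ plus the ERTT +/- FR window), run over a
constructed packet trace. Timestamps are in milliseconds.
"""
from collections import deque
from typing import Deque, List, Optional, Tuple

Packet = Tuple[float, str]  # (capture time in ms, "send" or "echo")


class EBA:
    def __init__(self, a: float = 0.875, fr_ms: float = 30.0, ti_ms: float = 1000.0):
        self.a = a          # weighting factor a of equation (1); 0.875 as in TCP
        self.fr = fr_ms     # FR: largest |RTT_i - ERTT_i| accepted as a match
        self.ti = ti_ms     # TI: a send gap above this restarts estimation (assumed value)
        self.sendq: Deque[float] = deque()  # SendQ: unmatched send timestamps, in order
        self.ertt: Optional[float] = None   # current ERTT; None until RTT_1 is known
        self.last_send: Optional[float] = None
        self.rtts: List[float] = []         # recovered RTT sequence
        self.ertts: List[float] = []        # ERTT after each matched RTT

    # ---- estimating module ---------------------------------------------------
    def _estimate(self, rtt: float) -> None:
        """Feed matched RTT_i into the filter: (2) for the first value, (1) after."""
        if self.ertt is None:
            self.ertt = rtt                                    # ERTT_1 = RTT_1
        else:
            self.ertt = self.a * self.ertt + (1 - self.a) * rtt
        self.rtts.append(rtt)
        self.ertts.append(self.ertt)

    # ---- matching module (Figure 3.4) ----------------------------------------
    def on_send(self, t: float) -> None:
        if self.last_send is not None and t - self.last_send > self.ti:
            # Large gap: no older send can still have an echo pending, so reset
            # SendQ and take the next echo as RTT_1 (estimation resumes from here).
            self.sendq.clear()
            self.ertt = None
        self.last_send = t
        self.sendq.append(t)

    def on_echo(self, t: float) -> Optional[float]:
        """Return the RTT this echo yields, or None if it matches no queued send."""
        if self.ertt is None:
            # Bootstrap after a large interval: first echo answers the first send.
            if not self.sendq:
                return None
            rtt = t - self.sendq.popleft()
            self._estimate(rtt)
            return rtt
        while self.sendq:
            t_delay = t - self.sendq[0]
            if t_delay < self.ertt - self.fr:
                return None            # echo too early: no send packet matches it
            if t_delay <= self.ertt + self.fr:
                self.sendq.popleft()   # within [ERTT - FR, ERTT + FR]: RTT_i = T_delay
                self._estimate(t_delay)
                return t_delay
            # T_delay > ERTT + FR: this send never got an echo (e.g. a password,
            # which the target does not echo); drop it and try the next queued send.
            self.sendq.popleft()
        return None

    def process(self, packets: List[Packet]) -> List[float]:
        """Replay a captured trace in time order; returns the RTT sequence."""
        for t, direction in sorted(packets):
            if direction == "send":
                self.on_send(t)
            else:
                self.on_echo(t)
        return list(self.rtts)


# Constructed trace (true RTT about 50 ms) covering the cases the text raises:
# RTT overlap (sends at 400 and 430 before the echo of 400 arrives), a stray
# early echo at 310, an unanswered send at 700, and a gap larger than TI at 2500.
TRACE: List[Packet] = [
    (0, "send"), (48, "echo"),
    (300, "send"), (310, "echo"), (352, "echo"),
    (400, "send"), (430, "send"), (452, "echo"), (478, "echo"),
    (700, "send"), (900, "send"), (947, "echo"),
    (2500, "send"), (2551, "echo"),
]


def run_example() -> Tuple[List[float], List[float]]:
    """Run EBA over TRACE; returns (RTT sequence, ERTT sequence)."""
    eba = EBA()
    rtts = eba.process(TRACE)
    return rtts, eba.ertts


if __name__ == "__main__":
    for i, (r, e) in enumerate(zip(*run_example()), 1):
        print(f"RTT_{i} = {r:5.1f} ms   ERTT_{i} = {e:8.4f} ms")
```

Running it recovers six RTTs (48, 52, 52, 48, 47 and 51 ms); the stray echo at 310 ms and the unanswered send at 700 ms are discarded without disturbing the estimate, and the gap before 2500 ms restarts the filter from a fresh RTT_1.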

3.4 Evaluation

3.4.1 Matching Rate

The matching rate is defined as the ratio between the number of matched packet pairs and the number of send packets having corresponding echo packets. According to our algorithm, only an RTT whose difference from the ERTT is smaller than FR can be matched, so FR is critical to our algorithm. The bigger the FR, the higher the matching rate, but the probability of an incorrect match is higher as well. In addition, our main goal is to obtain the real RTTs that are used to detect stepping stones. The few real RTTs that are too small or too big cannot benefit us, so our algorithm also acts as a filter.

Assume echo packet $P_{ei}$ is the corresponding echo packet of send packet $P_{si}$, and that the timestamps of $P_{ei}$ and $P_{si}$ are $t_{ei}$ and $t_{si}$, respectively. If $P_{ei}$ is selected to match $P_{si}$, the time delay between them is $RTT_i$. We further assume that $ERTT_i$ is already known. Then we get:

$t_{si} + ERTT_i - FR \le t_{ei} \le t_{si} + ERTT_i + FR$

$ERTT_i - FR \le t_{ei} - t_{si} \le ERTT_i + FR$

$ERTT_i - FR \le RTT_i \le ERTT_i + FR$

$|RTT_i - ERTT_i| \le FR$

We assume that ΔRTT has standard deviation $\sigma$, and let $u = FR / \sigma$. We evaluate the matching rate, which is the probability that $P_{si}$ has a corresponding packet found, i.e. the probability that $P_{ei}$ is selected to match $P_{si}$, by using the Chebyshev inequality [88] as follows:

$\text{Matching rate} = P(P_{si} \text{ has a corresponding packet found}) = P(|RTT_i - ERTT_i| \le FR) \ge 1 - \frac{1}{u^2}$

The matching rate is related to the value of u, which is the ratio between FR and the standard deviation of ΔRTT. In our experiments, FR was set to 30 ms, which worked well. We calculated u and the matching rate for the previous standard deviation examples for ΔRTT, as shown in Table 3.2. The matching rates for all the standard deviation examples are higher than 90%, which is high enough to detect stepping stones.

Table 3.2. Matching rate examples for EBA

Example   Standard deviation for ΔRTT (ms)   u        Matching rate (%)
1         1.771                              16.940   99.651
2         2.827                              10.612   99.112
3         3.722                              8.060    98.461
4         5.538                              5.417    96.592
5         6.651                              4.510    95.086
6         9.043                              3.317    90.802

3.4.2 Accuracy Rate

We first estimate the probability of making an incorrect choice of echo packet $P_{ei}$ for send packet $P_{si}$. There are two reasons why $P_{ei}$ may be incorrectly selected to match $P_{si}$:

• $P_{ei}$ should be the corresponding packet of a previous send packet, but was not selected to match it because the real $RTT_{i-1}$ is more than ERTT + FR. In this case, most probably $P_{ei}$ is the corresponding packet of the last send packet $P_{s(i-1)}$. We assume that the timestamps of $P_{s(i-1)}$, $P_{si}$ and $P_{ei}$ are $t_{s(i-1)}$, $t_{si}$ and $t_{ei}$ respectively, and that the time delay between $t_{ei}$ and $t_{s(i-1)}$ is $RTT_{i-1}$. So we get

$t_{ei} \ge t_{si} + ERTT_i - FR > t_{s(i-1)} + ERTT_{i-1} + FR$

$t_{s(i-1)} + RTT_{i-1} \ge t_{si} + ERTT_i - FR > t_{s(i-1)} + ERTT_{i-1} + FR$

$RTT_{i-1} - ERTT_{i-1} \ge t_{si} - t_{s(i-1)} - FR + ERTT_i - ERTT_{i-1} > FR$

Since $P_{ei}$ was not selected to match $P_{s(i-1)}$, the ERTT is not recalculated, so $ERTT_i$ is equal to $ERTT_{i-1}$. Then

$RTT_{i-1} - ERTT_{i-1} \ge t_{si} - t_{s(i-1)} - FR > FR$

In addition, we let $L_{i-1}$ be the time interval between these two consecutive send packets, i.e. $t_{si} - t_{s(i-1)} = L_{i-1}$, and L be the smallest time interval between two consecutive send packets. Then

$RTT_{i-1} - ERTT_{i-1} \ge L_{i-1} - FR$ and $L_{i-1} > 2FR$

so that, since $FR < L_{i-1}/2$,

$RTT_{i-1} - ERTT_{i-1} \ge \frac{L_{i-1}}{2}$ (3)

• $P_{ei}$ should be the corresponding packet of $P_{s(i+1)}$, the next send packet after $P_{si}$, but is matched with $P_{si}$ because the difference between the timestamps of $P_{si}$ and $P_{ei}$ is closer to $ERTT_i$ than the difference between the timestamps of $P_{s(i+1)}$ and $P_{ei}$. We assume that the timestamps of $P_{si}$, $P_{s(i+1)}$ and $P_{ei}$ are $t_{si}$, $t_{s(i+1)}$ and $t_{ei}$, and that the time delay between $t_{ei}$ and $t_{s(i+1)}$ is $RTT_i$. Then we get

$t_{ei} - t_{si} - ERTT_i \le ERTT_i - (t_{ei} - t_{s(i+1)})$

$(t_{ei} - t_{s(i+1)}) + (t_{s(i+1)} - t_{si}) - ERTT_i \le ERTT_i - (t_{ei} - t_{s(i+1)})$

$t_{ei} - t_{s(i+1)} \le ERTT_i - \frac{t_{s(i+1)} - t_{si}}{2}$

$RTT_i - ERTT_i \le -\frac{L_i}{2}$ (4)

where $L_i = t_{s(i+1)} - t_{si}$ is the time interval between these two consecutive send packets.

So from (3) and (4) we have $|RTT_i - ERTT_i| \ge \frac{L_i}{2} \ge \frac{L}{2}$. Assuming that ΔRTT has standard deviation $\sigma$, and letting $v = \frac{L}{2\sigma}$, we get the probability that $P_{ei}$ is incorrectly selected to match $P_{si}$ by using the Chebyshev inequality as follows:

$P(\text{incorrect choice of } P_{ei} \text{ for } P_{si}) \le P\left(|RTT_i - ERTT_i| \ge \frac{L}{2}\right) \le \frac{1}{v^2}$

Then the accuracy rate, i.e. the probability of making a correct selection of the packet for an RTT, can be estimated by the following inequality:

$\text{Accuracy rate} = P(\text{correct choice of } P_{ei} \text{ for } P_{si}) \ge 1 - \frac{1}{v^2}$

Yang [51] claims that the accuracy rate of his SDBA algorithm is higher than $1 - \frac{1}{q^2}$, where $q = \frac{L}{2\sigma'}$ and $\sigma'$ is the standard deviation of RTT. We know that the standard deviation of RTT is close to the standard deviation of ΔRTT, i.e. $\sigma \approx \sigma'$, and hence $v \approx q$. Therefore, our algorithm has nearly the same accuracy rate as SDBA. Yang [51] claimed that the accuracy rate for his SDBA experiment examples was higher than 97%.


3.5 Application

To obtain comparable results, we also implemented the other real-time RTT getting algorithms, the Greedy and Conservative algorithms [16]. In order to test the accuracy of the RTT getting algorithms, we applied the “Step-Function” [16] stepping stone detection approach and ascertained whether the RTT getting algorithms were accurate enough to be applied to detecting stepping stones.

The “Step-Function” approach is responsible for monitoring the steps of the RTT changes on an interactive connection, which reflect the number of connections in its downstream connection chain. When the number of steps in the RTT changes is more than a specified number, the connection is considered a stepping stone connection, and further action such as blocking or trace-back may be taken. Since the RTT getting algorithms are responsible for getting stepping stone RTTs in real-time, we concentrated our experiments on the RTT values that each RTT getting algorithm can obtain and the levels at which the RTT changes.

We evaluated our experiments from two perspectives: whether the RTT getting algorithms can obtain RTTs at one level for a single connection, and whether they can obtain RTTs with the correct number of levels during the establishment of a connection chain. In addition, as we mentioned before, the typing speed and the commands input can affect the ordering and mapping of the send and echo packets. So we conducted our experiments in two modes as well: slow typing speed with simple input commands, and quick typing speed with complex input commands.


To begin with, we built a connection over the Internet by SSH from host H1 to host H2. We then captured the SSH packets and applied the Greedy, Conservative and EBA algorithms concurrently at host H1 from the time that host H2 was first connected. We input simple commands at a slow typing speed and complex commands at a quick typing speed, respectively, at the connection terminal of H1. The results with simple input commands and slow typing speed are shown in Figure 3.5 and the results with complex input commands and quick typing speed in Figure 3.6, where the X-axis represents the send packet number and the Y-axis represents RTT values in units of ms.

From Figure 3.5, we know that the RTTs from all three algorithms are concentrated around one level, if we ignore the big protuberances. This is despite the EBA algorithm apparently being better than the Greedy and Conservative algorithms, as all of its RTT results are closely around 47 ms.

Figure 3.5. One connection with simple inputting commands by slow typing speed (three panels: Greedy, Conservative, EBA; X-axis: send packets, ending at 314, 303 and 296 respectively; Y-axis: RTT (microsecond), 0 to 600)

In Figure 3.6, the RTTs obtained by the Greedy algorithm are concentrated around

three levels, and it will be incorrectly considered a connection chain with three

connections by the “Step-Function” stepping stone detection approach. For the

Conservative algorithm, there were only 38 RTTs obtained, which is far fewer than

the 217 RTTs for the Greedy algorithm and 207 RTTs for the EBA algorithm. It will

be hard for the “Step-Function” approach to judge what kind of connection it is due to

a small number of RTTs. For the EBA algorithm, all the RTTs it obtained are closely

around 49 ms, so the “Step-Function” approach can identify it is a single connection.

Figure 3.6. One connection with complex inputting commands by quick typing speed (three panels: Greedy, Conservative, EBA; X-axis: send packets, ending at 217, 38 and 207 respectively; Y-axis: RTT (microsecond), 0 to 1000)


We then built a connection chain by SSH that passed from host H1 to host H2, then to host H3, and then to host H4. We captured the SSH packets and applied the Greedy, Conservative and EBA algorithms concurrently at host H1 from the time host H2 was first connected to the time the whole connection chain was built. We input simple commands at a slow typing speed and complex commands at a quick typing speed, respectively, at the connection terminal of H1 while the chain was being built. The results with simple input commands and slow typing speed are shown in Figure 3.7 and the results with complex input commands and quick typing speed in Figure 3.8, where the X-axis represents the send packet number and the Y-axis represents RTT values in units of ms.

Figure 3.7. One chain with simple inputting commands by slow typing speed (three panels: Greedy, Conservative, EBA; X-axis: send packets; Y-axis: RTT (microsecond), 0 to 1000)


In Figure 3.7, the RTTs obtained by the Greedy and Conservative algorithms are

approximately clustered around three levels. But both of them have too many large

protuberances that may affect the identification of steps for the “Step-Function”

approach.

From Figure 3.8, we know that the RTTs obtained by the Greedy algorithm are

clustered around many levels, and the “Step-Function” approach will consider it a

stepping stone connection when it is just a single connection. For the Conservative

algorithm, there are only 200 RTTs obtained, which is far fewer than the 970 and 898

RTTs for the Greedy algorithm and the EBA algorithm, respectively.

Figure 3.8. One chain with complex inputting commands by quick typing speed (three panels: Greedy, Conservative, EBA; X-axis: send packets, ending at 970, 200 and 898 respectively; Y-axis: RTT (microsecond), 0 to 1000)


In both Figure 3.7 and Figure 3.8, all the RTTs obtained by the EBA algorithm lie closely around three levels: 47 ms, 102 ms and 170 ms. Therefore, the RTTs achieved by the EBA algorithm correctly reflect how many connections a connection has in its downstream connection chain, for any typing speed and any kind of inputting commands.

From all of our experimental results, we found that the number of send packets matched by the EBA algorithm is always slightly smaller than the number matched by the Greedy algorithm. The ratios of the EBA send packet number to the Greedy send packet number for the above figures were all higher than 90%. As the Greedy algorithm matches all the send packets, whether or not they have corresponding echo packets, the real number of send packets having corresponding echo packets should be smaller than the number of Greedy send packets. We are therefore confident that the real matching rate for the above figures is higher than 90%.

We also obtained the standard deviations of the ΔRTTs for the above figures, which lie between 1.771 ms and 9.043 ms. Although we are unable to obtain an exact accuracy rate from the above figures, our algorithm achieves RTTs precise enough to detect stepping stones across a wide range of ΔRTT standard deviations.

3.6 Summary

RTTs are critical for stepping stone detection approaches, but how to obtain precise RTTs for stepping stones in real time remains a challenge. In this chapter, we propose a novel real-time RTT getting algorithm which can be used continuously by RTT-based stepping stone detection approaches to detect stepping stones, and used occasionally by other, non-RTT-based stepping stone detection approaches to obtain the values of their parameters. We present a theoretical probability analysis which demonstrates that our algorithm has more than a 90% matching rate and a higher accuracy than the complicated, non-real-time RTT getting algorithm SDBA. Our experimental results show that our algorithm is much more precise than previous real-time methods for the detection of stepping stones.

Chapter 4 Detecting Stepping Stones in Real Internet Environments

56

Chapter 4

Detecting Stepping Stones in Real Internet Environments

Stepping stones are often used by network intruders to launch attacks. However, current stepping stone detection approaches are hardly applicable in real Internet environments due to their demands on storage, computation and excessive monitoring time. In this chapter, we propose a simple but effective stepping stone detection scheme that reduces some of these demands. Our experiments show that the proposed approach achieves more than 90% accuracy by monitoring for 2 seconds and more than 95% accuracy by monitoring for 10 seconds, all with low computational costs.

4.1 Introduction


A stepping stone detection system normally detects stepping stones in a network by searching for correlations, such as identical payload or similar packet timing, between interactive connections at the network borders or routers. If a pair of interactive connections is detected as part of a stepping stone chain, they can be blocked immediately to stop the attack, thereby preventing further harm. Alternatively, one can record them in the hope of tracing the stepping stone path to identify the source of the attack.

To prevent such attacks, a stepping stone detection approach should be able to correctly identify correlated connections as quickly as possible, since many attackers launch their attacks in a very short time to evade detection. Moreover, the quicker the response, the less harm will be done. For tracing back and identifying the source of an attack, real-time, quick response is also needed, because attackers have many excuses and techniques (such as a fake IP address) with which to deny their attacking activity when no on-the-spot evidence is available. However, current approaches seldom take responsiveness into consideration (see Chapter 2 for related work).

Meanwhile, a stepping stone detection approach should not assume that there is no packet dropping during packet transmission on the Internet. Omar et al. [44] claim that packet dropping, which [5][8][9][10][21] assume does not occur, does occur over wide area networks. Therefore, the accuracy of approaches that make this assumption should be doubted when they are applied in real Internet environments.

Besides responsiveness and the no-packet-dropping assumption, a practical stepping stone detection approach should have a low demand for storage and computation. It is not hard to find correlations by complex computations, but when applied to real environments, a stepping stone detection programme should not overburden the whole system.

As shown in Table 4.1, among all current stepping stone detection approaches, only sketching [35] takes these three factors into consideration, but it has a low accuracy. In this chapter, we propose the Packet Delay Bidirectional Comparison (PDBC) scheme, a simple but practical stepping stone detection algorithm. It makes no no-packet-dropping assumption and is designed for high efficiency. Our experiments and analysis show that our system has high accuracy and quick responsiveness along with low storage and computation costs. At the same time, it is also resistant to chaff. We also present a comparison with previous methods, including the sketching approach.

The rest of the chapter is organized as follows. Section 4.2 explains the definition

and properties. We demonstrate the scheme in Section 4.3 and experimental results are

given in Section 4.4. Finally, we summarize this chapter in Section 4.5.

4.2 Definitions and Property for Packet Delay

In this section we begin by defining some terms, and then present a property of packet delay.

4.2.1 Related Definitions

Definition 4.1 (RTT) The packets sent in interactive connections from an attacker (client) to a target (server) are called send packets, and the packets sent in the reverse direction are called echo packets. The time delay between a send packet and the corresponding echo packet on a connection is called the Round-Trip Time (RTT) for this interactive connection.

Table 4.1. Practical features comparison among the encrypted traffic stepping stone detection approaches

| Approach | Quick responsiveness | No-packet-dropping assumption | Computation complexity | Storage demand |
|---|---|---|---|---|
| ON/OFF | No | No | low | high |
| Deviation | No | No | high | high |
| IPD | Requires a few dozen packets | No | high | high |
| Multiscale | No | Yes | low | low |
| DA | No | Yes | low | low |
| DMV | No | Yes | low | low |
| DM | No | Yes | high | high |
| SI, SII, SIII, SIV | No | Yes | Depends on algorithm | high |
| RTT-Thumbprint | No | Yes | high | high |
| Sketching | Designed to respond quickly | No | Designed to be run efficiently | Depends on sketches |

Definition 4.2 (RTT sequence) An RTT sequence $Rtt_a$ is a series of RTTs in chronological order obtained by an RTT getting algorithm on connection a. Let

$$Rtt_a = \{Rtt_a^1(t_a^1),\ Rtt_a^2(t_a^2),\ \ldots,\ Rtt_a^i(t_a^i),\ \ldots\} \quad (i > 0),$$

where $Rtt_a^i$ (i > 0) is the ith RTT obtained by the RTT getting algorithm for interactive connection a, and $t_a^i$ is the arrival epoch of the echo packet from which the ith RTT on connection a is obtained. For ease of describing the algorithm, the RTT sequence representation here is slightly different from the definition in Section 3.3.

Definition 4.3 (Upstream and downstream connection) We say that connection a is an upstream connection of connection b, and b is a downstream connection of a, when a and b are in the same connection chain and $Rtt_a > Rtt_b$ at around the same time.

Because an upstream connection has more relay nodes beneath it than its downstream connection, for the same relayed send packet the RTT on the upstream connection is larger than the RTT on its downstream connection.

Definition 4.4 (Correlated connections) We say that connection a and

connection b are correlated connections, if a and b are in the same connection

chain.

4.2.2 Property of Packet Delay

Theorem 4.1. Let interactive connections a and b be in the same connection chain, connection a be the upstream connection of connection b, and $Rtt_a^n(t_a^n)$ and $Rtt_b^m(t_b^m)$ be the RTTs obtained for connections a and b respectively from the same original send packet. Then

$$E\big(Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)\big) = 0,$$

if the routes of the send packets are the same as those of the corresponding echo packets.

Proof. The packet delay consists of four components: processing delay, queuing delay, transmission delay and propagation delay [69]. Given a packet of size p that traverses a path of h hops, each link i having capacity $C_i$ and propagation delay $\tau_i$, the average propagation and transmission delays can be written as:

$$T_{propagation} = \sum_{i=1}^{h} \tau_i, \qquad T_{transmission} = \sum_{i=1}^{h} \frac{p}{C_i}$$

Applying the Kleinrock [99] independence approximation, each link can be modelled as an M/M/1 queue [90]. The average number of packets in the queues can be written as:

$$N = \sum_{i=1}^{h} \frac{\lambda_i}{\mu_i - \lambda_i}$$

(where $\lambda_i$ and $\mu_i$ are the arrival rate and service rate of each link separately)

Applying Little's Law [81], the average queuing delay per packet can be written as:

$$T_{queuing} = \frac{1}{\lambda} \sum_{i=1}^{h} \frac{\lambda_i}{\mu_i - \lambda_i}$$

(where $\lambda$ is the total arrival rate)

Ignoring the processing delay, the average packet delay can be written as:

$$T = T_{propagation} + T_{transmission} + T_{queuing} = \sum_{i=1}^{h} \tau_i + \sum_{i=1}^{h} \frac{p}{C_i} + \frac{1}{\lambda}\sum_{i=1}^{h} \frac{\lambda_i}{\mu_i - \lambda_i}$$

Let the send packet time delay from connection a to b be $T_{ab}$, and the echo packet time delay from connection b to a be $T_{ba}$, as shown in Figure 4.1. If the routes of the send packets are the same as those of the corresponding echo packets, the links from connection a to connection b are the same as the links from b to a. So every parameter of $T_{ab}$, including $\tau_i$, $C_i$, $\lambda_i$, $\mu_i$ and $\lambda$, is the same as the corresponding parameter of $T_{ba}$. The sizes of a send packet and its corresponding echo packet are also the same. So we obtain:

$$E(T_{ab}) = E(T_{ba})$$

Figure 4.1. Stepping stone packet delay (diagram omitted; it shows the chain Attacker, Stepping stone a, Stepping stone b, Target, with the send and echo packets, $RTT_a$, $RTT_b$, $T_{ab}$ and $T_{ba}$)


Let the RTT from connection a to connection b be $RTT_{ab}$, so that $RTT_{ab} = T_{ab} + T_{ba}$. By their definitions we get:

$$RTT_{ab} = Rtt_a^n - Rtt_b^m$$

$$T_{ba} = t_a^n - t_b^m$$

$$T_{ab} = RTT_{ab} - T_{ba}$$

Then we can get:

$$E(T_{ab}) - E(T_{ba}) = E\big(Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)\big) = 0$$

Table 4.2. Real-time comparing processing in the PDBC algorithm

PDBC_compare(Rtt_a^n, Rtt_b)
  If (Rtt_a > Rtt_b)
    For (m starting from the last index of the RTT sequence Rtt_b down to the first index)
      If (t_a^n - Rtt_a^n > t_b^m - Rtt_b^m)
        UCV_ab++;
        Break;
      Else if (|Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)| < δ)
        CV_ab++;
        Break;
      Endif
    Endfor
  Endif

4.3 Algorithm and Analysis

4.3.1 PDBC Algorithm

Based on Theorem 4.1, we designed the Packet Delay Bidirectional Comparison (PDBC) algorithm, which examines interactive connections and determines, within a specified monitoring time, whether a pair of connections is correlated, i.e. whether the two connections are in the same connection chain. It can be run at a network gateway node or as an independent process on a stepping stone host.

When packets arrive on an interactive connection, PDBC first calculates the RTT in real time using an RTT getting algorithm. We use the Estimation-Based RTT getting Algorithm (EBA) proposed in Chapter 3, because it is far more precise than other real-time RTT getting algorithms, as analysed in Chapter 3.

Once a new RTT $Rtt_a^n(t_a^n)$ is obtained, the algorithm compares it against all other connections whose RTT is smaller than the current one. If there exists an RTT $Rtt_b^m(t_b^m)$ on a compared connection b such that

$$|Rtt_a^n - Rtt_b^m - 2(t_a^n - t_b^m)| < \delta \qquad (1)$$

we increase the correlated value (CV) for this pair of compared connections; otherwise we increase the uncorrelated value (UCV) for the pair. The detailed processing for comparing a new RTT $Rtt_a^n(t_a^n)$ with the RTT sequence $Rtt_b$ of another connection is shown in Table 4.2.

When the monitoring time expires, we calculate the correlated rate (CR) by

$$CR = \frac{CV}{CV + UCV}$$

If the CR for a pair of connections is higher than a specified threshold θ, we consider it a pair of correlated connections; otherwise, it is considered a normal connection pair. The detailed processing when the monitoring time expires for a compared pair is shown in Table 4.3.
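As an added example (not code from the thesis), the following Python model implements the comparison of Table 4.2 and the expiry decision of Table 4.3, and runs them over constructed RTT sequences for an upstream connection a, its downstream connection b and an unrelated interactive connection c. It assumes the guard Rtt_a > Rtt_b is checked against the other connection's most recent RTT, and uses δ = 30 ms and θ = 0.2, the values the chapter reports as giving the highest accuracy.

```python
"""Added example, not the thesis author's code: a stand-alone model of the
PDBC comparison (Table 4.2) and monitor-expiry decision (Table 4.3) on
constructed RTT sequences. All times are in milliseconds."""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Rtt:
    """One element Rtt^i(t^i) of an RTT sequence (Definition 4.2)."""
    rtt: float   # round-trip time measured for one send packet
    t: float     # arrival epoch of the echo packet that completed the RTT

    @property
    def send_epoch(self) -> float:
        # epoch at which the send packet was observed on this connection
        return self.t - self.rtt


def pdbc_compare(new: Rtt, seq_other: list, counters: dict, delta: float) -> None:
    """Table 4.2: compare the new RTT on the (upstream) connection with the
    stored RTT sequence of another connection, newest entry first.
    Assumption: the guard Rtt_a > Rtt_b is evaluated against the other
    connection's most recent RTT."""
    if not seq_other or new.rtt <= seq_other[-1].rtt:
        return
    for old in reversed(seq_other):
        if new.send_epoch > old.send_epoch:
            # this and every older entry started before the new RTT's send
            # packet, so no match is possible: count as uncorrelated
            counters["ucv"] += 1
            return
        if abs(new.rtt - old.rtt - 2 * (new.t - old.t)) < delta:  # equation (1)
            counters["cv"] += 1
            return


def pdbc_monitor_expired(counters: dict, theta: float) -> str:
    """Table 4.3: CR = CV / (CV + UCV) compared against the threshold theta."""
    total = counters["cv"] + counters["ucv"]
    if total == 0:          # pair never compared: nothing to base a verdict on
        return "NORMAL"
    return "CORRELATED" if counters["cv"] / total > theta else "NORMAL"


def run_pdbc(events: list, delta: float = 30.0, theta: float = 0.2) -> dict:
    """Feed (connection, Rtt) events in echo-arrival order, as a real-time
    monitor would see them, and return the verdict for each ordered pair
    (candidate upstream, candidate downstream)."""
    seqs = defaultdict(list)
    counters = defaultdict(lambda: {"cv": 0, "ucv": 0})
    for conn, new in sorted(events, key=lambda e: e[1].t):
        for other, seq in seqs.items():
            if other != conn:
                pdbc_compare(new, seq, counters[(conn, other)], delta)
        seqs[conn].append(new)
    return {pair: pdbc_monitor_expired(c, theta) for pair, c in counters.items()}


def build_sample_events(n_packets: int = 50, seed: int = 7) -> list:
    """Constructed data: a is upstream of b (same send packets, symmetric
    hop delays T_ab ~ T_ba as in Theorem 4.1) and c is an independent
    interactive connection. Returns (connection, Rtt) events."""
    rng = random.Random(seed)
    events = []
    s = 0.0
    for _ in range(n_packets):
        s += rng.uniform(150, 400)      # typing gaps between send packets on a
        t_ab = rng.uniform(20, 30)      # send-packet delay a -> b
        t_ba = rng.uniform(20, 30)      # echo-packet delay b -> a
        rtt_b = rng.uniform(55, 65)     # downstream RTT seen on b
        rtt_a = t_ab + rtt_b + t_ba     # upstream RTT seen on a
        events.append(("b", Rtt(rtt_b, s + t_ab + rtt_b)))
        events.append(("a", Rtt(rtt_a, s + rtt_a)))
    s = 0.0
    for _ in range(n_packets):
        s += rng.uniform(500, 900)      # slower, unrelated session on c
        rtt_c = rng.uniform(95, 105)
        events.append(("c", Rtt(rtt_c, s + rtt_c)))
    return events


if __name__ == "__main__":
    for pair, verdict in sorted(run_pdbc(build_sample_events()).items()):
        print(pair, verdict)
```

For the correlated pair the term in equation (1) reduces to T_ab - T_ba, so every new RTT on a matches the latest RTT on b; for (a, c) a match requires an entire c round trip to fall inside a's RTT window, which the constructed timing makes rare.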

4.3.2 Analysis

• Computation Time

During the comparison processing, we do not need to compare the new RTT with every RTT of the other connections. All we need to do is compare the RTTs whose send packet arrival epoch is later than the new RTT's send packet arrival epoch. Then the question arises: how many RTTs on another connection will be compared with the new RTT?

Table 4.3. Monitoring time expired processing in PDBC algorithm

PDBC_Monitor_Expired(UCV_ab, CV_ab)
  CR = CV_ab / (CV_ab + UCV_ab);
  If (CR > θ)
    Return CORRELATED;
  Else
    Return NORMAL;

Consider two connections a and b, and suppose $Rtt_a > Rtt_b$, that the total number of RTTs on connection a is n, and that the packet arrival rate on connection b is $\lambda$. When a new RTT is obtained on connection a, the RTTs to be compared on connection b should have a send packet arrival epoch at least $Rtt_b$ earlier than the new RTT's echo packet. Therefore, the answer is the number of packets sent on connection b during $Rtt_a - Rtt_b$. Let p be the average number of RTTs on connection b that will be compared with one RTT on connection a. So we get:

$$p = \lceil (Rtt_a - Rtt_b)\lambda \rceil + 1 \quad \text{for a correlated connection pair}$$

$$p = \lceil (Rtt_a - Rtt_b)\lambda \rceil \quad \text{for a normal connection pair}$$

We then get the computation time for comparing a pair of connections as $O(\lceil (Rtt_a - Rtt_b)\lambda \rceil n + n)$ for a correlated connection pair, and $O(\lceil (Rtt_a - Rtt_b)\lambda \rceil n)$ for a normal connection pair. Generally, the value of $\lceil (Rtt_a - Rtt_b)\lambda \rceil$ is small if no delay is deliberately added. In our experiments it equalled 0 in most cases, so the computation time was no bigger than $O(n)$.

• Storage demand


On the other hand, because only a limited number of recent RTTs need to be compared, the algorithm does not need to store all RTTs. Suppose the maximum RTT value over all compared interactive connections is MRTT. When a new RTT for an interactive connection is obtained, the algorithm checks whether there are stored RTTs on this connection whose epochs are more than MRTT earlier than the current time, and if so deletes them from storage. Therefore, PDBC requires little storage.

• Parameters selection

According to the Chebyshev inequality (Kao [1996]; Feller [1968]) and Theorem 4.1, we get:

$$P\big(|Rtt_a^n(t_a^n) - Rtt_b^m(t_b^m) - 2(t_a^n - t_b^m)| < \delta\big) = P\big(|T_{ab} - T_{ba} - E(T_{ab} - T_{ba})| < \delta\big) \ge 1 - \left(\frac{\sigma}{\delta}\right)^2$$

where $\sigma$ is the standard deviation of $T_{ab} - T_{ba}$.

Therefore, the bigger δ is, the higher the probability that equation (1) holds. However, the accuracy decreases as well.

For the CR threshold parameter θ, as θ decreases, the probability that correlated connections are determined to be correlated increases, but the probability that normal connections are determined to be correlated increases as well.

This means we should balance the two parameters and select values suitable for the application. In our experiments, we present the impact of different parameter values. When δ is set to 30 ms and θ is set to 0.2, we achieve the highest accuracy.

• Asymmetric Routing


Because Internet routing normally follows shortest-path rules, the routes of send packets are normally the same as those of the corresponding echo packets. But there still exist situations where the routing is asymmetric. For these situations, we introduce an asymmetry parameter α with $E(T_{ab}) = \alpha\,E(T_{ba})$, and change equation (1) to equation (2):

$$|Rtt_a^n - Rtt_b^m - (1 + \alpha)(t_a^n - t_b^m)| < \delta \qquad (2)$$

• Chaff resistance

Attackers may also introduce superfluous packets, called chaff, which contain no valuable information and are not relayed to the succeeding flow of the chain, in order to perturb the timing information. In fact, when packets are transmitted on the Internet, packet merges, packet drops and packet retransmissions occur, which can be considered a natural chaff perturbation. Therefore, a stepping stone detection approach should not assume that there are no packet drops, and it should be resistant to chaff to some extent.

Since PDBC is based on the RTTs obtained by the EBA algorithm, which is able to filter out unsymmetrical packets (send packets without a corresponding echo) as analysed in Chapter 3, the PDBC scheme is also resistant to chaff.


4.4 Experiments

4.4.1 Data Source and Testing Method

Data from a LAN environment or a simulation generally presents a one-to-one packet mapping, which makes stepping stone detection easier. To test the applicability of stepping stone detection approaches, the data must be real data from the Internet. To achieve this, we designed a topology in an Internet environment and collected real stepping stone connection chain data for testing the stepping stone detection approaches.

We built two separate connection chains on the Internet by SSH from host H1 and host H2, both passing through host H3, then hosts H4, H5 and H6, and finally connecting to host H7. H4 and H6 are in the same network segment, as shown in Figure 4.2. The other hosts were located in different areas of Melbourne, Australia. We started to capture packets at host H4 once all the connection chains were built. We then quickly entered commands at the terminals of H1 and H2 concurrently for about three minutes. After that, we stopped capturing packets.

Figure 4.2. Experimental topology for data source


Since H4 and H6 are in the same network segment, there are eight SSH connections, belonging to two connection chains, in the captured data. This means there are a total of 12 correlated connection pairs and 16 uncorrelated connection pairs. As it is easier to detect stepping stones in light traffic, we entered commands quickly so that we would obtain at least normal traffic. During the experiment we found more than 7% retransmitted packets on some connections, which is higher than the normal 1%-6% Internet retransmission rate [53]. In addition, the packet number differences in some connection chains were more than 17%, which means there were many packet drops and merges during packet transmission on the connection chains. Therefore, the captured data can be considered Internet data with normal or even heavy traffic.

With the captured data, we can then run the stepping stone detection approaches from a start epoch in the captured data until a specified monitoring time (such as 10 seconds) has elapsed, and then output the results for every pair of connections. More results can be obtained by selecting a different start epoch. We use every 500 ms along the data source as a start epoch in our experiments, and run all the start epochs so selected. Each run produced 28 results, giving a total of more than 8000 results for 10 seconds of monitored time. From these results we then calculated the accuracy. We use the terms below to measure the accuracy.

False negative: the rate at which a correlated connection pair is judged to be a normal connection pair.

False positive: the rate at which a normal connection pair is judged to be a correlated connection pair.


Accuracy: the rate at which a correlated connection pair is judged to be a correlated connection pair and a normal connection pair is judged to be a normal connection pair.

Figure 4.3. False negative with different δ (plot omitted; X-axis: time (s), 0 to 80; Y-axis: false negative, 0 to 0.2; series: PDBC with δ=20, δ=30, δ=40, δ=50)

Figure 4.4. False positive with different δ (plot omitted; X-axis: time (s), 0 to 80; Y-axis: false positive, 0 to 0.2; series: PDBC with δ=20, δ=30, δ=40, δ=50)

As attackers may add chaff to evade detection, we also created chaff-inserted data by introducing chaff packets into the original captured data at random times with different chaff rates, where the chaff rate is the ratio of the number of introduced chaff packets to the number of original send packets.

4.4.2 Experimental Results

4.4.2.1 Impact of Parameters

In our experiments, there are two parameters: δ, the maximum deviation of the packet delay difference in the two directions, and θ, the CR threshold. We ran the PDBC scheme on the original captured data and tested the impact of the parameters on the accuracy of the algorithm.

Figure 4.3 and Figure 4.4 show the false negative and false positive results, respectively, for different δ and different monitoring times. We can see that both the false negative and the false positive decrease as the monitoring time increases. But the false negative decreases and the false positive increases as δ increases, which is consistent with our previous analysis. To achieve the highest accuracy, we set δ to 30 ms in later experiments.

Figure 4.5 and Figure 4.6 show the false negative and false positive results, respectively, for different θ and different monitoring times. We can see that both the false negative and the false positive decrease as the monitoring time increases. But the false negative increases and the false positive decreases as θ increases. To achieve the highest accuracy, we set θ to 0.2 in later experiments.

Figure 4.5. False negative with different θ (plot omitted; X-axis: time (s), 0 to 80; Y-axis: false negative, 0 to 0.5; series: PDBC with θ=0.1, θ=0.2, θ=0.3, θ=0.4, θ=0.5)

Figure 4.6. False positive with different θ (plot omitted; X-axis: time (s), 0 to 80; Y-axis: false positive, 0 to 0.5; series: PDBC with θ=0.1, θ=0.2, θ=0.3, θ=0.4, θ=0.5)

Figure 4.7. False negative for PDBC, sketching and IPD (plot omitted; X-axis: monitoring time (s), 0 to 80; Y-axis: false negative (%), 0 to 100; series: PDBC, sketching, IPD)

Figure 4.8. False positive for PDBC, sketching and IPD (plot omitted; X-axis: monitoring time (s), 0 to 80; Y-axis: false positive (%), 0 to 100; series: PDBC, sketching, IPD)


4.4.2.2 Responsiveness and Accuracy

To compare our algorithm with previous approaches, we also implemented the IPD [4] and sketching [35] approaches, which are the only two approaches that take responsiveness into consideration, as shown in Table 4.1. The parameters we used in our experiments are shown in Table 4.4; they gave the best results for every approach.

Figure 4.7, Figure 4.8 and Figure 4.9 show the false negative, false positive and accuracy results compared with the IPD and sketching approaches, using the original captured data. We found that while both the false negative and the false positive for the PDBC and sketching approaches drop as the monitored time increases, the false negative and false positive of IPD change in different directions as the monitored time increases. So the accuracy for the PDBC and sketching approaches rises to 100% as the monitored time increases, while the accuracy for IPD rises to around 95% to begin with and then drops as the monitored time increases. This is despite the apparently low accuracy of the sketching approach when the monitoring time is shorter than 60 seconds. For PDBC, even if the monitoring time is 2 seconds, it can still achieve above 90% accuracy, while the other two approaches only have around 50% accuracy. In addition, the accuracy for IPD is higher than 95% when the monitored time is longer than 10 s and we can get 100% accuracy when the monitored time is longer than 60 s.

Figure 4.9. Accuracy for PDBC, sketching and IPD (plot omitted; X-axis: monitoring time (s), 0 to 80; Y-axis: accuracy (%), 40 to 100; series: PDBC, sketching, IPD)

Table 4.4. Parameters for PDBC, sketching and IPD

| Approach | Parameters |
|---|---|
| PDBC | δ=30ms, θ=71 |
| Sketching | slot=1500ms, thresh=71 |
| IPD | window_size=10, point_thresh=0.8, thresh=0.7 |

4.4.2.3 Chaff perturbation


To test whether the stepping stone detection approaches are resistant to chaff, we ran them on the chaff-inserted data with different chaff rates.

Figure 4.10 shows the accuracy of PDBC with chaff rates of 0, 10%, 20% and 40%. We can see that PDBC is hardly affected by chaff. The accuracy of sketching and IPD with different chaff rates is shown in Figure 4.11 and Figure 4.12 respectively, which show that the accuracy of IPD and sketching is affected by chaff, especially that of IPD.

4.4.2.4 Performance

We recorded the execution time for running the three stepping stone detection approaches within the specified monitoring time, with the start epoch changing from the beginning to the end of the data source. However, we did the pre-processing, such as calculating RTTs, calculating packet counts in slots and calculating inter-packet delays, only once.

Figure 4.10. Accuracy for PDBC with different chaff rate (plot omitted; X-axis: monitoring time (s), 0 to 80; Y-axis: accuracy (%), 40 to 100; series: chaff rate = 0, 10%, 20%, 40%)

So the execution time only reflects the processing for comparison. We found that these execution time values were relatively stable, and the average values are shown in Table 4.5. Since the computation time for PDBC is smaller than $O(n)$ in our experiments, the execution time for PDBC changes only slightly for different monitored times. Because IPD compares each packet with a window of packets, its execution time increases exponentially with the monitoring time. For the sketching scheme, one of the main computing costs is calculating sketches, which increases linearly.

Figure 4.11. Accuracy for sketching with different chaff rate (plot omitted; X-axis: monitoring time (s), 0 to 80; Y-axis: accuracy (%), 40 to 100; series: chaff rate = 0, 10%, 20%, 40%)

Figure 4.12. Accuracy for IPD with different chaff rate (plot omitted; X-axis: monitoring time (s), 0 to 80; Y-axis: accuracy (%), 40 to 100; series: chaff rate = 0, 10%, 20%, 40%)

4.5 Summary

Quick responsiveness with high accuracy and low computation costs are critical challenges for applying stepping stone detection approaches in real Internet environments. In this chapter, we propose a simple but practical stepping stone detection algorithm which has lower storage and computation costs than existing algorithms. The experimental results demonstrate that our method can achieve detection results with more than 90% accuracy within 2 seconds, and 100% accuracy within 60 seconds. This is much better than the IPD and sketching approaches, which were the only two approaches taking responsiveness into consideration. Our experiments also demonstrate that our approach is resistant to chaff.

Table 4.5. Execution time for PDBC, IPD and sketching

| Approach | Execute time / Monitored time (10s) | Execute time / Monitored time (40s) | Execute time / Monitored time (80s) |
|---|---|---|---|
| PDBC | 3.281s | 3.281s | 3.343s |
| IPD | 4.109s | 22.187s | 52.437s |
| Sketching | 4.640s | 7.578s | 8.640s |

Chapter 5 Detecting Chaffed and Jittered Stepping Stone Connections

81

Chapter 5

Detecting Chaffed and Jittered Stepping Stone Connections

Packet timing or frequency (count) characteristics are the foundations commonly employed in detecting stepping stones. However, these characteristics may be altered by attackers introducing jitter and chaff into stepping stone connections. But the timing causality, that a packet has to arrive at a node before it can leave it, is not changed. In this chapter, based on two Poisson process models, we formulate and prove two separate upper bounds on the probability that normal connections present the timing causality of correlated connections. In addition, based on these two upper bounds, we propose two novel parameter-free algorithms that can detect stepping stones accurately even with large jitter and a high chaff rate. We compare our algorithms with previous ones, and our experiments show that our algorithms are more resistant to chaff and jitter than previous ones. In addition, our algorithms maintain high accuracy for detecting normal stepping stones with no chaff or jitter perturbation. We also present comparisons between our two algorithms through analysis and experimentation.

5.1 Introduction

Current stepping stone detection approaches [2, 3, 4, 5, 8, 9, 10, 21, 35] are predominantly based on timing or frequency characteristics that may be altered during packet transmission on the Internet. Additionally, attackers may introduce random jitter delays before packets depart from stepping stones, or they may insert chaff (superfluous packets which contain no valuable information and are not relayed by stepping stones) into the original attack flow on stepping stones, which can even completely break the timing and frequency features.

However, the timing causality that a packet must arrive at a node before it can leave it does not change. Therefore, the packet arrival epochs on stepping stones keep the order of the stepping stone chain. But this timing causality between correlated stepping stone connections may appear between normal connections as well. In our experiments we paid much attention to normal connections instead of stepping stone connections, and found the existence of an upper bound on the probability that normal connections present the timing causality of correlated stepping stone connections. Based on these upper bounds, we designed the Abnormal Probability Detection algorithm (APD) and the Speedy Abnormal Probability Detection algorithm (SAPD), which can accurately detect stepping stones even under chaff and jitter perturbation. In this chapter, we also compare our proposals with previous approaches.


The rest of this chapter is organised as follows. In Section 5.2, we present related work on the ability of stepping stone detection approaches to resist evasion. In Section 5.3, we analyse and explain the mathematical models of connection streams, and prove two formulas for the upper bounds of probability based on two Poisson models. Section 5.4 describes the two algorithms based on the two formulas in detail. Section 5.5 explains our experimental results. Finally, we conclude this chapter in Section 5.6.

5.2 Related Works

As more approaches were proposed to detect stepping stones, evasion techniques developed concurrently. At first, encrypting stepping stone connections rendered the content-based approaches [1] unusable. Then, the introduction of chaff and jitter perturbed the timing or frequency characteristics of stepping stone connections, which are the foundation of most stepping stone detection approaches [2, 3, 4, 5, 8, 9, 10, 21, 35]. The SNEAK attack tool [46] can even create constant-rate streams by inserting jitter and chaff, so that the inter-packet timing information is removed entirely.

The evasion techniques of introducing chaff and jitter have also caught the attention of researchers. Donoho et al. [5] argue that attackers are subject to a maximum tolerable delay constraint, and that the correlation between stepping stone connections can be detected regardless of chaff packets if the connections last long enough. Similarly, under a maximum tolerable delay constraint, Blum et al. [8] present confidence bounds for stepping stone detection. Their algorithm is based on the difference in the number of packets between two connections at a given time. This difference is expected to be


low for correlated connections even if there are a few chaff packets. In [9], Zhang et al. propose several algorithms with a special focus on random delays and chaff. They compared most previous stepping stone detection approaches [2, 3, 4, 5, 8], and their experiments demonstrated that their proposals were more effective at resisting chaff and jitter, even though their algorithms also rest on the assumption that there is no packet dropping, and their experimental data is not real connection data. In [54], Wu et al. tried to improve the chaff resistance of [8]. However, they assumed that chaff is introduced into only one of the connections of a correlated connection pair. Coskun et al. [35] proposed a sketching method and claimed it could resist chaff and jitter perturbations. However, their experiments only involve cases of small jitter and low chaff rates. Kampasi et al. [49] provide methods to improve stepping stone detection when jitter, chaff or both are introduced into a packet stream. But these methods are only used as supplements to other stepping stone detection approaches.

5.3 Probability Analysis

In this section, we begin by formally defining some terms. Then we introduce two network stream models. Based on these two models, we formulate and prove two different upper bounds on the probability that a stepping stone's timing causality appears between normal connections.


5.3.1 Related Definitions

Normally attackers launch stepping stone attacks by constructing a chain of interactive connections through a series of compromised hosts (stepping stones) using protocols such as Telnet or SSH, as shown in Figure 5.1.

Definition 5.1 (RTT and timing causality) The packets sent in interactive connections from an attacker (client) to a target (server) are called send packets, and the packets sent in the reverse direction are called echo packets. The time delay between a send packet and the corresponding echo packet on a connection is called the Round-Trip Time (RTT) of this interactive connection.

From Figure 5.1, and from the timing causality that a packet has to arrive before it can leave a node, we can see that the same send packet arrives first on stepping stone i-1 and then on stepping stone i. Once the send packet arrives at the target host, the corresponding echo packet is generated and sent back to stepping stone i, and then to stepping stone i-1.

[Figure 5.1: a stepping stone chain Attacker -> Stepping stone 1 -> ... -> Stepping stone i-1 -> Stepping stone i -> Target, with the Send packet, the Echo packet and the RTT marked on connection a]

Figure 5.1. The timing causality on a stepping stone chain

If two connections are in the same connection chain, we consider them as a

correlated connection pair, otherwise they are a normal connection pair.

Definition 5.2 (RTT Sequence and Packet Pair) An RTT sequence $Rtt_a$ is a series of RTTs in chronological order obtained by an RTT getting algorithm on connection $a$. Let

$$Rtt_a = \{\, Rtt_a^1(t_a^{s1}, t_a^{e1}),\ Rtt_a^2(t_a^{s2}, t_a^{e2}),\ \ldots,\ Rtt_a^i(t_a^{si}, t_a^{ei}),\ \ldots \,\} \quad (i > 0)$$

where $Rtt_a^i$ is the $i$th RTT obtained by the RTT getting algorithm for interactive connection $a$, and $t_a^{si}$ and $t_a^{ei}$ are the arrival epochs of the Send and Echo packets from which the $i$th RTT on connection $a$ is obtained. $(t_a^{si}, t_a^{ei})$ is called a Packet Pair, and $t_a^{ei} - t_a^{si} = Rtt_a^i$. For ease of describing the algorithm, the RTT sequence representation here differs slightly from the definition in Section 3.3 and Section 4.3.

Definition 5.3 (Correlated Packet Pair and Correlated Probability) For the packet pair $(t_a^{si}, t_a^{ei})$ on connection $a$ and the packet pair $(t_b^{sj}, t_b^{ej})$ on connection $b$, if $t_a^{si} < t_b^{sj} < t_b^{ej} < t_a^{ei}$ holds, we say that $(t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})$ is a correlated packet pair. By Definition 5.2, for a correlated packet pair we also have:

$$t_a^{si} < t_b^{sj} \ \wedge\ t_b^{sj} + Rtt_b^j < t_a^{si} + Rtt_a^i \quad\Rightarrow\quad t_a^{si} < t_b^{sj} < t_a^{si} + Rtt_a^i - Rtt_b^j \qquad (1)$$


For the packet pair $(t_a^{si}, t_a^{ei})$ on $a$, if there exists any packet pair $(t_b^{sj}, t_b^{ej})$ on $b$ such that $(t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})$, we say that $(t_a^{si}, t_a^{ei})$ has a correlated pair. The Correlated Probability $CP_{ab}$ is defined as the ratio of the number of packet pairs of $a$ that have correlated pairs on $b$ to the total number of packet pairs of $a$.

The Correlated Probability for two normal connections seems random. But it is actually related to the packet frequency and the RTT value, which we prove in the analysis below.

5.3.2 Modelling Connection Streams

Network streams are frequently modelled as a Poisson process [90]. The famous

Jackson’s theorem [80], a significant development in the theory of networks of queues,

simply assumes packet arrivals are Poisson processes. To detect stepping stones,

connection streams (the packet arrivals on connections) are generally modelled as

Poisson processes as well [5, 8, 9, 10].

Normally, Poisson processes with a fixed rate [5, 8, 9, 10] are used to generate the model. In this situation, the packet interval follows the exponential distribution with probability density function $\lambda e^{-\lambda x}$, where $\lambda$ is the expected packet arrival rate and can be taken as $1/T$ ($T$ is the expected packet interval, which equals the average packet interval).


Let us assume that on a connection stream every packet arrival $i$ ($i \le n$) has its own rate $\lambda_i$ over its own time $T_i$, the packet interval of the $i$th packet, such that $\lambda_i T_i = 1$. Then the average arrival rate is the same as in the model with a fixed-rate Poisson distribution, as shown below:

$$\lambda = \frac{n}{\sum_{i=1}^{n} T_i} = \frac{\sum_{i=1}^{n} \lambda_i T_i}{\sum_{i=1}^{n} T_i}.$$

This means a Poisson process with a fixed rate can be modelled as many Poisson distributions with varying rates over varying time periods [8]. As a result, connection streams can be modelled as Poisson processes with varying rates over varying time periods. In this situation, every inter-arrival time follows the exponential distribution with probability density function $\lambda_i e^{-\lambda_i x}$, where $\lambda_i = 1/T_i$.

5.3.3 Probability Bound under Poisson Model with Varying Rate

Theorem 5.1. Assume normal connections $a$ and $b$ behave as sequences of Poisson processes. For the two RTT sequences obtained by the RTT getting algorithm on connections $a$ and $b$ during the same time range,

$$Rtt_a = \{\, Rtt_a^1(t_a^{s1}, t_a^{e1}),\ Rtt_a^2(t_a^{s2}, t_a^{e2}),\ \ldots,\ Rtt_a^n(t_a^{sn}, t_a^{en}) \,\} \quad (n > 0)$$

$$Rtt_b = \{\, Rtt_b^1(t_b^{s1}, t_b^{e1}),\ Rtt_b^2(t_b^{s2}, t_b^{e2}),\ \ldots,\ Rtt_b^m(t_b^{sm}, t_b^{em}) \,\} \quad (m > 0),$$

if $Rtt_a^i > Rtt_b^j$ for all $i \le n$, $j \le m$, and $(t_b^{sj}, t_b^{ej})$ $(j \le m)$ is the first packet pair on connection $b$ after $t_a^{si}$ $(i \le n)$, let

$$ucp(i, j) = \mathrm{MIN}\left( \frac{1 - e^{-(Rtt_a^i - Rtt_b^j)/b_j}}{1 - e^{-a_i/b_j}},\ 1 \right), \qquad a_i = t_a^{s(i+1)} - t_a^{si}, \qquad b_j = t_b^{s(j+1)} - t_b^{sj}.$$

Then

$$CP_{ab} \le UVCP_{ab} = \frac{1}{n} \sum_{i=1}^{n} ucp(i, j).$$

Proof. Firstly, we derive the probability that one packet pair $(t_a^{si}, t_a^{ei})$, $i \in \{1, \ldots, n\}$, has correlated pairs on connection $b$.

According to (1), only the packet pairs whose send packet arrives after $t_a^{si}$ have a chance to be correlated with $(t_a^{si}, t_a^{ei})$. If the first packet pair on connection $b$ after $t_a^{si}$ is not correlated with $(t_a^{si}, t_a^{ei})$, then the later packet pairs are not correlated with it either. So the probability that $(t_a^{si}, t_a^{ei})$ has correlated pairs on connection $b$ equals the probability that the first packet pair on connection $b$ after $t_a^{si}$ is correlated with $(t_a^{si}, t_a^{ei})$, i.e. $\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big)$.

Then we derive $\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big)$ from two cases:

a) When $a_i > Rtt_a^i - Rtt_b^j$

$$\begin{aligned}
&\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big) \\
&= \Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} < t_a^{s(i+1)}\big) \cdot \Pr\big(t_b^{sj} < t_a^{s(i+1)}\big) \\
&\quad + \Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} \ge t_a^{s(i+1)}\big) \cdot \Pr\big(t_b^{sj} \ge t_a^{s(i+1)}\big) \\
&\le \Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} < t_a^{s(i+1)}\big) + \Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} \ge t_a^{s(i+1)}\big)
\end{aligned}$$


• If $t_b^{sj} < t_a^{s(i+1)}$

We assume connection stream $b$ behaves as a Poisson process with rate $\lambda_j$ during the $j$th packet arrival. Then we can derive:

$$\begin{aligned}
&\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} < t_a^{s(i+1)}\big) \\
&= \frac{\Pr\big(t_a^{si} < t_b^{sj} < t_a^{si} + Rtt_a^i - Rtt_b^j\big)}{\Pr\big(t_a^{si} < t_b^{sj} < t_a^{s(i+1)}\big)} \\
&= \frac{\int_{t_a^{si}}^{t_a^{si} + Rtt_a^i - Rtt_b^j} \lambda_j e^{-\lambda_j (x - t_b^{s(j-1)})}\,dx}{\int_{t_a^{si}}^{t_a^{s(i+1)}} \lambda_j e^{-\lambda_j (x - t_b^{s(j-1)})}\,dx} \\
&= \frac{1 - e^{-\lambda_j (Rtt_a^i - Rtt_b^j)}}{1 - e^{-\lambda_j a_i}}
\end{aligned}$$

• If $t_b^{sj} \ge t_a^{s(i+1)}$

By the precondition $a_i > Rtt_a^i - Rtt_b^j$, we obtain the following inequality, which conflicts with Definition 5.3:

$$t_b^{sj} \ge t_a^{s(i+1)} = t_a^{si} + a_i > t_a^{si} + Rtt_a^i - Rtt_b^j$$

So $\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid t_b^{sj} \ge t_a^{s(i+1)}\big) = 0$.

As a result, when $a_i > Rtt_a^i - Rtt_b^j$, we get:

$$\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big) \le \frac{1 - e^{-\lambda_j (Rtt_a^i - Rtt_b^j)}}{1 - e^{-\lambda_j a_i}}$$

By the analysis in 5.3.2, we know $\lambda_j = 1/b_j$, so we can further get:


$$\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big) \le \frac{1 - e^{-(Rtt_a^i - Rtt_b^j)/b_j}}{1 - e^{-a_i/b_j}} = ucp(i, j)$$

b) When $a_i \le Rtt_a^i - Rtt_b^j$

We get $\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big) \le 1 = ucp(i, j)$, since the following inequality holds:

$$\frac{1 - e^{-(Rtt_a^i - Rtt_b^j)/b_j}}{1 - e^{-a_i/b_j}} \ge 1 \qquad (a_i \le Rtt_a^i - Rtt_b^j)$$

From cases a) and b), we can derive:

$$\Pr\big((t_a^{si}, t_a^{ei}) \text{ has correlated pairs on connection } b\big) = \Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big) \le ucp(i, j)$$

According to the definition of $CP_{ab}$, it can be considered as the expected value of $\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big)$. So we get:

$$CP_{ab} \le \frac{1}{n} \sum_{i=1}^{n} ucp(i, j) = UVCP_{ab} \le 1$$

5.3.4 Probability Bound under Poisson Model with a Fixed Rate

Theorem 5.2. For two normal connections $a$ and $b$, assuming they behave as Poisson processes with an equal rate $\lambda$, then

$$CP_{ab} \le UFCP_{ab} = \left(1 - e^{-\lambda |Rtt_a - Rtt_b|}\right)\left(1 - \ln\!\left(1 - e^{-\lambda |Rtt_a - Rtt_b|}\right)\right),$$

where $Rtt_a$ and $Rtt_b$ are the average RTTs on connections $a$ and $b$ respectively.


Proof. Assume $Rtt_a > Rtt_b$. Similar to the proof of Theorem 5.1, we first derive the probability that one packet pair $(t_a^{si}, t_a^{ei})$ of connection $a$ has correlated pairs on connection $b$, which equals $\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big)$, where $(t_b^{sj}, t_b^{ej})$ is the first packet pair on connection $b$ after $t_a^{si}$.

From the proof of Theorem 5.1, we know that:

• When $a_i > Rtt_a^i - Rtt_b^j$ (where $a_i = t_a^{s(i+1)} - t_a^{si}$),

$$\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big) \le \frac{1 - e^{-\lambda_j (Rtt_a^i - Rtt_b^j)}}{1 - e^{-\lambda_j a_i}},$$

where $\lambda_j$ is the varying packet arrival rate of connection $b$.

• When $a_i \le Rtt_a^i - Rtt_b^j$,

$$\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big) \le 1$$

As RTT always varies in a narrow range [56], we can approximately replace $Rtt_a^i - Rtt_b^j$ with $Rtt_a - Rtt_b$. By the assumption that connection $b$ behaves as a Poisson process with fixed rate $\lambda$, we get:

• When $a_i > Rtt_a - Rtt_b$,

$$\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big) \le \frac{1 - e^{-\lambda (Rtt_a - Rtt_b)}}{1 - e^{-\lambda a_i}}$$

• When $a_i \le Rtt_a - Rtt_b$,

$$\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big) \le 1$$


$CP_{ab}$ should be the expected value of $\Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei})\big)$, and because connection $a$ behaves as a Poisson process with rate $\lambda$, $a_i$ is exponentially distributed. Then we can derive:

$$\begin{aligned}
CP_{ab} &= \int_{0}^{\infty} \Pr\big((t_b^{sj}, t_b^{ej}) \subset (t_a^{si}, t_a^{ei}) \mid a_i = x\big)\, \lambda e^{-\lambda x}\,dx \\
&\le \int_{0}^{Rtt_a - Rtt_b} 1 \cdot \lambda e^{-\lambda x}\,dx + \int_{Rtt_a - Rtt_b}^{\infty} \frac{1 - e^{-\lambda (Rtt_a - Rtt_b)}}{1 - e^{-\lambda x}}\, \lambda e^{-\lambda x}\,dx \\
&= 1 - e^{-\lambda (Rtt_a - Rtt_b)} - \left(1 - e^{-\lambda (Rtt_a - Rtt_b)}\right) \ln\!\left(1 - e^{-\lambda (Rtt_a - Rtt_b)}\right) \\
&= \left(1 - e^{-\lambda (Rtt_a - Rtt_b)}\right)\left(1 - \ln\!\left(1 - e^{-\lambda (Rtt_a - Rtt_b)}\right)\right)
\end{aligned}$$

Now we can relax the assumption $Rtt_a > Rtt_b$ by replacing $Rtt_a - Rtt_b$ with $|Rtt_a - Rtt_b|$, and get:

$$CP_{ab} \le UFCP_{ab} = \left(1 - e^{-\lambda |Rtt_a - Rtt_b|}\right)\left(1 - \ln\!\left(1 - e^{-\lambda |Rtt_a - Rtt_b|}\right)\right)$$

5.4 Algorithm and Analysis

By the definition of the correlated pair, if all packets on $a$ appear in $b$, then $CP_{ab}$ should be 1 for all correlated connection pairs. We then consider the case where not all packets on $a$ appear in $b$. We can divide correlated connection streams into two parts: one part, whose $CP_{ab}$ is 1, includes all the packets appearing on both connections; the second part, whose $CP_{ab}$ has an upper bound, includes the packets appearing only on their own connection. From this point of view, if $CP_{ab}$ is larger than the upper bound, we consider the connection pair a correlated connection pair. Otherwise, it is a normal pair.

Based on the upper bounds from the two Poisson models, two stepping stone

detection algorithms are designed.

5.4.1 Abnormal Probability Detection Algorithm

The Abnormal Probability Detection algorithm is based on Theorem 5.1. It examines the interactive connections and determines whether a connection pair is correlated within a specified monitoring time. It can be run in real time at a network gateway node or as an independent process on the stepping stone hosts.

When packets arrive on a connection, APD first calculates the RTT in real time using the Estimation-Based RTT getting Algorithm proposed in Chapter 3. Once a new RTT sequence $Rtt_a^i$ is obtained, the algorithm compares it with each connection that needs to be compared.

For every comparing pair, let $C_b$ be the connection with the bigger RTT and $C_s$ the connection with the smaller RTT. We keep a variable LAST_INDEX recording the first RTT sequence index of $C_b$ that is later than every RTT sequence on $C_s$.

When the new RTT sequence is on $C_b$, and we cannot find an RTT sequence on $C_s$ that is later than the new RTT sequence, we set LAST_INDEX to the index of the new RTT sequence. Otherwise we set LAST_INDEX to 0, increase the total count for the comparing connection pair, calculate $ucp(i, j)$, and check whether they are a Correlated Packet Pair. If they are a Correlated Packet Pair, we increase the correlated count for the comparing connection pair.

Table 5.1. Real-time comparing processing in APD algorithm

APD_compare(Rtt_a^i, Rtt_b)
  If ((Rtt_a < Rtt_b) && (last_uncompared_index_ab != 0))
    For (j starting from last_uncompared_index_ab to the latest index)
      If (Rtt_a^i is the first RTT sequence after Rtt_b^j)
        Count_ab++;
        UVCP = ucp(i, j) + UVCP;
        If (Rtt_a^i is correlated with Rtt_b^j)
          Count_correlated_ab++;
        Endif
      Endif
    Endfor
    last_uncompared_index_ab = 0;
  Else if (Rtt_a > Rtt_b)
    If (last_uncompared_index_ab == 0)
      If (find one RTT sequence Rtt_b^j that is the first RTT sequence after Rtt_a^i)
        Count_ab++;
        UVCP = ucp(i, j) + UVCP;
        If (Rtt_a^i is correlated with Rtt_b^j)
          Count_correlated_ab++;
        Endif
      Else
        last_uncompared_index_ab = i;
      Endif
    Endif
  Endif

The detailed processing for the above comparison is shown in Table 5.1. If the new RTT sequence is on connection $C_s$ and the variable LAST_INDEX is not zero, we take the RTT sequences on $C_b$ from index LAST_INDEX up to the last index, and check whether $Rtt_a^i$ is later than each of them. If so, we increase the total count for the comparing connection pair, calculate $ucp(i, j)$, and check whether they are a Correlated Packet Pair. If they are a Correlated Packet Pair, we increase the correlated count for the comparing connection pair.

When the monitoring time for a comparing connection pair expires, we calculate CP as the ratio of the correlated count to the total count, and UVCP as the ratio of the accumulated UVCP to the total count. If CP > UVCP, we consider it a Correlated Connection pair; otherwise it is considered a Normal Connection pair. The detailed processing when the monitoring time expires on a comparing pair is shown in Table 5.2.

Table 5.2. Monitoring time expired processing in APD algorithm

APD_Monitor_Expired(UVCP, Count_ab, Count_correlated_ab)
  UVCP = UVCP / Count_ab;
  CP = Count_correlated_ab / Count_ab;
  If (CP > UVCP)
    Return CORRELATED;
  Else
    Return NORMAL;


During the processing, the algorithm may store some RTTs, but it does not need to store all RTTs. When the variable LAST_INDEX is set to zero, we can clear all stored RTTs for the comparing connection pair. Therefore, APD requires little storage.

Table 5.3. Real-time comparing processing in SAPD algorithm

SAPD_compare(Rtt_a^i, Rtt_b)
  If ((Rtt_a < Rtt_b) && (last_uncompared_index_ab != 0))
    For (j starting from last_uncompared_index_ab to the latest index)
      If (Rtt_a^i is the first RTT sequence after Rtt_b^j)
        Count_ab++;
        If (Rtt_a^i is correlated with Rtt_b^j)
          Count_correlated_ab++;
        Endif
      Endif
    Endfor
    last_uncompared_index_ab = 0;
  Else if (Rtt_a > Rtt_b)
    If (last_uncompared_index_ab == 0)
      If (find one RTT sequence Rtt_b^j that is the first RTT sequence after Rtt_a^i)
        Count_ab++;
        If (Rtt_a^i is correlated with Rtt_b^j)
          Count_correlated_ab++;
        Endif
      Else
        last_uncompared_index_ab = i;
      Endif
    Endif
  Endif

5.4.2 Speedy Abnormal Probability Detection Algorithm

The Speedy Abnormal Probability Detection algorithm is based on Theorem 5.2. It is nearly the same as the APD algorithm, except that it computes the probability bound once instead of $n$ times (where $n$ is the number of RTT sequences on the connection with the bigger RTT). The detailed processing for comparing and for monitoring time expiry is shown in Tables 5.3 and 5.4 respectively.

However, the calculation of UFCP involves $\lambda$, the packet arrival rate of the comparing connection pair. According to the analysis in 5.3.2, it can be taken as $1/T$ ($T$ is the expected packet inter-arrival time). We also have the assumption that the compared connections have the same packet arrival rate $\lambda$. So how to set $\lambda$ is crucial for the algorithm. In our experiments, we found that setting

$$\lambda = \frac{1}{\tfrac{1}{2}(T_a + T_b)}$$

gave a more accurate result.
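As an added illustration that is not the thesis's own code, the following Python computes $ucp(i, j)$, $UVCP$ and $UFCP$ from Theorems 5.1 and 5.2 and applies the CP comparison of APD and SAPD to two constructed packet-pair sequences (one nested chain, one independent pair). The batch loop over complete sequences, the `bisect` lookup of the first pair on the smaller-RTT connection, the `floor` argument (the 0.2 lower limit from Section 5.4.3) and all sample timings are my assumptions.

```python
import bisect
import math
from typing import Dict, List, Tuple

# A packet pair is (t_send, t_echo): arrival epochs of a Send packet and its Echo
# on one connection, so Rtt = t_echo - t_send (Definition 5.2). Lists are chronological.
PacketPair = Tuple[float, float]


def ucp(rtt_a: float, rtt_b: float, a_i: float, b_j: float) -> float:
    """ucp(i, j) of Theorem 5.1: the bound on the probability that the first
    packet pair of b after t_a^{si} nests inside (t_a^{si}, t_a^{ei}) when the
    two connections are independent. rtt_a > rtt_b, a_i = t_a^{s(i+1)} - t_a^{si},
    b_j = t_b^{s(j+1)} - t_b^{sj}, so lambda_b^j = 1 / b_j (Section 5.3.2)."""
    d = rtt_a - rtt_b
    if d <= 0.0:
        return 0.0  # assumption: a longer pair can never nest inside a shorter one
    if a_i <= d:
        return 1.0  # case b) of the proof: the ratio would exceed 1
    return min(1.0, (1.0 - math.exp(-d / b_j)) / (1.0 - math.exp(-a_i / b_j)))


def ufcp(mean_rtt_a: float, mean_rtt_b: float, lam: float) -> float:
    """UFCP of Theorem 5.2 for two connections with the same Poisson rate lam."""
    v = 1.0 - math.exp(-lam * abs(mean_rtt_a - mean_rtt_b))
    if v <= 0.0:
        return 0.0  # equal mean RTTs: no room for nesting, so the bound is 0
    return v * (1.0 - math.log(v))  # = 1 - e^{-lam D} - (1 - e^{-lam D}) ln(1 - e^{-lam D})


def is_correlated_pair(pair_a: PacketPair, pair_b: PacketPair) -> bool:
    """Definition 5.3: t_a^{si} < t_b^{sj} < t_b^{ej} < t_a^{ei}."""
    return pair_a[0] < pair_b[0] < pair_b[1] < pair_a[1]


def mean_rtt(pairs: List[PacketPair]) -> float:
    return sum(e - s for s, e in pairs) / len(pairs)


def mean_send_interval(pairs: List[PacketPair]) -> float:
    return (pairs[-1][0] - pairs[0][0]) / (len(pairs) - 1)


def compare(big: List[PacketPair], small: List[PacketPair],
            floor: float = 0.2) -> Dict[str, object]:
    """Batch form of the APD/SAPD comparison (the thesis runs it incrementally,
    Tables 5.1-5.4). `big` is the connection with the bigger RTT (C_b), `small`
    the one with the smaller RTT (C_s). `floor` is the lower limit that the
    improvement in Section 5.4.3 places on UVCP/UFCP (0.2 in the text)."""
    small_sends = [s for s, _ in small]
    count = correlated = 0
    uvcp_sum = 0.0
    for i in range(len(big) - 1):                   # a_i needs t_a^{s(i+1)}
        t_si, t_ei = big[i]
        j = bisect.bisect_right(small_sends, t_si)  # first pair on small after t_si
        if j >= len(small) - 1:                     # b_j needs t_b^{s(j+1)}
            break
        count += 1
        a_i = big[i + 1][0] - t_si
        b_j = small[j + 1][0] - small[j][0]
        uvcp_sum += ucp(t_ei - t_si, small[j][1] - small[j][0], a_i, b_j)
        if is_correlated_pair(big[i], small[j]):
            correlated += 1
    if count == 0:
        raise ValueError("no comparable packet pairs in the monitoring window")
    cp = correlated / count
    uvcp = max(floor, uvcp_sum / count)
    # SAPD uses one bound from the mean RTTs with lambda = 1 / ((T_a + T_b) / 2)
    lam = 2.0 / (mean_send_interval(big) + mean_send_interval(small))
    ufcp_val = max(floor, ufcp(mean_rtt(big), mean_rtt(small), lam))
    return {"cp": cp, "uvcp": uvcp, "ufcp": ufcp_val,
            "apd": "CORRELATED" if cp > uvcp else "NORMAL",
            "sapd": "CORRELATED" if cp > ufcp_val else "NORMAL"}


def constructed_pairs(n: int, period: float, rtt_big: float,
                      offset: float, rtt_small: float):
    """Constructed sample data (not captured traffic): n packet pairs on each
    connection with a send every `period` seconds; the second connection's sends
    are shifted by `offset` and carry RTT `rtt_small`."""
    big = [(k * period, k * period + rtt_big) for k in range(n)]
    small = [(k * period + offset, k * period + offset + rtt_small) for k in range(n)]
    return big, small


if __name__ == "__main__":
    # Correlated chain (Figure 5.1): the downstream pair sits inside the upstream one.
    print("chain :", compare(*constructed_pairs(10, 1.0, 0.8, 0.1, 0.6)))
    # Independent connections whose pairs never nest: CP stays below both bounds.
    print("normal:", compare(*constructed_pairs(10, 1.0, 0.3, 0.5, 0.1)))
```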

5.4.3 Analysis and Improvement

• Assumptions

Assumptions such as no packet dropping and a maximum delay constraint are generally used by many stepping stone detection approaches [5, 8, 9, 10, 21]. However, these do not reflect real applications. Omar et al. [44] note that most of the papers presented assumed no packet loss, whereas packet loss does occur over a wide area network.

The two algorithms we propose rest only on the assumption of Poisson models, which are often used in the networking area. So APD and SAPD are better suited to Internet environments.

• Resisting chaff

The APD and SAPD algorithms depend on the RTTs obtained by the Estimation-Based (EBA) RTT getting Algorithm proposed in Chapter 3, which can filter unsymmetrical chaff packets. This means our algorithms are resistant to chaff.

• No parameters

There are no parameters in either of the two algorithms. This means we do not need to adjust any parameters according to different network situations, as most stepping stone detection approaches do. As a result, they are more practical than other detection approaches.

Table 5.4. Monitoring time expired processing in SAPD algorithm

SAPD_Monitor_Expired(UFCP, Count_ab, Count_correlated_ab)
  Calculate UFCP;
  CP = Count_correlated_ab / Count_ab;
  If (CP > UFCP)
    Return CORRELATED;
  Else
    Return NORMAL;

• Resisting jitter

Our algorithms can effectively resist jitter when UVCP or UFCP is well below, or even slightly below, 1. When UVCP or UFCP is close to 1, the gap between CP and UVCP or UFCP for a correlated connection pair is close to 0. From the preceding proof, we know that UVCP or UFCP will be 1 when the RTT difference is larger than the packet interval. In practice, however, it is hard to reduce the packet intervals, because the minimum packet interval is normally controlled by the OS and the network rather than by the attacker. It is comparatively easier to increase the RTT difference by adding jitter. However, the delay in stepping stone attacks is usually bounded [5]; in practice, a long delay can cause packets to be dropped. Furthermore, in interactive connections there is usually a certain order in which packets should arrive at the victim, and delaying earlier packets delays all subsequent packets. So the packet interval increases as jitter is added. Therefore, it is hard for attackers to push UVCP or UFCP close to 1 simply by adding jitter.

On the other hand, if such a large RTT difference does exist in practice, and we observe an abnormally large RTT on a connection, that connection can be assumed to be a jittered connection.

• Performance

The performance of APD is mainly affected by the calculation of $ucp(i, j)$. In SAPD, UFCP only needs to be calculated once, which means SAPD should be more efficient than APD.


• Improvement

Considering that CP for a correlated connection pair is normally close to 1, if UVCP or UFCP becomes smaller than a specified value (such as 0.2), we set UVCP or UFCP to that specified value. Thus, we can remove the inaccuracy of the probability calculation when there is only a small number of samples.

As RTT normally varies in a narrow range [56], we can use a single RTT in place of the mean RTT when calculating UFCP.

5.5 Experiment and Results

5.5.1 Experiment Design

5.5.1.1 Data Source

Packet timing or frequency features may be altered during packet transmission on the Internet by packet merging and packet dropping, especially when traffic is heavy. Data from a LAN environment or from simulation generally presents a one-to-one mapping of packets, which makes stepping stone detection easier. We use the genuine stepping stone dataset captured from the self-built connection chains on the Internet in Chapter 4.

This dataset includes two connection chains, each composed of 4 connections, which means there are a total of 16 normal connection pairs and 12 correlated connection pairs, with each connection lasting three minutes. Additionally, there is a retransmission rate of more than 7% for some connections, and the difference in packet numbers in some connection chains is more than 17%, which means there are many packet drops and merges during packet transmission on the connection chains. Therefore, the captured data can be considered Internet data with normal or even heavy traffic.

5.5.1.2 Testing Method

With the captured data we can run the stepping stone detection approaches from a start epoch of the captured data until a specified time (such as 60 seconds), and output the result for every pair of connections. More results can be obtained by selecting a different start epoch. We use every 500ms epoch along the data source as a start epoch in our experiments and ran all the start epochs we selected. Each run yields 28 results, giving a total of more than 4000 results with 60 seconds of monitoring time. From these results we can calculate the accuracy.

To test the impact of chaff, we created chaff-inserted data by introducing chaff packets into the original captured data at random times with different Chaff Rates (CR), where CR is the ratio of the number of introduced chaff packets to the number of original send packets. Then we ran the stepping stone detection approaches on the chaff-inserted data with different CRs to check the effect of chaff.

To test the impact of jitter, we modified the stepping stone detection algorithms. For the APD and SAPD algorithms, when we obtain the packet pairs by the RTT getting algorithm on the connection with the larger RTT, we subtract a random amount chosen from the interval [0, max Jitter] from the arrival epoch of the send packet in the packet pair. For the other stepping stone detection algorithms, because they only consider data from one direction, we directly added a random delay chosen from the interval [0, max Jitter] to the arrival epoch of each packet on one of the compared connections.

5.5.2 Experiment Results

5.5.2.1 APD

To begin with, we ran the APD algorithm on the original data source with different monitoring times; the accuracy is shown in Figure 5.2. We found that the accuracy increases as the monitoring time rises, because the computation of probability is based on large amounts of data. It even has the potential to reach 100% accuracy when the monitoring time is 50s.

[Figure 5.2: Accuracy (%) against Monitoring Time (s); series: jitter=0 chaff=0, jitter=1000 chaff=0, jitter=1000 chaff=0.4]

Figure 5.2. Accuracy for APD with monitoring time rising

As shown in Figure 5.2, we further tested the accuracy when jitter is added while running the APD algorithm on the original data source or on the chaff-inserted data. We found that the accuracy increases with the monitoring time when chaff and jitter are added as well. Even with a large jitter of 1000ms and a high chaff rate of 0.4, 100% accuracy can be achieved when the monitoring time is larger than 110s.

By the definition of UVCP, we know that UVCP will be close to 1, which makes it hard to detect stepping stones, when the RTT difference rises or the packet arrival rates rise (i.e. the packet interval time drops) on the compared connection pairs. As our analysis in 5.4.3 demonstrates, attackers find it hard to reduce the packet interval times.

[Figure 5.3: Rate (%) against Fixed delay (ms); series: CP, UVCP, True Positive]

Figure 5.3. The impact of correlated connection by fixed delay for APD


Next we show how UVCP and CP are affected by a varying RTT difference. To get a relatively steady RTT difference, we add a fixed delay instead of the random jitter described in 5.5.1.2. Adding a fixed delay does not change the packet interval time much; it only changes the RTT difference.

We then ran the APD algorithm with different fixed delays added to the original data source. Figure 5.3 shows CP and UVCP varying for correlated connection pairs in one of the monitoring time slots as the fixed delay rises. The monitoring time in Figure 5.3 is 120 seconds. The total true positive rate against the different fixed delays is also shown in Figure 5.3. We found that the CP for correlated connection pairs is always very high (more than 90%), but UVCP increases and approaches CP as the fixed delay (i.e. the RTT difference) rises.

[Figure 5.4: Rate (%) against Fixed delay (ms); series: CP, UVCP, True Negative]

Figure 5.4. The impact to a normal connection by fixed delay for APD


Most importantly, we found that the true positive rate dropped significantly when the fixed delay was larger than 1600ms, which we call the dropping point. In addition, at the dropping point the RTT difference is around 1700ms and the packet interval on the connection with the larger RTT is around 1500ms. Therefore, APD can obtain high accuracy when the RTT difference is not much larger than the packet interval time. This is in accordance with the preceding proof and analysis, which show that it is hard for attackers to make the RTT difference larger than the packet interval time simply by adding jitter.

Figure 5.4 shows the varying CP, UVCP and true negative rate for normal connection pairs. We found that the variation of CP and UVCP is almost identical, with UVCP always slightly higher than CP, which demonstrates Theorem 5.1 in practice. The true negative rate stays relatively high, which means the accuracy is mainly decided by the true positive rate.

[Figure 5.5: Rate (%) against Max Jitter (ms); series: CP, UVCP, True Positive]

Figure 5.5. The impact to correlated connections by jitters for APD


Following this, we ran the APD algorithm with jitter added to the original data source in order to find the impact of random delay. Figures 5.5 and 5.6 show the variation of CP, UVCP, true positive and true negative for correlated connection pairs and normal connection pairs respectively. The results are nearly the same as those for a fixed delay, and the true positive rate also dropped significantly when the max jitter was larger than 1600ms, although it dropped more slowly than with a fixed delay. This is because the average RTT difference under jitter is only around half of the RTT difference under a fixed delay when the max jitter and the fixed delay are the same. Therefore, the true positive rate dropped relatively slowly for jitter. However, due to the similar maximum delay, the dropping point for the fixed delay and the random jitter was the same.

Figure 5.6. The impact to normal connection by jitters for APD (plot: x-axis Max Jitter (ms) from 0 to 5000, y-axis Rate (%) from 0 to 100; series CP, UVCP, True Negative)


5.5.2.2 SAPD

In order to test SAPD, we first tested its accuracy with different monitoring times. Figure 5.7 shows the accuracy for SAPD. We found that the accuracy increases as the monitoring time rises: it reaches 100% when the monitoring time is 50s for the case of no jitter and chaff, and it also reaches 100% when the monitoring time is 100s with big jitter (1000ms) and a high chaff rate (0.4). These results coincide with those for APD.

Next we tested how UFCP, CP, true positive and true negative are affected by fixed delay and random delay. Figures 5.8 and 5.9 show the results for fixed delay, and Figure 5.10 shows the result compared with APD. From Figures 5.8 and 5.10, we found that the true positive for SAPD begins to drop significantly from a smaller dropping point than APD. The UFCP for SAPD rises slightly quicker than the UVCP for APD, which is the reason why the true positive for SAPD starts to drop significantly from a smaller fixed delay than APD. From Figure 5.9, we found the true negative stays at 100%, even though the UFCP for SAPD rises slightly quicker than the UVCP for APD.

Figure 5.7. Accuracy for SAPD with monitoring time increasing (plot: x-axis Monitoring Time (s) from 10 to 120, y-axis Accuracy (%) from 0 to 100; series jitter=0 chaff=0, jitter=1000 chaff=0, jitter=1000 chaff=0.4)

Figure 5.8. The impact to correlated connections by fixed delay for SAPD (plot: x-axis Fixed delay (ms) from 0 to 2000, y-axis Rate (%) from 0 to 100; series UFCP, CP, True Positive)

Figure 5.9. The impact to normal connections by fixed delay for SAPD (plot: x-axis Fixed delay (ms) from 0 to 2000, y-axis Rate (%) from 0 to 100; series UFCP, CP, True Negative)

Figure 5.10. Comparing APD and SAPD by fixed delay (plot: x-axis Fixed delay (ms) from 0 to 2000, y-axis Rate (%) from 0 to 100; series UFCP for SAPD, UVCP for APD, True Positive for SAPD, True Positive for APD)

Figure 5.11. Comparing APD and SAPD by jitter (plot: x-axis Max Jitter (ms) from 0 to 3000, y-axis Rate (%) from 0 to 100; series UFCP for SAPD, True Positive for SAPD, UVCP for APD, True Positive for APD)

Figure 5.12. Impact to correlated connections by jitter with SAPD (plot: x-axis Max Jitter (ms) from 0 to 3000, y-axis Rate (%) from 0 to 100; series UFCP, CP, True Positive)

Figure 5.13. Impact to normal connections by jitter with SAPD (plot: x-axis Max jitter (ms) from 0 to 3000, y-axis Rate (%) from 0 to 100; series UFCP, CP, True Negative)


Figures 5.12 and 5.13 show the results for jitter, and Figure 5.11 shows the results compared with APD. We find that the true positive for SAPD drops quicker than for APD.

As a result, we conclude that the accuracy for SAPD starts to drop significantly from a smaller dropping point than for APD, and that its accuracy drops quicker than APD's. Therefore, APD is more suitable than SAPD for detecting connections when there are relatively big jitters.

5.5.2.3 Accuracy Comparison

We compared our methods and previous approaches from four perspectives:

1. The accuracy for identifying normal connections and correlated connections

2. The accuracy for identifying normal connections and correlated connections

with inserted chaffs

3. The accuracy for identifying normal connections and correlated connections

with added jitters

4. The accuracy for identifying normal connections and correlated connections

with both the insertion of chaffs and the addition of jitters

Table 5.5. Parameters values for sketching and S-III

Approach Parameters

Sketching slot=1500ms thresh=71

S-III max delay = 3000ms


For previous approaches, we selected and implemented sketching and S-III. S-III was proposed by Zhang et al. [9], whose experiments demonstrated that it is more effective in detecting stepping stones with jitter and chaff than most other methods. Sketching [35] is the latest approach and is, to some extent, resistant to both chaff and packet jitter. During the experiments, we found that the results of sketching and S-III are largely affected by their parameters; with the parameters shown in Table 5.5 we achieved the best results for them.

To cover the above four cases, we ran the stepping stone detection approaches on the original captured data or on the chaff-inserted data, each with or without added jitter.

Figure 5.14 shows the accuracy on the original data for different monitoring times. We find that both APD and SAPD have around 95% accuracy when the monitoring time is 10 seconds, and this increases to 100% accuracy when the monitoring time is larger than 50s. The accuracy for sketching is around 70% when the monitoring time is 10 seconds, and this increases to 100% accuracy when the monitoring time is larger than 70s. The normal accuracy for S-III is only around 80%.

Figure 5.14. Accuracy with no jitter and chaff (plot: x-axis Monitoring time (s) from 10 to 120, y-axis Accuracy (%) from 0 to 100; Max jitter=0ms, Chaff rate=0; series SAPD, APD, sketching, S-III)

Figure 5.15 shows the accuracy on chaff-inserted data for different chaff rates when the monitoring time is 60 seconds. We find that APD and SAPD are hardly affected by chaffs, and sketching is only affected to a small degree by chaff packets, while the accuracy of S-III drops significantly as the chaff rate rises.

The accuracy on the original data with different jitter added, with a monitoring time of 60 seconds, is shown in Figure 5.16. It shows that APD, SAPD and S-III are rarely affected by jitters, while the accuracy of sketching drops significantly as the max jitter rises.

Figure 5.15. Accuracy with chaff only (two panels: x-axis Chaff rate from 0 to 0.8, y-axis Accuracy (%); Monitoring time=60s, Max jitter=0ms; series APD, SAPD, sketching, S-III)


Figure 5.17 shows the accuracy on chaff-inserted data (chaff rate 0.4) with 1000ms max jitter added. From Figure 5.17, we find that the accuracy for SAPD and APD is around or above 90%, while the other methods have an accuracy of around 65% when the chaff rate is 0.4 and the max jitter is 1000ms. In addition, SAPD and APD reach around 100% accuracy if the monitoring time is long enough. Meanwhile, SAPD is slightly more effective than APD in resisting chaff and jitter.

Figure 5.16. Accuracy with jitter only (plot: x-axis Max jitter (ms) from 0 to 1000, y-axis Accuracy (%) from 0 to 100; Monitoring time=60s, Chaff rate=0; series APD, SAPD, Sketching, S-III)

Figure 5.17. Accuracy with chaff and jitter (plot: x-axis Monitoring time (s) from 10 to 120, y-axis Accuracy (%) from 0 to 100; Max jitter=1000ms, chaff rate=0.4; series APD, SAPD, Sketching, S-III)

5.6 Summary

In this chapter, based on the two Poisson process models, we formulated and proved two separate upper bounds on the probability that normal connections present the timing causality of correlated connections. Based on these two upper bounds, we proposed the APD and SAPD algorithms, which can detect stepping stones accurately even with large jitters and a high chaff rate. Compared to APD, SAPD has lower computation costs, but its accuracy drops quicker than APD's when jitters are relatively big. Our experiments show that both APD and SAPD are more resistant to chaffs and jitters than sketching and S-III, which previous research showed to have high resistance to chaffs and jitters. At the same time, both APD and SAPD maintain a high accuracy for the detection of data with no chaffs or jitters.

Chapter 6

Experimental Analysis for Stepping Stone Detection Approaches

Many network-based passive stepping stone detection approaches have been discussed in this thesis. However, there are still two big issues with previous experimental designs. One is the lack of application in Internet environments. The other is the absence of highly quantitative comparative studies. In this chapter, we implement 13 stepping stone detection algorithms, extract the SSH data from public traces that have millions of packets, and obtain genuine stepping stone connection chain data from the Internet. We establish a set of criteria and run these algorithms through several scenarios with different datasets. Based on the experimental results and analysis, we give our conclusions on the real-time application of stepping stone detection approaches, on their accuracy, and on the impact of their assumptions, of chaffs and of jitters. In addition, we give suggestions for improving some stepping stone detection approaches.


6.1 Introduction

Since the problem of stepping stones was first discovered by Staniford-Chen and

Heberlein [1], many network-based passive approaches have been proposed to detect

encrypted stepping stones. However, there are still two big issues for the previous

experimental design.

Firstly, experiments should be conducted in Internet environments, a point raised in the two stepping stone survey papers [15] and [100]. Currently, most research has been conducted in a lab environment, such as by running simulations on a local area network (LAN) or with simulated data. These are ideal situations; on the Internet, queuing delays and packet drops occur, as shown in [44]. The question remains: are stepping stone approaches suitable for this situation, especially when some of them assume there is no packet drop?

Secondly, highly quantitative comparative studies are needed. Currently most research does not compare against previous methods; in fact some only do the analysis in theory. Even where approaches did compare results, they used insufficient criteria, so the comparisons are unconvincing. Zhang et al. in [9] compared their four algorithms with five previous algorithms, however their experiments were not based on genuine stepping stone data. Although they used public SSH data, it cannot simulate genuine stepping stone data, especially since there is no packet drop in their simulation.

In this chapter, our aim is to present highly quantitative comparative experimental results using various testing methods with multiple datasets, including a genuine Internet stepping stone dataset. To achieve this, we implement a total of 13 algorithms, extract the SSH data from public traces that have millions of packets, and obtain data from genuine stepping stone connection chains on the Internet. We also establish a set of criteria and run these algorithms with different durations, drop rates, chaff rates, delays and jitters. In addition, based on the experimental results, we provide answers to the following questions:

1. Can the approaches, with the assumption of no packet drops, be applied in real

Internet environments?

2. Which approaches have high accuracy?

3. Which approaches have high accuracy during a short duration?

4. Which approaches can resist chaffs or jitters?

The rest of this chapter is organised as follows. In Section 6.2, we introduce the

design of our experiments, including the implementation of stepping stone detection

approaches, private dataset and public dataset. Section 6.3 provides an analysis of

comparative experimental results. Finally, in Section 6.4, we provide a summary of

this chapter.

6.2 Design of Experiments

6.2.1 The Implementation of Stepping Stone Detection Approaches

We implemented most of the network-based passive stepping stone detection approaches, including ON/OFF [2], Deviation [3], IPD [4], DA [8], DMV [21], DM [10], S-I [9], S-II [9], S-III [9], S-IV [9], sketching [35], PDBC, APD and SAPD. The essence of DM [10] is the same as S-I [9], therefore we only show the results of S-I later in the analysis and experiments. The details of every algorithm can be found in previous chapters. In this section, we only concentrate on the differences between our implementation and the original algorithms, on real-time application analysis and on the definition of parameters.

Most algorithms do not indicate the length of connection streams or how many packets they need to detect stepping stones. Therefore, we added a duration parameter to every algorithm. The duration parameter is the amount of time the connection streams last for every detection process. In real-time application, duration means the monitoring time for stepping stone connections. For the same duration, the algorithm with the higher accuracy is considered the better one. A larger duration means more processing and more monitoring time, i.e. slower responsiveness. Therefore, for application in Internet environments, we prefer the algorithm with the highest accuracy for the shortest duration.

Real-time application means less storage and lower one-off computing demands. If an algorithm has a multi-layer loop over all packets from the beginning of the duration, it needs to store all packets during the duration and can only perform the detection process once all packets are collected. Therefore, this kind of algorithm is not suited to real-time application.

Before we introduce all the algorithms, we list the parameters of every algorithm in Table 6.1. PDBC, APD and SAPD are the approaches proposed in Chapter 4 and Chapter 5, so we will not go into any further detail on them.

Chapter 6 Experimental Analysis for Stepping Stone Detection Approaches

121

The ON/OFF approach proposed by Zhang et al. [2] is the first approach designed

to detect encrypted stepping stone data. In their approach, they calculated the

correlation of different connections by using each connection’s OFF periods. The

design is simple and the correlated OFF period can be calculated in real-time.

Table 6.1. Parameters of stepping stone detection approaches

Approach | Parameter | Denotation
ON/OFF | idleT | When there is no data traffic on a connection for more than idleT, the connection is considered to be in an OFF period
ON/OFF | � | Two OFF periods are correlated if their ending times differ by ��
ON/OFF | � | If the ratio of the number of correlated OFF periods to the smaller number of OFF periods in one of the compared connections ��, then the two compared connections are correlated connections
Deviation | dev | If the deviation calculated from connection b to connection a dev�, a and b are correlated connections
IPD | Window size | The number of packets used to calculate correlation points
IPD | CP� | Maximum correlation points value
IPD | � | Correlation value threshold
DA/DMV | p� | Maximum number of packets that may be sent in the maximum tolerable delay bound
S-I (DM)/S-III | � | Maximum tolerable delay bound
S-II/S-IV | � | Maximum tolerable delay bound
S-II/S-IV | other | Depends on the approach it is used together with
Sketching | TSL | The length of the time slots forming the time axis
Sketching | # | If the sketch difference between two connections #�, the two connections are considered correlated connections
PDBC | � | Maximum packet delay difference in both directions
PDBC | � | Maximum correlated rate
APD/SAPD | No | No


However it does have several parameters, and these parameters should be adjusted for different network situations, especially the � parameter, which determines whether two OFF periods are correlated. In application, � should be larger than the difference in arrival time of the same packet on the two compared connections. For satellite links it may need to be a significant value, but for a LAN link a very small one. An inappropriate selection of � will cause ON/OFF to fail to detect stepping stones. But it is possible to improve ON/OFF automatically by calculating � from the streams with the EBA algorithm (as proposed in Chapter 3).
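The ON/OFF correlation just described, as an added example rather than code from the thesis or from the original ON/OFF paper. The page's parameter symbols are garbled in extraction, so the ending-time tolerance is called delta and the ratio threshold gamma here, as an assumption; the arrival times are constructed, not captured. The last call shows the failure mode discussed above: a delta sized for a LAN misses a pair relayed with Internet-scale delay.

```python
"""ON/OFF correlation of two connections by their OFF periods (added example)."""
from typing import List, Tuple

OffPeriod = Tuple[float, float]  # (start epoch, end epoch) in seconds


def off_periods(arrivals: List[float], idle_t: float) -> List[OffPeriod]:
    """An OFF period is a gap between consecutive packet arrivals longer
    than idle_t; it ends when the next packet arrives."""
    return [(prev, cur) for prev, cur in zip(arrivals, arrivals[1:])
            if cur - prev > idle_t]


def correlated_off_count(offs_a: List[OffPeriod], offs_b: List[OffPeriod],
                         delta: float) -> int:
    """Number of OFF periods of a whose ending time lies within delta of the
    ending time of an OFF period of b. Ending times are walked in order and
    each period is matched at most once."""
    ends_a = sorted(end for _, end in offs_a)
    ends_b = sorted(end for _, end in offs_b)
    i = j = matched = 0
    while i < len(ends_a) and j < len(ends_b):
        diff = ends_a[i] - ends_b[j]
        if abs(diff) <= delta:
            matched += 1
            i += 1
            j += 1
        elif diff < 0:   # a's period ends too early: advance a
            i += 1
        else:            # b's period ends too early: advance b
            j += 1
    return matched


def on_off_correlated(arr_a: List[float], arr_b: List[float],
                      idle_t: float, delta: float, gamma: float) -> Tuple[bool, float]:
    """Return (verdict, ratio). The pair is correlated when the number of
    correlated OFF periods divided by the smaller OFF-period count reaches gamma."""
    offs_a = off_periods(arr_a, idle_t)
    offs_b = off_periods(arr_b, idle_t)
    smaller = min(len(offs_a), len(offs_b))
    if smaller == 0:
        return False, 0.0
    ratio = correlated_off_count(offs_a, offs_b, delta) / smaller
    return ratio >= gamma, ratio


# Constructed sample arrival times (seconds), not captured data: an interactive
# session with typing pauses, the same session relayed one hop downstream
# (each packet 110-130 ms later), and an unrelated connection.
UPSTREAM = [0.00, 0.05, 0.10, 0.90, 0.95, 2.20, 2.25, 2.30, 3.80, 3.85, 5.40]
DOWNSTREAM = [0.12, 0.17, 0.23, 1.03, 1.07, 2.33, 2.37, 2.43, 3.93, 3.96, 5.53]
UNRELATED = [0.00, 0.30, 0.60, 1.50, 1.55, 1.60, 3.10, 3.15, 4.50, 4.55]

if __name__ == "__main__":
    # idleT = 0.5 s, delta = 0.2 s, gamma = 0.7
    print(on_off_correlated(UPSTREAM, DOWNSTREAM, 0.5, 0.2, 0.7))   # (True, 1.0)
    print(on_off_correlated(UPSTREAM, UNRELATED, 0.5, 0.2, 0.7))    # (False, 0.0)
    # delta = 0.05 s, a LAN-sized tolerance: the relayed pair is missed
    print(on_off_correlated(UPSTREAM, DOWNSTREAM, 0.5, 0.05, 0.7))  # (False, 0.0)
```

The matching walks both sorted lists of OFF-period ending times once, so a detector can update it incrementally as OFF periods close, which is what makes ON/OFF usable in real time.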

The deviation algorithm proposed by Yoda et al. [3] uses the idea that the sequence

number vs. the time curves of correlated connections should be close to each other.

This algorithm is not designed for real-time application, since the computation is very

complex and all packet timing and sequence number information needs to be stored

during the duration.

IPD, as proposed by Wang et al. [4] uses the inter-packet delay of packets to

correlate connections. While it was designed for quick responsiveness it is not suitable

for real-time application, since finding the correlated point consumes too much time

and all inter-packet delay information needs to be stored during the duration.

DA [8] and DMV [21] are packet-number based algorithms. They assume there is no packet drop during the relay of stepping stones, and that all packets sent on the upstream connection arrive on the downstream connection within � (the maximum tolerable delay bound). The accuracy of their real application is doubtful because of this unrealistic assumption; however their design is simple and can be used in real time. The original DMV algorithm has a packet number parameter which indicates the number of packets required. In our implementation, we replaced it with duration. In the DA algorithm, there is an upper bound on the packet number computed from the parameter p�, which is the maximum number of packets that may be sent within the maximum tolerable delay bound. If the packet number during the duration is smaller than this upper bound, we output a non-correlated result.

S-I [9], S-II [9], S-III [9] and S-IV [9] are timing based approaches which have similar assumptions to DA and DMV, and therefore we doubt their accuracy in real application as well. In addition, the maximum tolerable delay parameter � in these algorithms loses its meaning in real application because some packets sent on the upstream connection may never appear on the downstream connection. On the other hand, S-I is not suitable for real-time application because there is a multi-layer loop over all packets from the beginning of the duration. S-II and S-IV perform packet filtering first, but they have to be used together with other approaches. So, whether S-II and S-IV can be used in real-time application depends on the algorithms used with them. In our implementation, we follow [9] and use the Deviation [3] approach with S-II and S-IV.

The sketching approach proposed by Coskun et al. [35] is based on succinct packet-timing sketches of network streams. Coskun et al. claim that it can be run efficiently in real time. However they did not consider the choice of time-slot length for calculating the sketches. In our later experiments, we found that the selection of the time-slot length parameter TSL significantly affected the accuracy of sketching. In addition, the correct selection of TSL is related to the inter-packet delay on the connections. Therefore, the sketching approach can be improved by automatically calculating the TSL parameter from every actual connection stream.

From the above analysis, we conclude that IPD, Deviation and S-I (DM) are not suitable for real-time application.

6.2.2 Private Dataset

Genuine stepping stone data from the Internet is the best source of data for testing the

real application of stepping stone detection approaches. However, it is very difficult to

get a publicly available stepping stone dataset. Even if you do find one, it is very

difficult to prove it really is a stepping stone without TCP content.

Therefore, we used our captured genuine stepping stone dataset from the self-built connection chains on the Internet from Chapter 4. This dataset includes two connection chains, each composed of four connections, with every connection lasting three minutes. This dataset can be considered ideal data for testing stepping stone detection approaches, in that:

1. It is genuine stepping stone data, and we know in advance which connections are correlated connections and which are normal connections. There are a total of 16 normal connection pairs and 12 correlated connection pairs. In addition, there are not only neighbouring correlated connections (connections relayed by one stepping stone), but also remote correlated connections (connections relayed by multiple stepping stones).


2. There are more than 7% retransmitted packets on some connections, which is higher than the normal 1%-6% Internet retransmission rate [53], and the packet number difference in some connection chains is more than 17%. This means there are many packet drops and merges during packet transmission on the connection chains.

Similar to the methods introduced in Chapter 4, we ran the stepping stone detection approaches on this dataset from a specified starting epoch for a specified duration, and then output the result for every connection pair. In order to obtain more results, every 500ms along the stream was selected as a starting epoch. For example, for every correlated or normal connection pair there were 240 results for a 60-second duration on the three-minute captured dataset. This gave us a total of 240*(12+16) results for a 60-second duration. From these results we obtained the accuracy, which is the ratio of the number of correct results to the total number of results.
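The sliding-start scoring procedure above, and the true positive and true negative ratios defined for the public dataset in Section 6.2.3, as an added example that is not the thesis's own harness. The detector passed in is a hypothetical stand-in that only compares packet counts, chosen so the harness has something to score; the three-minute traces are constructed, not captured. With a 180-second trace, a 60-second duration and a 500 ms step it produces the 240 results per pair the text describes.

```python
"""Sliding-start evaluation of a stepping stone detector (added example)."""
from typing import Callable, Dict, List, Tuple

Trace = List[float]                          # packet arrival epochs (s)
Detector = Callable[[Trace, Trace], bool]    # True = "correlated"
Pair = Tuple[Trace, Trace, bool]             # (conn a, conn b, truly correlated?)


def window(trace: Trace, start: float, duration: float) -> Trace:
    """Packets arriving in [start, start + duration)."""
    return [t for t in trace if start <= t < start + duration]


def evaluate(pairs: List[Pair], detector: Detector, duration: float,
             trace_len: float, step: float = 0.5) -> Dict[str, float]:
    """Run the detector from every starting epoch 0, step, 2*step, ... whose
    window fits in the trace. Accuracy = correct results / all results;
    true positive and true negative are the per-class ratios, which matter
    when correlated and normal pairs are badly unbalanced."""
    n_starts = int((trace_len - duration) / step)   # 240 for 180 s, 60 s, 0.5 s
    tp = tn = n_pos = n_neg = 0
    for a, b, correlated in pairs:
        for k in range(n_starts):
            start = k * step
            verdict = detector(window(a, start, duration), window(b, start, duration))
            if correlated:
                n_pos += 1
                tp += verdict
            else:
                n_neg += 1
                tn += not verdict
    total = n_pos + n_neg
    return {"results": total,
            "accuracy": (tp + tn) / total,
            "true_positive": tp / n_pos if n_pos else 0.0,
            "true_negative": tn / n_neg if n_neg else 0.0}


def count_detector(a: Trace, b: Trace) -> bool:
    """Hypothetical stand-in detector used only to exercise the harness:
    flags a pair when both windows carry traffic and the packet counts
    nearly agree. It cannot tell a relayed stream from an unrelated stream
    with the same rate, which the evaluation below makes visible."""
    return bool(a) and bool(b) and abs(len(a) - len(b)) <= 2


# Constructed 3-minute traces, not captured data: A is a 2 pkt/s stream,
# B is A relayed 100 ms later, C is an unrelated 2.7 pkt/s stream, and D is
# an unrelated stream that happens to share A's rate.
A = [0.5 * m for m in range(360)]
B = [t + 0.1 for t in A]
C = [0.37 * m for m in range(486)]
D = [t + 0.25 for t in A]
PAIRS: List[Pair] = [(A, B, True), (A, C, False), (A, D, False)]

if __name__ == "__main__":
    # 720 results: all of A-B correct, all of A-C correct, all of A-D wrong
    print(evaluate(PAIRS, count_detector, duration=60.0, trace_len=180.0))
```

Because accuracy pools both classes, the A-D false positives cost a third of the score while the true positive rate stays at 100%; reporting true positive and true negative separately, as the text does for the public dataset, shows where the detector actually fails.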

Besides the natural packet drops, packet merges and packet retransmissions during packet transmission, chaffs and jitters may be added by attackers to evade detection. To test the impact of chaffs, we created chaff-inserted data by introducing chaff packets into the original captured data at random times with different chaff rates, where the chaff rate is the ratio of the number of introduced chaff packets to the number of original send packets. We then followed a similar method to that used for the original dataset, running the stepping stone detection approaches on the chaff-inserted data to check the impact of chaffs.

To test the impact of jitters, we modified the stepping stone detection algorithms. For APD and SAPD, once the packet pairs had been obtained by the RTT extraction algorithm on the connection with the larger RTT, we subtracted a random number chosen from the interval [0, max Jitter] from the arrival epoch of the send packet in each packet pair. For the other stepping stone detection algorithms, because they only consider data from one direction, we directly added a random delay chosen from the interval [0, max Jitter] to the arrival epoch of each packet on one of the compared connections.

This means that, using the real stepping stone dataset, we can test:

1. How accurate a stepping stone detection approach can be for real Internet applications.

2. The impact of chaffs on stepping stone detection approaches.

3. The impact of jitters on stepping stone detection approaches.

6.2.3 Public Dataset

To confirm and reinforce the experimental results from the private dataset, we separately extracted one of the longest SSH connections from each of four different Auckland-VIX traces [52] captured in 2008, with every extracted connection lasting about 30 minutes. Since correlated connections must occur during the same time period, we set the arrival time of the first packet of every extracted connection to zero, and changed the arrival time of every later packet on that connection to its delay relative to the first packet. We refer to these four extracted connections as the original connections.

Next, we created the correlated connections for the original connections by subtracting a send delay from the arrival epoch of send packets and adding an echo delay to the arrival epoch of echo packets. The send delay and the echo delay can be different, and each is the sum of a specified fixed delay and a jitter, which is a random amount chosen from the interval [0, maxDelay]. If the created arrival epoch for a send or echo packet is earlier than the arrival epoch of the preceding send or echo packet, we use the preceding arrival epoch plus 1 microsecond as the created arrival epoch. This gives us four correlated connection pairs. We refer to these four created connections as the upstream connections.

Since every original connection is extracted from a different trace, they should be uncorrelated, and the same holds for the upstream connections. Apart from the above four correlated connection pairs, every other connection pair among the four original connections and four upstream connections is a normal connection pair.

For the four original connections and the four upstream connections, we follow the procedure used for the private dataset, obtain the stepping stone detection results and calculate the accuracy. Since the difference between the number of correlated connection pairs and the number of normal connection pairs is large, the accuracy sometimes cannot reflect the actual results. We therefore also use the true positive (the ratio of correlated connections correctly judged as correlated connections) and the true negative (the ratio of normal connections correctly judged as normal connections) to complement the accuracy.

Packet drops are inevitable during packet relay on stepping stones. To simulate this, we selectively deleted packets from the original connections with a specified drop rate, the ratio of the number of deleted packets to the number of original packets. It should be noted that deleting packets from the upstream connections gives a different result from deleting packets from the original connections: deleting packets from the upstream connections is similar to adding chaffs. We refer to these four created connections as the drop connections. For the four drop connections and four upstream connections, we follow the previous procedure and obtain results based on accuracy.
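The dataset transformations described for the private dataset (chaff insertion, one-direction jitter) and for the public dataset (rebasing to a zero start, deriving the upstream connection with send and echo delays, and packet dropping), gathered into one added example that is not the thesis's own tooling. A connection is a list of (arrival epoch, direction) pairs; the sample trace is constructed, not captured; the seed parameters exist only to make the random variants reproducible; and the rule that a created epoch earlier than its predecessor becomes the predecessor plus 1 microsecond is applied per direction, which is an assumption about the text.

```python
"""Chaffed, jittered, upstream and drop variants of a connection (added example)."""
import random
from typing import List, Tuple

Packet = Tuple[float, str]   # (arrival epoch in seconds, "send" or "echo")


def rebase(conn: List[Packet]) -> List[Packet]:
    """Shift arrival epochs so the first packet arrives at epoch 0."""
    t0 = conn[0][0]
    return [(t - t0, d) for t, d in conn]


def insert_chaff(conn: List[Packet], chaff_rate: float, seed: int = 0) -> List[Packet]:
    """Add chaff send packets at random epochs inside the trace; chaff_rate is
    the number of chaff packets divided by the number of original send packets."""
    rng = random.Random(seed)
    n_send = sum(1 for _, d in conn if d == "send")
    lo, hi = conn[0][0], conn[-1][0]
    chaff = [(rng.uniform(lo, hi), "send") for _ in range(round(chaff_rate * n_send))]
    return sorted(conn + chaff)


def add_jitter(conn: List[Packet], max_jitter: float, seed: int = 0) -> List[Packet]:
    """Delay every packet by a random amount in [0, max_jitter]: the
    one-direction treatment used for algorithms other than APD and SAPD."""
    rng = random.Random(seed)
    return sorted((t + rng.uniform(0.0, max_jitter), d) for t, d in conn)


def make_upstream(conn: List[Packet], send_delay: float, echo_delay: float,
                  max_delay: float, seed: int = 0) -> List[Packet]:
    """Derive the upstream side of a correlated pair: send packets arrive
    earlier by send_delay + jitter, echo packets later by echo_delay + jitter,
    jitter uniform in [0, max_delay]. A created epoch that would not follow
    the preceding packet of the same direction becomes that epoch + 1 us."""
    rng = random.Random(seed)
    out: List[Packet] = []
    last = {"send": None, "echo": None}
    for t, d in conn:
        jitter = rng.uniform(0.0, max_delay)
        t2 = t - (send_delay + jitter) if d == "send" else t + (echo_delay + jitter)
        if last[d] is not None and t2 <= last[d]:
            t2 = last[d] + 1e-6
        last[d] = t2
        out.append((t2, d))
    return sorted(out)


def drop_packets(conn: List[Packet], drop_rate: float, seed: int = 0) -> List[Packet]:
    """Delete a random subset; drop_rate is deleted packets / original packets."""
    rng = random.Random(seed)
    doomed = set(rng.sample(range(len(conn)), round(drop_rate * len(conn))))
    return [p for i, p in enumerate(conn) if i not in doomed]


def direction_monotone(conn: List[Packet]) -> bool:
    """True when arrival epochs strictly increase within each direction."""
    last = {}
    for t, d in conn:
        if d in last and t <= last[d]:
            return False
        last[d] = t
    return True


# Constructed interactive SSH-like trace (keystroke sends and their echoes),
# starting at an arbitrary capture epoch so rebase() has work to do.
SAMPLE: List[Packet] = [
    (10.000, "send"), (10.180, "echo"), (10.250, "send"), (10.430, "echo"),
    (11.100, "send"), (11.120, "send"), (11.290, "echo"),
    (12.400, "send"), (12.580, "echo"), (12.900, "send"),
]

if __name__ == "__main__":
    orig = rebase(SAMPLE)
    print(make_upstream(orig, send_delay=0.2, echo_delay=0.05, max_delay=0.05))
    print(insert_chaff(orig, chaff_rate=0.4))
    print(add_jitter(orig, max_jitter=1.0))
    print(drop_packets(orig, drop_rate=0.2))
```

The two closely spaced sends at 1.100 s and 1.120 s are where the ordering rule matters: with jitter up to 50 ms the second created send epoch can land before the first, and without the fix the upstream trace would contain a reordering that no real relay produces.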

During our experiments, we generated four dataset groups: one group composed of the four original connections and four upstream connections with a small delay (100ms) and small jitter (20ms); one group composed of the four original connections and four upstream connections with a big delay (200ms) and big jitter (50ms); one group composed of the four original connections and four upstream connections with big jitter (50ms) and asymmetrical delay (send delay 200ms, echo delay 50ms); and finally the last group, composed of the four drop connections with a drop rate of 0.2 and four upstream connections with the larger delay (200ms) and larger jitter (50ms).

Figure 6.1. True positive for DA and DMV by public dataset (two panels, DA and DMV: x-axis Duration (s) from 100 to 600, y-axis True positive (%) from 0 to 100; series delay=100ms, jitter=20ms, drop rate=0; delay=200ms, jitter=50ms, drop rate=0; delay=200ms, jitter=50ms, drop rate=0.2)

By using the public dataset, we can test:

1. The accuracy of a stepping stone detection approach if there is no packet drop.

2. The impact of packet drops on a stepping stone detection approach.

3. The impact of delays on a stepping stone detection approach.

Figure 6.2. Accuracy for DA and DMV by private dataset (plot: x-axis Duration (s) from 20 to 140, y-axis Accuracy (%) from 50 to 100; series DA, DMV)


6.3 Evaluation Results

6.3.1 The Approaches having Maximum Delay Assumption

6.3.1.1 Packet Number Based Approaches

DA [8] and DMV [21] are stepping stone detection approaches based on packet numbers. Both assume there is no packet drop during the relay of stepping stones, and that all packets sent on the upstream connections arrive on the downstream connections within the maximum tolerable delay. We first tested them using the public dataset, with the p� parameter set to three. As shown in Figure 6.1, if there is no packet drop they can reach close to 100% true positive with a very large duration (600s), but their true positive is lower than 50% with a small duration (100s). Also, as shown in Figure 6.1, their true positive is close to zero for a 200ms delay, 50ms jitter and a 0.2 drop rate. By changing p� and the duration to larger values, they can still achieve a high true positive when there is no packet drop. However, when there are packet drops, their true positive remains low even if we adjust p� and the duration.

Figure 6.2 shows the accuracy on the private dataset. We still set the p� parameter to three, because this gives the highest accuracy. As shown in Figure 6.2, the accuracy of both DA and DMV is not high, because there are packet drops in the private dataset.

Figure 6.3. True positive and true negative for S-I and S-III by public dataset (four panels: true negative for S-I and for S-III, true positive for S-I and for S-III; x-axis Duration (s) from 100 to 600, y-axis rate (%) from 0 to 100; series drop rate=0, drop rate=0.2)

6.3.1.2 Timing Based Approaches

S-I [9], S-II [9], S-III [9] and S-IV [9] have the same assumption as DA and DMV, but are timing based stepping stone detection approaches.

[Figure 6.4 plot omitted in extraction: x-axis Duration(s) 20 to 120, y-axis Accuracy(%) 0 to 100, series S-I (Max delay = 6s) and S-III (Max delay = 3s)]

Figure 6.4. Accuracy for S-I and S-III by private dataset

Figure 6.3 shows the results by the public dataset with a delay of 200ms and a jitter of 50ms. Both S-I and S-III have their max delay parameter set to 300ms. Both can reach 100% accuracy if there is no packet drop and the duration is very large (600s). However, when the duration is small (100s), the true negative is lower than 50%. In addition, the true positive drops to nearly 0 for a 600s duration when the drop rate is 0.2.

Figure 6.4 shows the results by the private dataset with a 6s maximum delay parameter (� ) for S-I and a 3ms maximum delay parameter (� ) for S-III. We can see that S-I almost reaches 100% accuracy when the duration is larger than 110s, but such an abnormally large max delay parameter loses the meaning of its definition. On the other hand, the maximum accuracy of S-III is only 90%, because there are packet drops during the relay of stepping stones.

[Figure 6.5 plot omitted in extraction: x-axis Duration(s) 20 to 140, y-axis Accuracy(%) 0 to 100, series Deviation, S-II and S-IV]

Figure 6.5. Accuracy for Deviation, S-II and S-III by private dataset

S-II and S-IV must be used together with other approaches; in our implementation the deviation approach was selected. The function of S-II and S-IV is to filter packets by their maximum delay constraints before the other approaches run. Initially we tested whether their filtering can improve the accuracy of other approaches and whether they can filter out chaff and jitter. By the private dataset, with a 5000ms maximum delay parameter (� ) for S-II and S-IV and a dev parameter of 500 for S-II, S-IV and deviation, we achieved the accuracy shown in Figure 6.5. We found that they improve the accuracy fractionally but not significantly, since the existence of packet drops destroys the maximum delay constraint.

[Figure 6.6 plot omitted in extraction: x-axis Chaff rate 0 to 0.8, y-axis Accuracy(%) 50 to 100, series S-I, S-II, S-III and S-IV]

Figure 6.6. Accuracy for S-I, S-II, S-III and S-IV by private dataset with different chaff rate

We also obtained the accuracy results with a 60s duration but different chaff rates and jitters by the private dataset, as shown in Figures 6.6 and 6.7. We first discovered that S-II and S-IV were increasingly affected by chaffs and jitters, which means they were unable to filter them. Then we discovered that S-I and S-III were also affected by lots of chaff, which is inconsistent with the experimental results in [9]. [9] only added chaffs to the downstream connections, but in our experiments chaffs were added to both upstream and downstream connections. Adding chaffs only to downstream connections maintains the assumption of no packet drops, so in [9] S-II, S-III and S-IV maintain a high accuracy with chaffs. Lastly, S-I and S-III are not as affected by jitters, due to the abnormally large max delay parameter.

[Figure 6.7 plot omitted in extraction: x-axis Jitters(ms) 0 to 1000, y-axis Accuracy(%) 40 to 100, series S-I, S-II, S-III and S-IV]

Figure 6.7. Accuracy for S-I, S-II, S-III and S-IV by private dataset with different jitter

Therefore, we conclude that the approaches with a max tolerable delay assumption can achieve a high degree of accuracy when the duration is very large and there are no packet drops. Since packet drops exist in real environments, these approaches are not suitable for them.
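As an added illustration (not code from the thesis, and not the DA or DMV algorithms themselves), the following Python script models the no-packet-drop, maximum-tolerable-delay assumption in its simplest form and measures true positive, true negative and accuracy the way this chapter reports them. The 200ms delay, 50ms jitter and 0.2 drop rate come from the experiments above; the 300ms MAX_DELAY, the 1s mean inter-packet gap, the stream sizes and the PRNG seed are assumptions of the example, and every packet timestamp is constructed.

```python
"""Added illustration of the max-tolerable-delay assumption under packet loss.

Simplified stand-in, not the DA or DMV algorithms from the thesis: an
(upstream, downstream) pair is declared relayed when every upstream packet
can be matched, in order, to a downstream packet that arrives within
MAX_DELAY seconds after it. All stream data is constructed with a seeded PRNG.
"""
import random

MAX_DELAY = 0.3   # assumed maximum tolerable delay (s)
MEAN_GAP = 1.0    # assumed mean inter-packet gap of interactive traffic (s)


def make_upstream(n, rng, mean_gap=MEAN_GAP):
    """Constructed upstream send times with exponential inter-packet gaps."""
    t, times = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1.0 / mean_gap)
        times.append(t)
    return times


def relay(upstream, delay, jitter, drop_rate, rng):
    """Constructed downstream arrival times: each upstream packet is forwarded
    after delay +/- jitter, or silently dropped with probability drop_rate."""
    out = []
    for t in upstream:
        if rng.random() < drop_rate:
            continue                      # a dropped packet never appears downstream
        out.append(t + delay + rng.uniform(-jitter, jitter))
    return out


def matches_within_max_delay(upstream, downstream, max_delay=MAX_DELAY):
    """The assumption under test: every upstream packet must be followed by a
    downstream packet within max_delay. Greedy in-order matching; each
    downstream packet is consumed by at most one upstream packet."""
    j = 0
    for t in upstream:
        while j < len(downstream) and downstream[j] <= t:
            j += 1                        # too early to be this packet's relay
        if j == len(downstream) or downstream[j] - t > max_delay:
            return False
        j += 1
    return True


def evaluate(n_pairs, n_packets, delay, jitter, drop_rate, seed=1):
    """Return (true_positive_rate, true_negative_rate, accuracy) over n_pairs
    relayed pairs and n_pairs unrelated pairs. Accuracy assumes equal numbers
    of positive and negative pairs, an assumption of this illustration."""
    rng = random.Random(seed)
    tp = tn = 0
    for _ in range(n_pairs):
        up = make_upstream(n_packets, rng)
        down = relay(up, delay, jitter, drop_rate, rng)   # genuine relay
        tp += matches_within_max_delay(up, down)
        other = make_upstream(n_packets, rng)             # independent stream
        tn += not matches_within_max_delay(up, other)
    return tp / n_pairs, tn / n_pairs, (tp + tn) / (2 * n_pairs)


if __name__ == "__main__":
    # 200ms delay and 50ms jitter as in the experiments above; with no drops the
    # strict assumption holds for every relayed pair, with a 0.2 drop rate it never does.
    for drop in (0.0, 0.2):
        print("droprate=%.1f  (tp, tn, accuracy) =" % drop, evaluate(50, 100, 0.2, 0.05, drop))
```

Run as-is it prints one (true positive, true negative, accuracy) triple per drop rate. With no drops every relayed pair satisfies the constraint; with a 0.2 drop rate a single lost packet leaves the in-order matching one downstream packet short, so the genuine pair is rejected and the true positive collapses while the true negative is untouched, which is the shape of the results described above. Raising MAX_DELAY is the knob the S-I experiment turned (6s), and the text notes what that does to the parameter's meaning.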

6.3.2 Other Approaches

Initially, we ran every approach by the public dataset with a large duration of 600s, and achieved the accuracy shown in Figure 6.8. We can see that if there is no packet drop nearly all of them can reach 100% accuracy, except IPD: some of the inter-packet delays of the public dataset are in the order of 1s to 10s, which may mean IPD fails to get some threshold points.

[Figure 6.8 plot omitted in extraction: x-axis Approach (PDBC, APD, SAPD, ON/OFF, Sketching, Deviation, IPD), y-axis Accuracy(%) 0 to 100, scenario senddelay=100ms; echodelay=100ms; jitter=20ms; droprate=0]

Figure 6.8. Accuracy by public dataset with 600s duration

Figure 6.9 shows the true positive and true negative by the public dataset with a small duration of 100s. We can see that IPD and deviation have a relatively low accuracy and are also affected to a large degree by packet drops. For sketching, the true negative stays low, since the precise sketches inevitably hide some information of the packet streams when the duration is short.

When there is no drop, ON/OFF can still reach 100% accuracy for a small delay and jitter. However, with a big delay and jitter, its true positive drops to zero, since in our experiments the value of parameter � is the same for a small delay and a big delay. We attempted a bigger value for � , and found that ON/OFF can still reach 100% accuracy when there is no packet drop. Therefore, if the parameter can be calculated according to the streams, the accuracy of ON/OFF will improve significantly.

[Figure 6.9 plots omitted in extraction: two panels, x-axis Approach (PDBC, APD, SAPD, ON/OFF, Sketching, Deviation, IPD), y-axes True positive(%) and True negative(%) 0 to 100; scenarios senddelay=100ms;echodelay=100ms;jitter=20ms;droprate=0, senddelay=200ms;echodelay=200ms;jitter=50ms;droprate=0, senddelay=200ms;echodelay=50ms;jitter=50ms;droprate=0 and senddelay=200ms;echodelay=200ms;jitter=50ms;droprate=0.2]

Figure 6.9. True positive and true negative by public dataset with 100s duration

PDBC, APD and SAPD maintain high accuracy with or without packet drops, and with either a big or a small delay. But the true positive of PDBC decreases greatly for asymmetric delay.

We then ran every approach by using the private dataset with different durations, and achieved the accuracy shown in Figure 6.10. We can see that PDBC, APD and SAPD all maintain more than 95% accuracy when the duration is bigger than 10s, and PDBC has higher accuracy than APD and SAPD when the duration is small. Sketching and ON/OFF can reach 95% accuracy when the duration is bigger than 60s. IPD and deviation generally keep an accuracy lower than 90% across the different durations, although IPD can reach 95% accuracy when the duration is very small. These results are almost consistent with the results of the public dataset, except that the accuracy of sketching in the private dataset is much higher than in the public dataset.

[Figure 6.10 plot omitted in extraction: x-axis Duration(s) 10 to 120, y-axis Accuracy(%) 60 to 100, series PDBC, APD, SAPD, ON/OFF, Sketching, IPD and Deviation]

Figure 6.10. Accuracy by private dataset with different durations

[Figure 6.11 plot omitted in extraction: x-axis Chaff rate 0 to 0.8, y-axis Accuracy(%) 50 to 100, series PDBC, APD, SAPD, ON/OFF, Sketching, IPD and Deviation]

Figure 6.11. Accuracy by private dataset with different chaff rate

[Figure 6.12 plot omitted in extraction: x-axis Jitter(ms) 0 to 1000, y-axis Accuracy(%) 50 to 100, series PDBC, APD, SAPD, ON/OFF, Sketching, IPD and Deviation]

Figure 6.12. Accuracy by private dataset with different jitters

This is due to the inter-packet delays in the public dataset being much bigger than the ones in the private dataset, so in the public dataset sketching needs a very large duration to achieve high accuracy.

Finally, we ran every approach using the private dataset with a 60s duration and different chaff rates and jitters, and achieved the accuracy shown in Figures 6.11 and 6.12. We can see in Figure 6.11 that PDBC, APD and SAPD are hardly affected by chaffs and sketching is slightly affected, while the others are significantly affected. Figure 6.12 shows that APD and SAPD are the only ones hardly affected by jitter.

The values of parameters for every approach in Figure 6.8 to Figure 6.13 are listed

in Table 6.2.

Table 6.2. Parameter values for stepping stone detection approaches

Approach    Parameter     Figure 6.8   Figure 6.9   Figure 6.10   Figure 6.11   Figure 6.12
ON/OFF      idleT (ms)    700          700          700           700           700
ON/OFF      � (ms)        120          120          120           120           120
ON/OFF      �             0.5          0.5          0.4           0.4           0.4
Deviation   dev           1700         1700         500           500           500
IPD         Window size   10           10           10            10            10
IPD         CP�           0.8          0.8          0.8           0.8           0.8
IPD         �             0.7          0.7          0.7           0.7           0.7
Sketching   TSL (ms)      3000         3000         1500          1500          1500
Sketching   #             200          200          70            70            70
PDBC        � (ms)        100          100          50            50            50
PDBC        �             0.3          0.3          0.2           0.2           0.2
APD/SAPD    No            No           No           No            No            No

6.3.3 Experimental Results Summary

By examining the experimental results and the previous analysis, we can draw the following conclusions.

1. IPD, deviation and SI (DM) are not suitable for real-time application.

2. Approaches with the assumption of no packet drops are not suitable for use in real Internet environments.

3. When there are no packet drops, nearly all approaches, except IPD, can achieve 100% accuracy if the duration is large enough.

4. In real Internet environments, PDBC, APD, SAPD, ON/OFF and sketching can achieve high accuracy if the duration is big enough.

5. In real Internet environments, PDBC, APD and SAPD can achieve high accuracy if the duration is small. PDBC is more accurate than APD or SAPD in very small durations.

6. PDBC, APD and SAPD are hardly affected by chaffs.

7. APD and SAPD are hardly affected by jitters.

Therefore, if we want to apply a stepping stone detection approach in Internet environments with quick responsiveness, we would select PDBC; if we want a stepping stone detection approach with high accuracy even under chaff and jitter perturbations, we would select APD or SAPD.

In addition, during the experiments, for nearly all approaches except APD and SAPD, we attempted to use different parameters for different datasets. The accuracy is occasionally low because we did not find the appropriate value for the parameters, especially the TSL parameter for the sketching approach and the � parameter for ON/OFF. From this point of view, APD and SAPD have no parameters and can easily be suited to any dataset. As we mentioned before, ON/OFF can be improved by calculating the � parameter, and the sketching approach can be improved by calculating the TSL parameter according to the streams.

6.4 Summary

The insufficient application of stepping stone detection approaches in real Internet environments, and the absence of highly quantitative comparative studies of stepping stone detection approaches, are still current issues for stepping stone research. In this chapter, we implemented a total of 13 stepping stone detection algorithms, extracted SSH data from public traces that have millions of packets, and obtained genuine stepping stone connection chain data from the Internet. We established a set of criteria and ran these algorithms in several scenarios with different datasets. Based on the experimental results and analysis, we drew conclusions about the real-time application of stepping stone detection approaches, their accuracy, and the impact of their assumptions, chaffs and jitters. In addition, we also provided suggestions for improving stepping stone detection approaches.


Chapter 7

Conclusions and Future Work

This chapter summarises the main contributions of this thesis on detecting stepping stones in real Internet environments, and presents the significance of this research. Finally, we make suggestions for improving our research in the future.

7.1 Conclusions

7.1.1 Major Contributions

The Internet has become increasingly critical, but at the same time Internet attacks have increased significantly. One of the most important reasons for this is that attackers are able to easily hide their identities and evade punishment by relaying their attacks through stepping stones. To date, stepping stone detection systems have already been proposed; however, challenges remain in applying them in Internet environments and in whether they will resist evasion. The aim of the research in this thesis has been to develop stepping stone detection systems which can provide effective and efficient stepping stone detection in real Internet environments, and to identify evasion techniques used by attackers. We have achieved these aims, and the main contributions of our research can be summarised as follows.

• We proposed a real-time RTT getting algorithm for stepping stone detection. The proposed Estimation Based Algorithm (EBA) can provide RTTs for RTT based stepping stone detection systems to identify correlated connections, and it can also provide RTTs for non-RTT based stepping stone detection systems to calculate important parameters. The experiments show that our algorithm is far more precise than other real-time RTT getting algorithms. We also present a theoretical analysis from a probability standpoint, which shows that our algorithm has a high matching rate and an accuracy rate similar to the complicated non-real-time SDBA [51] approach. By proposing the EBA, the stepping stone detection systems [48] which cannot be applied in practice and those [2] for which parameters are hard to select may become practical.

• We proposed the Packet Delay Bidirectional Comparison (PDBC) scheme, which is a simple but practical stepping stone detection system. It does not assume that no packets are dropped, and it is designed for high efficiency. Our experiments show that the proposed scheme can achieve more than 90% accuracy by monitoring for 2 seconds and more than 95% accuracy by monitoring for 10 seconds, in addition to a low computation cost. Compared to most stepping stone detection systems, it has the quickest responsiveness when applied in Internet environments.

• We first proposed upper bounds on the probability that normal streams present the timing feature of stepping stone attack streams, and were the first to apply them to stepping stone detection. We also designed the Abnormal Probability Detection algorithm (APD) and the Speedy Abnormal Probability Detection algorithm (SAPD), which can accurately detect stepping stones even with big jitter and a high chaff rate. We compared the two proposed stepping stone detection systems with many previous ones, and the experiments show that the two proposed systems are more resistant to chaffs and jitters than previous ones. These two stepping stone detection systems also maintain high accuracy for detecting stepping stone attack streams with no chaff and jitter perturbations. In addition, no parameters need to be adjusted in the APD and SAPD algorithms, so they are suitable for application in practice.

• We presented a highly quantitative comparative experimental analysis of network based passive stepping stone detection systems. Based on the implementation of the 13 stepping stone detection systems, the extraction of SSH data from public traces with millions of packets, and the capturing of genuine stepping stone connection chain data from the Internet, we tested these stepping stone detection systems in several scenarios using uniform criteria. According to the experimental results and analysis, we drew conclusions about the real-time application of stepping stone detection systems, their accuracy, the impact of their assumptions, and the impact of chaffs and jitters. In addition, we presented some suggestions for improving previous stepping stone detection systems.

7.1.2 Significance of this Thesis

The proposed RTT getting algorithm for stepping stones, and the stepping stone

detection schemes described in this thesis can bring significant benefits to both

academia and industry. The significance of this thesis may be summarized as follows:

• Networks have dramatically changed the daily activities of people, particularly in how we communicate, how we learn and how we conduct business. Unfortunately, while enjoying the convenience of the Internet, we also have to deal with network security problems. Attackers from anywhere may attack a site at any time, causing near irreparable damage. One of the reasons for this is that attackers can very easily hide their identities and evade the deserved punishment by relaying their attacks through stepping stones. Therefore, this research into stepping stone detection systems in Internet environments is very important and highly practical.

• The RTT getting algorithm is critical for stepping stone detection. Due to the absence of a real-time, precise RTT getting algorithm, some stepping stone detection systems [48] cannot be applied in practice, and some of them cannot be easily employed [2]. Therefore, the proposed RTT getting algorithm will accelerate the application of stepping stone detection systems in industry and also improve the research of stepping stone detection systems in academia.

• The profound analysis presented in the comparative experimental study on network based passive stepping stone detection can benefit further research in this area. At the same time, it provides a sound reference for the application of stepping stone detection systems in industry.

• Since we focus our research on real application, the proposed stepping stone detection schemes and RTT getting algorithm described in this thesis can be directly adopted by industry, which has the potential to change the current stagnant application of stepping stone detection systems in industry.

7.2 Future Work

This thesis has developed several stepping stone detection systems and compared most network based passive stepping stone detection systems. However, there is room for further improvement. Below, we outline some issues that have arisen from this thesis and future directions for this work. This list is intended to be neither detailed nor comprehensive, but merely suggests some possible ideas for developing the work explored in this thesis.

• Improve some aspects of the experiments conducted. Experiments about chaffs and jitters were based on simulation. So in future work, we would like to use real-life SSH data with chaffs and jitters, using the SNEAK tool [46] or by directly modifying the SSH client and server software. Secondly, the scale of data in our experiments was not large enough, so we would like to collect more private or public data to conduct a scalable experiment in the future.

• Improve some aspects of the algorithms. When there are very large jitters, the EBA RTT getting algorithm does not work well. In this scenario, we would like to treat an RTT with big fluctuation as an anomaly and notify the stepping stone detection system. Secondly, while we presented some improvements for other approaches, in future work we would like to implement and evaluate them.

• Detect non-interactive connections. In this thesis, our research focuses on interactive connections. Although attackers normally launch attacks via interactive connections, one-way communication is still possible. In future work, we will consider applying the probability bounds to one-way communication.

• Develop a stepping stone detection device. In this thesis, all of our proposed algorithms can be run in real time; however, in our experiments we ran them off-line. In future work, we will consider the development of a real stepping stone detection device which can be run on the Internet.

• Identify legal stepping stone connections. In this thesis, our aim is to detect connections in the same connection chain. But some of them may not be attack traffic, as normal users may also construct a connection chain. While this may be so, the traffic pattern is usually different for normal users and attackers. In future work, we will consider a system to distinguish legal connections from stepping stone connections.


Bibliography

[1] S. Staniford-Chen and L.T. Herberlein: “Holding Intruders Accountable on the Internet”, Proc. 1995 IEEE Symposium on Security and Privacy, 1995, pp. 39-49. [2] Y. Zhang and V. Paxson: “Detecting Stepping-Stones”, Proc. 9th USENIX Security Symposium, 2000, pp. 67-81. [3] K. Yoda and H. Etoh: “Finding a Connection Chain for Tracing Intruders”, Proc. 6th European Symposium on Research in Computer Security (LNCS 1985), 2000, pp. 31-42. [4] X. Wang, D.S. Reeves, and S.F. Wu: “Inter-packet delay based correlation for tracing encrypted connection through Stepping-Stone”, Proc. 7th European Symposium on Research in Computer Security (ESORICS 2002), 2002, pp. 244-263. [5] D.L. Donoho, A.G. Flesia, U. Shankar, V. Paxson, J. Coit, and S. Staniford: “Multiscale Stepping-Stone detection: Detecting pairs of jittered interactive streams by exploiting maximum tolerable delay”, Proc. 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), 2002, pp. 49-64 [6] X. Wang and D.S. Reeves: “Robust correlation of encrypted attack traffic through Stepping-Stones by manipulation of interpacket delays”, Proc. 10th ACM Conference on Computer and Communication Security (CCS 2003), 2003, pp. 20-29. [7] W.T. Strayer, C.E. Jones, I. Castineyra, J.B. Levin, and R.R. Hain: “An integrated architecture for attack attribution”, BBN Technologies, Tech. Rep. BBN REPORT-8384, 2003. [8] A. Blum, D. Song, and S. Venkataraman: “Detection of interactive Stepping-Stones: Algorithm and confidence bounds”, The 7th International Symposium on Recent Advances in Intrusion Detection (RAID 2004), 2004. [9] L. Zhang, A. G. Persaud, A. Johson, Y. Guan: “Stepping- Stone Attack Attribution in Non-Cooperative IP Networks”, in Proc. Of the 25th IEEE International Performance Computing and Conference (IPCCC 2006), 2006.

Bibliography

150

[10] T. He and L. Tong: “A Signal Processing Perspective to Stepping-Stone Detection”, in Proc. 2006 Conference on Information Sciences and Systems, (Princeton, NJ), March 2006. [11] P. Peng, P. Ning, and D. S. Reeves: “On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques”, in Proc. of the 2006 IEEE Symposium on Security and Privacy (S&P), May 2006, pp. 334–349. [12] K. H. Yung: “Detecting long connection chains of interactive terminal sessions”, in RAID 2002, Lecture Notes in Computer Science, vol. 2516, Jan 2002, pp. 1–16. [13] J. Yang and S. Huang: “A Real-Time algorithm to Detect Long Connection Chains of Interactive Terminal Sessions”, Proceedings of InfoSecu04, Shanghai, China, 2004, pp.198-203. [14] J. Yang and S.-H. Huang: “Matching tcp packets and its application to the detection of long connection chains on the internet”, in AINA 2005 19th International Conference on Advanced Information Networking and Applications, March 2005, pp. 1005–1010. [15] A. Almulhem and I. Traore: “A Survey of Connection-Chains Detection Techniques”, 2007 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, (2007) [16] J. Yang, and S-H. .S. Huang: “Matching TCP/IP packets to Detect Stepping-Stone Intrusion”, International Journal of Computer Science and Network Security (IJCSNS), vol. 6, no. 10, Oct. 2006, pp. 269-276. [17] P. Peng, P. Ning, D. S. Reeve, and X. Wang: “Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets”, in Proc. Of the 2nd International Workshop on Security in Distributed Computing Systems (SDCS), Jun. 2005, pp. 107–113. [18] X. Wang, D. S. Reeves, S. F. Wu, and J. Yuill: “Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework”, in Proc. of the 16th International Conference on Information Security (IFIP/Sec), Jun. 2001, pp. 369–384. [19] X. Wang, D. S. Reeves, P. Ning, and F. 
Feng: “Robust network-based attack attribution through probabilistic watermarking of packet flows”, Technical Report TR-2005-10, Department of Computer Science, NC State Univ., 2005. [20] T. He and L. Tong: “Detecting Encrypted Stepping-Stone Connections”, Tech. Rep. ACSPTR- 01-06-02, Cornell University, January 2006.

Bibliography

151

[21] T. He and L. Tong: “Detecting Encrypted Interactive Stepping-Stone Connections”, in Proc. 2006 IEEE International Conference on Acoustics, Speech, and Signal Processing, (Toulouse, France), May 2006. [22] L. Zhang, A. G. Persaud, A. Johnson, and Y. Guan: “Detection of Stepping-Stone attack under delay and chaff perturbations”, presented at the 25th IEEE Int. Perform. Comput. Commun. Conf. (IPCCC), Phoenix, AZ, 2006. [23] T. He, P. Venkitasubramaniam, and L. Tong: “Packet Scheduling Against Stepping-Stone Attacks with Chaff”, Proceedings of IEEE MILCOM, Cornell University, October, 2006 [24] T. He and L. Tong: “Detecting Information Flows: “Improving Chaff Tolerance by Joint Detection”, CISS 2007: 51-56 [25] Y.J. Pyun and D. S. Reeves: "Strategic Deployment of Network Monitors for Attack Attribution", to appear in Proc. of the 4th Intl. Conf. on Broadband Communications, Networks, and Systems (IEEE Broadnets 2007), September 2007 [26] J. Yang, S-H. S. Huang, and M. D. Wan: “A clustering partitioning algorithm to find TCP packet round-trip time for intrusion detection”, Advanced Information Networking and Applications, 2006. AINA 2006. 20th International Conference on Volume 1, Issue , 18-20 April 2006 Page(s): 6 pp [27] M.N. Omar, M.A. Maarof, A. Zainal: “Solving time gap problems through the optimization of detecting Stepping-Stone algorithm”, Computer and Information Technology, 2004. CIT '04. The Fourth International Conference on Date: 14-16 Sept. 2004, Pages: 391 – 396 [28] J. Yang and S-H. S. Huang: “Correlating Temporal Thumbprints for Tracing Intruders”, To appear in Proceedings of 3rd International Conference on Computing, Communications and Control Technologies (CCCT’05), Austin, TX, July (2005). [29] W.T. Strayer, C. Jones, B. Schwartz, S. Edwards, W. Milliken, and A. Jackson: “Efficient Multi-Dimensional Flow Correlation”, In Proceedings of the 32nd IEEE Conference on Local Computer Networks (October 15 - 18, 2007). 
IEEE Computer Society, Washington, DC, 531-538 [30] W.T. Strayer, C.E. Jones, B.I. Schwartz,J. Mikkelson, and C. Livadas: “Architecture for multi-stage network attack traceback” In Proceedings of the the IEEE Conference on Local Computer Networks 30th Anniversary (November 15 - 17, 2005). IEEE Computer Society, Washington, DC, 776-785 [31] M.N. Omar, M.A. Maarof and A. Zainal: “The Optimization of Stepping-Stone Detection: Packet Capture Steps”, Jurnal Teknologi, vol. 44, no. (D), Jun 2006, pp. 1-14.

Bibliography

152

[32] Y. Tang, Y. Liverpool and T.E. Daniels: “Monitor placement for Stepping-Stone analysis”, Performance, Computing, and Communications Conference, 2006. IPCCC 2006. 25th IEEE International Date: 10-12 April 2006, Pages: 8 pp. 509-512 [33] S-H. S. Huang, R. Lychev and J. Yang: “Stepping-Stone Detection Via Request-Response Traffic Analysis”, ATC 2007: 276-285 [34] Y. J. Pyun, Y. H. Park, X. Y. Wang, D. S. Reeves, and P. Ning: "Tracing Traffic Through Intermediate Hosts that Repacketize Flows", in Proc. of the 26th Annual IEEE Conf. on Computer Communications (Infocom 2007), May 2007 [35] B. Coskun and N. Memon,: “Efficient Detection of Delay-Constrained Relay Nodes”, Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual Date: 10-14 Dec. 2007, Pages: 353 – 362 [36] A. Chantler and R. Broadhurst: “Social Engineering and Crime Prevention in Cyberspace“, Technical Report, Justice, Queensland University of Technology, 2006 [37] E. Messmer: “Cyber Espionage: A growing Threat to Business”, PC World, January 21, 2008 [38] B. Coskun and N. Memon: “Online Sketching of Network Flows for Real-Time Stepping-Stone Detection”, in Proc. of the Annual Computer Security Applications Conference, pp 473-483, 2009 [39] P. Li, W. Zhou and Y. Wang: “Getting the Real-Time Precise Round-Trip Time for Stepping Stone Detection”, in Proc 4th International Network and System Security(NSS), Melbourne, Australia, 2010 [40] G. Gu, J. Zhang, and W. Lee: “BotSniffer: Detecting botnet command and control channels in network traffic”. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS’08), 2008. [41] G. Gu, R. Perdisci, J. Zhang, and W. Lee. “Botminer: Clustering analysis of network traffic for protocol and structure independent botnet detection”. In USENIX Security, 2008. [42] S. Kent and R. Atkinson: “RFC 2401: Security Architecture for the Internet Protocol”, IETF, September 1998. draft-ietfipsec-arch-sec [43] T. 
Ylonen.: “IETF Internet Draft: SSH Protocol Architecture”, IETF, March 2005. draft-ietf-secsharchitecture-22 [44] M. N. Omar, L. Siregar, and R. Budiart: “Dropped Packet Problems in Stepping-Stone Detection”, IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.2, February 2008

Bibliography

153

[45] M. Venkateshaiah and M. Wright: “Evading Stepping-Stone Detection Under the Cloak of Streaming Media”, Tech. Report, Department of Computer Science and Engineering, University of Texas at Arlington, Arlington, TX 76019, 2007. [46] J. D. Padhye and M. Wright: “Stepping-Stone Network Attack Kit (SNEAK) For Evading Timing-based Detection Methods Under The Cloak Of Constant Rate Multimedia Streams”, Computer Science & Engineering, 17-Sep-2008 [47] M. Venkateshaiah and M. Wright: “Evading Existing Stepping-Stone Detection Methods Using Buffering”, Computer Science & Engineering, 23-Aug-2007 [48] J. Yang and S-H. S. Huang, "Improved Thumbprint and Its Application for Intrusion Detection," Proceedings of the Third International Conference on Computer Network and Mobile Computing (ICCNMC), Zhangjiajie, China, August 2-4, 2005, pp. 433-442 [49] A. Kampasi, Y. Zhang, G. Di Crescenzo, A. Ghosh, and R.Talpade: "Improving Stepping-Stone Detection Algorithms using Anomaly Detection Techniques". The University of Texas at Austin, Department of Computer Sciences. Report# TR-07-28 (regular report). May 21, 2007. 8 pages. [50] S. C. Lee and C. Shields: “Tracing the Source of Network Attack: A Technical, Legal, and Societal Problem”. In Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, West Point, NY, June 2001. [51] J. Yang and S. Huang: “Probabilistic Analysis of an Algorithm to Compute TCP Packet Round-Trip Time for Intrusion Detection”, Journal of Computers and Security, Elsevier Ltd., 2007, pp137-144, Vol. 26 [52] http://www.wand.net.nz/wits/auck/9/ [53] C. Chen, M. Mangrulkar, N. Ramos and M. Sarkar: “Trends in TCP/IP Retransmissions and Resets”, Technical Report, URL: http://cseweb.ucsd.edu/classes/wi01/cse222/projects/reports/tcp-flags-13.pdf [54] H.-C. Wu and S.-H. S. 
Huang: “Detecting steppingstone with chaff perturbations,” in AINAW ’07: Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops, 2007, pp. 85–90. [55] D. Knuth: "The Art of Computer Programming", 3rd ed., vol. 1, 1997, p.98 [56] D.L., Mills: Internet Delay Experiments. IETF document, http://www.ietf.org/rfc/rfc889.txt (1983) [57] Department of the Air Force and Air Force Materiel Command: “Network attack traceback,” April 2005.

Bibliography


Bibliography



