Constructing Correlations of Perturbed Connections Under Packets Loss and Disorder

  • Conference paper
Networking and Mobile Computing (ICCNMC 2005)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 3619)

Abstract

One of the key problems in detecting stepping stones is constructing the correlations between connections. We focus on the use of detecting windows and propose two methods for constructing correlations of perturbed connections. The first method uses a packet-based window: within the attacker's perturbation range, the average value of the packets in the detecting window is set to increase periodically. The method can construct correlations in attacking connection chains by analyzing the increase of the average value of the inter-packet delay between the two connection chains. The second method uses time-based windows. It divides time into segments, forms segments into groups, and uses pairs of groups to take the watermarks. These methods can reduce the complexity of correlation computations and improve the efficiency of detection. The second method can even work under packet loss and disorder.

Supported by NSFC(90204014).

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Li, Q., Feng, Q., Liu, K., Ju, J. (2005). Constructing Correlations of Perturbed Connections Under Packets Loss and Disorder. In: Lu, X., Zhao, W. (eds) Networking and Mobile Computing. ICCNMC 2005. Lecture Notes in Computer Science, vol 3619. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11534310_68

  • DOI: https://doi.org/10.1007/11534310_68

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-28102-3

  • Online ISBN: 978-3-540-31868-2

  • eBook Packages: Computer Science, Computer Science (R0)