Abstract
One of the key problems in detecting stepping stones is constructing correlations between connections. We focus on the use of detection windows and propose two methods for constructing correlations of perturbed connections. The first method uses a packet-based window: within the attacker's perturbation range, the average value of the packets in the detection window is set to increase periodically. The method constructs correlations in attacking connection chains by analyzing the increase in the average inter-packet delay between the two connection chains. The second method uses time-based windows. It divides time into segments, forms the segments into groups, and uses pairs of groups to carry the watermarks. These methods can reduce the complexity of correlation computations and improve detection efficiency. The second method can even work under packet loss and disorder.
Supported by NSFC(90204014).
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Li, Q., Feng, Q., Liu, K., Ju, J. (2005). Constructing Correlations of Perturbed Connections Under Packets Loss and Disorder. In: Lu, X., Zhao, W. (eds) Networking and Mobile Computing. ICCNMC 2005. Lecture Notes in Computer Science, vol 3619. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11534310_68
DOI: https://doi.org/10.1007/11534310_68
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28102-3
Online ISBN: 978-3-540-31868-2
eBook Packages: Computer Science (R0)