ISSN: 2182-2069 (printed) / ISSN: 2182-2077 (online)
Modelling Network Traffic and Exploiting Encrypted Packets to Detect Stepping-stone Intrusions
To avoid detection, most professional intruders have, since the 1990s, launched their attacks indirectly through a long chain of stepping-stone hosts rather than directly. The longer the connection chain, the harder it is to trace the intruder and to detect the intrusion. Most existing detection approaches are defeated by an intruder's session manipulation, such as chaff perturbation, the injection of meaningless packets into a connection. In this paper, we propose a novel algorithm that models network traffic and exploits encrypted packets to detect stepping-stone intrusions. The experimental results show that the proposed algorithm not only detects stepping-stone intrusions but also resists an intruder's single-side chaff perturbation at rates up to 70% in a local area network and up to 80% on the Internet. The algorithm performs far better against both-side chaff perturbation: our study shows that if both the incoming and the outgoing connections of a sensor host are manipulated, the algorithm resists chaff rates of 140% and more, in both the local area network and the Internet settings.
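The weakness of naive stepping-stone detection under chaff, and the contrast between single-side and both-side chaff that the abstract reports, can be seen in a small simulation. The following is an added illustration written for this page; it is not the paper's algorithm and not code from its authors. It applies a classic relay heuristic, comparing per-window packet counts on a sensor host's incoming and outgoing connections, to constructed timestamps. The function names, the 5-second window, the 25% count tolerance, the fixed keystroke spacing and the evenly spread chaff are all assumptions of the example, chosen so the results are reproducible by hand.

```python
"""Toy stepping-stone relay detector based on per-window packet counts.
Added illustration: NOT the paper's algorithm. All traffic below is
constructed, not captured."""
from dataclasses import dataclass


@dataclass
class Session:
    """Packet timestamps (seconds) seen by a sensor host on the inbound
    connection and on the outbound connection it may be relaying into."""
    incoming: list
    outgoing: list


def interactive_times(n, start=0.3, gap=0.37):
    """Constructed keystroke traffic: n packets at a fixed gap. Real
    sessions are burstier; the fixed gap keeps the example reproducible."""
    return [start + gap * i for i in range(n)]


def chaff_times(n, duration, offset):
    """Constructed chaff: n meaningless packets spread evenly over the session."""
    return [offset + duration * j / n for j in range(n)]


def relayed_session(n_real, chaff_in=0.0, chaff_out=0.0, duration=45.0, delay=0.01):
    """Sensor host forwards every real inbound packet outbound after `delay`.
    chaff_in / chaff_out are chaff rates, i.e. chaff packets per real packet
    injected on that side (0.7 means 70%). Chaff on the two sides uses
    different offsets so the sides are not trivially identical."""
    real = interactive_times(n_real)
    incoming = real + chaff_times(round(chaff_in * n_real), duration, 0.1)
    outgoing = [t + delay for t in real] + chaff_times(round(chaff_out * n_real), duration, 0.2)
    return Session(sorted(incoming), sorted(outgoing))


def unrelated_session():
    """Two connections through the same host that are not a relay pair:
    an interactive inbound session beside a short outbound burst (constructed)."""
    return Session(interactive_times(120), [0.5 + 0.2 * i for i in range(100)])


def window_counts(times, window, duration):
    """Number of packets falling into each fixed-size time window."""
    counts = [0] * int(duration / window)
    for t in times:
        idx = min(int(t // window), len(counts) - 1)
        counts[idx] += 1
    return counts


def count_consistency(session, window=5.0, duration=45.0, tolerance=0.25):
    """Fraction of windows in which inbound and outbound packet counts agree
    to within `tolerance`, relative to the larger count. A relayed pair
    with no chaff scores 1.0; unrelated connections score near 0."""
    cin = window_counts(session.incoming, window, duration)
    cout = window_counts(session.outgoing, window, duration)
    agree = 0
    for a, b in zip(cin, cout):
        hi = max(a, b)
        if hi == 0 or abs(a - b) / hi <= tolerance:
            agree += 1
    return agree / len(cin)


def is_stepping_stone(session, threshold=0.8, **kw):
    """Flag the connection pair as a relay when most windows agree."""
    return count_consistency(session, **kw) >= threshold


if __name__ == "__main__":
    cases = [
        ("relay, no chaff", relayed_session(120)),
        ("relay, 70% chaff on inbound only", relayed_session(120, chaff_in=0.7)),
        ("relay, 140% chaff on both sides", relayed_session(120, chaff_in=1.4, chaff_out=1.4)),
        ("unrelated connections", unrelated_session()),
    ]
    for label, s in cases:
        print(f"{label:36s} consistency={count_consistency(s):.2f} flagged={is_stepping_stone(s)}")
```

With no chaff every window matches (consistency 1.0). Injecting 70% chaff on the inbound side alone inflates every inbound window by roughly 40% relative to the outbound one, so no window agrees and the relay goes unflagged, which is the failure mode the abstract attributes to existing approaches. Injecting 140% chaff on both sides at similar rates leaves the counts balanced and the relay is still flagged. That is a property of this toy count matcher, not a result about the paper's algorithm, and an intruder who chaffs the two sides at unequal rates breaks the toy as easily as single-side chaff does.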