Volume 12 - Issue 1
Modelling Network Traffic and Exploiting Encrypted Packets to Detect Stepping-stone Intrusions
- Jianhua Yang
Full Professor, TSYS School of Computer Science, Columbus State University (CSU), Columbus, GA, USA
yang jianhua@columbusstate.edu
- Lixin Wang
Associate Professor of computer science at Columbus State University, Columbus, GA USA
wang lixin@columbusstate.edu
- Suhev Shakya
Student of computer science at Columbus State University, Columbus, GA, USA
shakya suhev@columbusstate.edu
Keywords: Stepping-stone Intrusion, modelling network traffic, encrypted packet, Intrusion Detection
Abstract
Since the 1990s, most professional intruders have used stepping-stones to build a long connection
chain and launch their attacks indirectly rather than directly, in order to avoid detection. The longer
the connection chain, the harder it is to capture the intruders and detect their intrusions. Most existing
approaches are susceptible to intruders' session manipulation, such as chaff perturbation. In this paper, we
propose a novel algorithm that models network traffic and exploits encrypted packets to detect
stepping-stone intrusions. The experimental results show that the proposed algorithm can not only
detect stepping-stone intrusions but also resist an intruder's single-side chaff perturbation of up to 70%
in a local area network and up to 80% on the Internet. The algorithm performs much more strongly
against both-side chaff perturbation. Our study shows that if both the incoming and outgoing connections
of a sensor host are manipulated, the algorithm can resist a chaff rate of 140% or even more, in either a
local area network or an Internet environment.