Abstract

Exploiting stepping-stones to launch attacks has been widely used by most professional attackers. There are two reasons for doing this: first, it is hard to detect intrusion via stepping-stones; second, even though such intrusions can be detected, it is almost impossible to capture the intruders. There have been many algorithms developed to detect stepping-stone intrusion. In this paper, we propose a novel approach to detect stepping-stone intrusion by modelling and identifying encrypted network traffic of a host. Commonly, attackers use Secure Shell (SSH) to hide their identity. SSH securely connects two hosts together and encrypts their interactions. One connection of SSH leads to another on a different host, and again until the attacker becomes untraceable from a victim host. The previous work detecting a stepping-stone by viewing the lengths of encrypted packets assumed that the encryption algorithm used for both encryptions would remain the same. In this research, we explore an algorithm to determine if a host is used as a stepping-stone by focusing on the length sequences of incoming and outgoing packets under heterogeneous encryption algorithms. The performance of the algorithm proposed was assessed by experiments over the Internet. The results show that the average match rate for relayed connections was in the range of 94% to 96%, but for un-relayed connections, the average match rate never rose above 15%, and was often much lower.