Volume 12 - Issue 4
Modeling Network Traffic via Identifying Encrypted Packets to Detect Stepping-stone Intrusion under the Framework of Heterogeneous Packet Encryption
- Jianhua Yang
Columbus State University, Columbus, Georgia, USA
yang jianhua@columbusstate.edu
- Noah Neundorfer
Columbus State University, Columbus, Georgia, USA
noah neundorfer@columbusstate.edu
- Lixin Wang
Columbus State University, Columbus, Georgia, USA
wang lixin@columbusstate.edu
Keywords: Stepping-stone, Intrusion detection, Modelling network traffic, Heterogeneous packet encryption
Abstract
Launching attacks through stepping-stones is a technique widely used by professional attackers.
There are two reasons for doing this: first, it is hard to detect an intrusion that arrives via stepping-stones; second,
even when such an intrusion is detected, it is almost impossible to capture the intruder. Many
algorithms have been developed to detect stepping-stone intrusion. In this paper, we propose
a novel approach to detecting stepping-stone intrusion by modelling and identifying the encrypted network
traffic of a host. Commonly, attackers use Secure Shell (SSH) to hide their identity. SSH securely
connects two hosts and encrypts their interactions. One SSH connection leads to another
on a different host, and so on, until the attacker can no longer be traced from the victim host. Previous
work that detected a stepping-stone by comparing the lengths of encrypted packets assumed that the
same encryption algorithm was used on both connections. In this research, we explore
an algorithm that determines whether a host is being used as a stepping-stone by focusing on the length sequences of
its incoming and outgoing packets under heterogeneous encryption algorithms. The performance of the
proposed algorithm was assessed by experiments over the Internet. The results show that the average
match rate for relayed connections was in the range of 94% to 96%, whereas for un-relayed connections
the average match rate never rose above 15% and was often much lower.
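The abstract only states the idea (compare incoming and outgoing packet-length sequences even when the two SSH legs use different ciphers), not the algorithm. The following is an added illustration written for this page, not the authors' code or method: it models why the same forwarded payload shows up with different wire lengths on two legs that use ciphers with different block sizes (the SSH binary packet format of RFC 4253, section 6), and shows one simple way a detector can still compare the two length sequences by mapping each observed length back to the set of payload sizes that could have produced it. The cipher-to-leg assignment, the payload sequences and the `match_rate` scoring are all constructed assumptions for the example.

```python
"""
Added illustration (not the paper's algorithm): packet-length modelling for a
stepping-stone whose incoming and outgoing SSH connections use different
ciphers. Layout per RFC 4253 section 6: 4-byte packet_length, 1-byte
padding_length, payload, random padding (at least 4 bytes, total a multiple of
the cipher block size, minimum 8), followed by the MAC. This models the
classic CBC-style layout; AEAD and encrypt-then-MAC modes differ in detail.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    block_size: int  # cipher block size in bytes
    mac_len: int     # bytes of MAC appended after the encrypted body


# Assumed leg configurations for the example. The block and MAC sizes are the
# real ones for these algorithms; which leg uses which is constructed here.
CIPHER_IN = Cipher("3des-cbc + hmac-sha1", 8, 20)
CIPHER_OUT = Cipher("aes128-cbc + hmac-sha2-256", 16, 32)


def ssh_wire_len(payload_len: int, c: Cipher) -> int:
    """Wire length of one SSH binary packet carrying payload_len payload bytes."""
    bs = max(8, c.block_size)
    pad = bs - ((5 + payload_len) % bs)  # 5 = packet_length + padding_length fields
    if pad < 4:                           # RFC 4253: at least 4 bytes of padding
        pad += bs
    return 5 + payload_len + pad + c.mac_len


def feasible_payloads(wire_len: int, c: Cipher) -> set:
    """All payload sizes that would produce wire_len under cipher c.

    Padding hides the exact payload size, but only within a window of
    block_size candidates, so an observed length narrows the payload to a set.
    """
    body = wire_len - c.mac_len
    if body <= 0:
        return set()
    return {p for p in range(body) if ssh_wire_len(p, c) == wire_len}


def match_rate(in_lens, out_lens, c_in=CIPHER_IN, c_out=CIPHER_OUT) -> float:
    """Fraction of packet pairs (i-th incoming, i-th outgoing) whose observed
    lengths could carry the same payload under their respective ciphers.
    A relayed pair always matches; an unrelated pair matches only by chance."""
    n = min(len(in_lens), len(out_lens))
    if n == 0:
        return 0.0
    hits = sum(1 for a, b in zip(in_lens, out_lens)
               if feasible_payloads(a, c_in) & feasible_payloads(b, c_out))
    return hits / n


# Constructed interactive session: SSH payload size of each forwarded packet.
RELAYED_PAYLOADS = [10, 10, 10, 12, 10, 10, 97, 10, 10, 14, 250, 10]
IN_RELAYED = [ssh_wire_len(p, CIPHER_IN) for p in RELAYED_PAYLOADS]
OUT_RELAYED = [ssh_wire_len(p, CIPHER_OUT) for p in RELAYED_PAYLOADS]

# Constructed outgoing connection that does NOT relay the incoming one.
UNRELATED_PAYLOADS = [40, 28, 61, 33, 36, 75, 22, 58, 12, 90, 47, 66]
OUT_UNRELATED = [ssh_wire_len(p, CIPHER_OUT) for p in UNRELATED_PAYLOADS]


if __name__ == "__main__":
    print("incoming  (3des/sha1):   ", IN_RELAYED)
    print("outgoing  (aes/sha256):  ", OUT_RELAYED)
    print("unrelated (aes/sha256):  ", OUT_UNRELATED)
    print("match rate, relayed:   %.2f" % match_rate(IN_RELAYED, OUT_RELAYED))
    print("match rate, unrelated: %.2f" % match_rate(IN_RELAYED, OUT_UNRELATED))
```

Because the two legs pad to different block sizes, a raw equality test on lengths would fail even for a perfect relay; mapping each length back to its feasible payload window recovers the comparison. In the constructed data the relayed pair scores 1.0 and the unrelated pair about 0.08 (one chance collision among twelve). Real traffic will not reach 1.0 for a relay, since the stepping-stone re-emits channel data in its own packets rather than forwarding payloads byte-for-byte, and AEAD or encrypt-then-MAC modes change the length arithmetic; a deployed detector has to model those effects rather than the idealised one shown here.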