Attackers can exploit compromised hosts to launch attacks over the Internet. This protects an intruder, placing them behind a long connection chain consisting of multiple compromised hosts. Such attacks are called stepping-stone intrusions. Many algorithms have been proposed to detect stepping-stone intrusions, but most detection algorithms are weak in resisting intruders’ session manipulation, such as chaff-perturbation. This paper proposes a novel detection algorithm: Packet Cross-Matching and RTT-based two-dimensional random walk. Theoretical proof shows network traffic cross matching can be effective in resisting attackers’ chaff attack. Our experimental results over the AWS cloud show that the proposed algorithm can resist attackers’ chaff attacks up to a chaff rate of 100%.