Mining TCP/IP packets to detect stepping-stone intrusion

Yang, Jianhua; Huang, Shou-Hsuan Stephen

doi:10.1016/j.cose.2007.07.001

Cited by 38 publications

(65 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Yang et al . used the maximum–minimum distance classification method to cluster and simplify the RTT value and chose the higher clustering rates. This classification method has more accurate results than the original RTT.…”

Section: Related Workmentioning

confidence: 99%

“…Most of detecting stepping-stone attack studies included content-based thumbprint [4,5], time-based approach [6][7][8][9][10][11][12], deviation-based approach [13], packet number differencebased [14,15], context-based packet matching [16,17], and round-trip time (RTT) approach [18][19][20][21][22][23][24]. There were generally two types of detecting method.…”

Section: Related Workmentioning

confidence: 99%

“…Therefore, the problem of the RTT approach is that it generates inaccurate detection because it fails to precisely compute the RTT between two hosts. Yang et al [22,23] used the maximum-minimum distance classification method to cluster and simplify the RTT value and chose the higher clustering rates. This classification method has more accurate results than the original RTT.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Detecting stepping‐stone intrusion using association rule mining

Hsiao

Sun

Fan

2013

Security Comm Networks

View full text Add to dashboard Cite

Hackers generally do not use their own computers to launch attacks on the Internet to avoid exposing their actual locations. The trick involves an intruder connecting to a victim indirectly through a sequence of hosts called stepping‐stone, which makes network managers difficult to detect the intrusion, often results in serious injuries. In this study, a detection method of stepping‐stone based on the association rule mining of network traffic records is proposed. The association rules establish a model for detecting stepping‐stones in accordance with collecting the connecting records in the governed network. Test records are gathered from the source and destination addresses of Internet protocol in a fixed time interval, which are then analyzed with the association rules algorithm to filter out the transmission characteristics of stepping‐stone attacks. In the experimental results, empirical evaluation under 5 min of test records shows that the accuracy rate, the precision rate, and the recall rate are 83.81%, 84.26%, and 83.16%, respectively. When the test record gathering time is extended to 20 min, with the same detecting method, the three evaluations achieve 99.9%. The proposed detection method may be helpful to network management for detecting suspected stepping‐stone attacks. Copyright © 2013 John Wiley & Sons, Ltd.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Detecting stepping‐stone intrusion using association rule mining

Hsiao

Sun

Fan

2013

Security Comm Networks

View full text Add to dashboard Cite

show abstract

“…However, Yung's estimating approach for connection chain length can only give good results when network traffic is relatively uniform. On the other hand, Yang and Huang [3] proposed a "Step-Function" approach to detect stepping stones using the RTT feature that RTT changes small for normal connections, but this change, proportionally increases with the number of stepping stones in the chain. The number of steps for RTT changes reflects the number of hosts in the connections.…”

Section: Introductionmentioning

confidence: 99%

Getting the Real-Time Precise Round-Trip Time for Stepping Stone Detection

Zhou

Wang

2010

2010 Fourth International Conference on Network and System Security

View full text Add to dashboard Cite

Stepping stone attacks are often used by network intruders to hide their identities. The Round Trip Times (RTT) between the send packets and corresponding echo packets for the connection chains of stepping stones are critical for detecting such attacks. In this paper, we propose a novel real-time RTT getting algorithm for stepping stones which is based on the estimation of the current RTT value. Our experiments show that it is far more precise than the previous real-time RTT getting algorithms. We also present the probability analysis which shows that our algorithm has a high matching rate and a high accurate rate.

show abstract

“…Understanding the potential threats of an organization and assessing the risks associated with those threats Educating personnel in security awareness, code of conduct, and information security best practices Establishing policies and procedures to protect information assets from intentional or accidental misuse or loss Establishing policies and procedures to mitigate loss should security breaches occur Implementing and monitoring technologies to prevent or mitigate the loss from present or future security breaches Continuous assessment of technology, policies and procedures, and personnel to assure proper governance of information security issues Incorporating information security governance as an important part of corporate governance Prior research on computer security has concentrated mostly on either identifying security as a socio-philosophical concern [Ratnasingham 1998], a socio-organizational concern [Dhillon and Backhouse 2001], or as a purely technical issue [Bass 2000;Wong et al 2000;Li and Guo 2007;Yang and Huang 2007;]. Such delineation has possibly led to a situation where security is widely regarded as a field which lacks comprehensive research in IS [Paulson 2002;Kotulic and Clark 2004].…”

Section: Introductionmentioning

confidence: 99%