Modelling Network Traffic and Exploiting Encrypted Packets to Detect Stepping-stone Intrusions

Jianhua Yang+, Lixin Wang, and Suhev Shakya
TSYS School of Computer Science, Columbus State University, Columbus, GA 31904, USA
{yang_jianhua, wang_lixin, shakya_suhev}@columbusstate.edu

Abstract

In order to avoid being detected, most professional intruders have, since the 1990s, exploited stepping-stones to build a long connection chain and launch their attacks indirectly rather than directly. The longer a connection chain, the harder it is to capture the intruders and detect their intrusions. Most existing approaches suffer from intruders' session manipulation, such as chaff perturbation. In this paper, we propose a novel algorithm that models network traffic and exploits encrypted packets to detect stepping-stone intrusions. The experimental results show that the proposed algorithm can not only detect stepping-stone intrusions, but also resist intruders' single-side chaff perturbation up to 70% in the context of a local area network, as well as 80% in the context of the Internet. The algorithm presents much stronger performance in resisting intruders' both-side chaff perturbation. Our study shows that if the incoming and outgoing connections of a sensor host are both manipulated, the algorithm can resist intruders' chaff rate up to 140%, and even more, regardless of whether the environment is a local area network or the Internet.

Keywords: Stepping-stone Intrusion, modelling network traffic, encrypted packet, Intrusion Detection

+: Corresponding author: Jianhua Yang

Journal of Internet Services and Information Security (JISIS), 12(1): 2-25, February 2022