Detecting Anomalies in Active Insider Stepping Stone Attacks


Giovanni Di Crescenzo1, Abhrajit Ghosh1, Abhinay Kampasi2, Rajesh Talpade3 and Yin Zhang4


1Telcordia Technologies

Piscataway, NJ, USA

{giovanni, aghosh}@research.telcordia.com


2Microsoft

Redmond, WA, USA

abhinay.kampasi@microsoft.com


3Niksun

Princeton, NJ, USA

rtalpade@niksun.com


4University of Texas at Austin

1616 Guadalupe, Suite 2.408

Austin, TX 78701, USA

yzhang@cs.utexas.edu


Abstract


Network attackers frequently use a chain of compromised intermediate nodes to attack a target machine and maintain anonymity. This chain of nodes between the attacker and the target is called a stepping stone chain. Various classes of algorithms have been proposed to detect stepping stones; timing-correlation-based algorithms are a recent class that is attracting significant research interest. However, the existing timing-based algorithms are susceptible to failure if the attacker actively tries to evade detection using jitter or chaff. We have developed three anomaly detection algorithms to detect the presence of jitter and chaff in interactive connections, based on response time, edit distance and causality. Experiments performed on Deter using real-world traces and live traffic demonstrate that the algorithms perform well, with very low false positives and false negatives and a high success percentage of about 99%. These algorithms, based on response times from the server and causality of traffic in both directions of an interactive connection, have made the existing stepping stone detection framework more robust and resistant to evasion.
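The abstract names an edit-distance-based check as one of the three detectors but does not spell it out. As an added illustration, not the paper's algorithm or code, the Python below compares the quantized inter-arrival sequences of the ingress and egress legs of a relay: a clean relay reproduces the ingress timing (distance 0), while chaff packets on the egress leg insert gaps with no ingress counterpart and raise the normalized edit distance. The 50 ms bucket, the 0.2 threshold and the timestamps are constructed assumptions chosen for the example.

```python
"""Edit-distance comparison of the two legs of a relayed interactive session.

Constructed illustration of the edit-distance idea from the abstract; this is
not the paper's algorithm, and every threshold and sample value below is an
assumption chosen for the example.
"""
from typing import List


def inter_arrival_buckets(timestamps_ms: List[int], bucket_ms: int = 50) -> List[int]:
    """Turn packet timestamps into a sequence of quantized inter-arrival gaps.

    Quantizing absorbs the small, roughly constant forwarding delay that a
    relay adds, so the two legs of the same session yield the same sequence.
    """
    gaps = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    return [g // bucket_ms for g in gaps]


def edit_distance(a: List[int], b: List[int]) -> int:
    """Levenshtein distance: minimum number of insert/delete/substitute steps."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, start=1):
        cur = [i]
        for j, y in enumerate(b, start=1):
            cost = 0 if x == y else 1
            cur.append(min(prev[j] + 1,          # delete x
                           cur[j - 1] + 1,       # insert y
                           prev[j - 1] + cost))  # substitute (or match)
        prev = cur
    return prev[-1]


def relay_distance(ingress_ms: List[int], egress_ms: List[int], bucket_ms: int = 50) -> float:
    """Normalized edit distance between the two legs (0.0 = identical timing)."""
    a = inter_arrival_buckets(ingress_ms, bucket_ms)
    b = inter_arrival_buckets(egress_ms, bucket_ms)
    return edit_distance(a, b) / max(len(a), len(b), 1)


def chaff_suspected(ingress_ms: List[int], egress_ms: List[int], threshold: float = 0.2) -> bool:
    """Flag a relay whose egress timing has drifted from its ingress timing.

    A clean relay scores near 0; chaff packets inserted on the egress leg add
    gaps that have no counterpart on the ingress leg, pushing the score up.
    The threshold is an assumed value, not one taken from the paper.
    """
    return relay_distance(ingress_ms, egress_ms) > threshold


# Constructed sample data: keystroke packets seen on the ingress leg of a relay.
INGRESS_MS = [0, 250, 400, 1100, 1350, 1500, 2300, 2450]
# The same packets forwarded with a constant 30 ms relay delay.
CLEAN_EGRESS_MS = [t + 30 for t in INGRESS_MS]
# The same packets plus two chaff packets (at 700 ms and 1900 ms) carrying no keystrokes.
CHAFFED_EGRESS_MS = sorted(CLEAN_EGRESS_MS + [700, 1900])

if __name__ == "__main__":
    for label, egress in (("clean", CLEAN_EGRESS_MS), ("chaffed", CHAFFED_EGRESS_MS)):
        print(f"{label}: distance={relay_distance(INGRESS_MS, egress):.2f} "
              f"chaff_suspected={chaff_suspected(INGRESS_MS, egress)}")
```

This exercises only the chaff case; the abstract's response-time and causality algorithms address evasion that a timing comparison of this kind does not catch on its own.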


Keywords: anomaly detection algorithms and insider stepping stone attacks


Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 2, No. 1, pp. 103-120, June 2011