Detecting Anomalies in Active Insider Stepping Stone Attacks

Giovanni Di Crescenzo (1), Abhrajit Ghosh (1), Abhinay Kampasi (2), Rajesh Talpade (3) and Yin Zhang (4)

(1) Telcordia Technologies, Piscataway, NJ, USA; {giovanni, aghosh}@research.telcordia.com
(2) Microsoft, Redmond, WA, USA; abhinay.kampasi@microsoft.com
(3) Niksun, Princeton, NJ, USA; rtalpade@niksun.com
(4) University of Texas at Austin, 1616 Guadalupe, Suite 2.408, Austin, TX 78701, USA; yzhang@cs.utexas.edu
Abstract
Network attackers frequently route their traffic through a chain of compromised intermediate nodes to attack a target machine and maintain anonymity. This chain of nodes between the attacker and the target is called a stepping stone chain. Several classes of algorithms have been proposed to detect stepping stones; timing-correlation-based algorithms are a recent class that is attracting significant research interest. However, the existing timing-based algorithms can fail if the attacker actively evades detection by adding jitter or chaff to the connection. We have developed three anomaly detection algorithms, based on response time, edit distance and causality, that detect the presence of jitter and chaff in interactive connections. Experiments performed on the Deter testbed using real-world traces and live traffic demonstrate that the algorithms perform well, with very low false positive and false negative rates and a success rate of about 99%. By using the server's response times and the causality of traffic in both directions of an interactive connection, these algorithms make the existing stepping stone detection framework more robust and resistant to evasion.
Keywords: anomaly detection algorithms and insider stepping stone attacks
Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 2, No. 1, pp. 103-120, June 2011
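The abstract names response time and causality as two signals for spotting a stepping stone that adds jitter or chaff to an interactive connection. The following Python is an illustration added to this page, not the paper's algorithms or code: it builds constructed keystroke/response timelines (no real traces), profiles a clean session's response delays, and flags a session whose delays are inflated or scattered (jitter) or whose server packets too often have no preceding client packet that could have caused them (chaff). The one-response-per-keystroke pairing, the 50 ms causality window, the multiplier k and the 10% non-causal threshold are all our own assumptions for the toy model.

```python
"""Toy response-time and causality anomaly check for an interactive
connection. Added illustration, not the paper's algorithms. Model
assumptions (ours): one server response per client keystroke, packets
seen in capture (time) order, and a stepping stone that either adds
per-packet jitter or injects chaff (bogus server packets)."""
import bisect
import random
import statistics


def make_session(n, rtt_ms, jitter_ms=0.0, chaff=0, seed=0):
    """Construct a synthetic session (constructed data, not a trace):
    client keystroke times and the server packets answering them, in ms.
    jitter_ms: extra delay a stepping stone adds to each response.
    chaff: number of bogus server packets injected at random times."""
    rng = random.Random(seed)
    client, server = [], []
    t = 0.0
    for _ in range(n):
        t += rng.uniform(100, 400)                 # human typing gaps
        client.append(t)
        delay = rtt_ms + rng.uniform(0, 5)         # base round trip + noise
        server.append(t + delay + rng.uniform(0, jitter_ms))
    server += [rng.uniform(0, t) for _ in range(chaff)]
    server.sort()                                  # capture order
    return client, server


def response_delays(client, server):
    """Pair the i-th client packet with the i-th server packet (the
    one-response-per-keystroke model) and return delays in ms."""
    return [s - c for c, s in zip(client, server)]


def timing_profile(client, server):
    """Median response delay and its median absolute deviation (MAD)."""
    delays = response_delays(client, server)
    med = statistics.median(delays)
    mad = statistics.median([abs(d - med) for d in delays])
    return {"median": med, "mad": mad}


def noncausal_fraction(client, server, window_ms=50.0):
    """Fraction of server packets with no client packet in the preceding
    window_ms, i.e. packets nothing on the client side could have caused."""
    if not server:
        return 0.0
    bad = 0
    for s in server:
        i = bisect.bisect_right(client, s) - 1
        if i < 0 or s - client[i] > window_ms:
            bad += 1
    return bad / len(server)


def analyze(client, server, baseline, k=3.0, window_ms=50.0, max_noncausal=0.1):
    """Flag a session whose response delays are k times larger or more
    scattered than the baseline, or whose server traffic is too often
    uncaused by client traffic. Thresholds are illustrative choices."""
    prof = timing_profile(client, server)
    timing = prof["median"] > k * baseline["median"] or prof["mad"] > k * baseline["mad"]
    causality = noncausal_fraction(client, server, window_ms) > max_noncausal
    return {"timing_anomaly": timing, "causality_anomaly": causality}


def demo():
    """Baseline from one clean session; then a clean, a jittered and a
    chaffed session analysed against it."""
    baseline = timing_profile(*make_session(200, 20.0, seed=1))
    return {
        "clean": analyze(*make_session(200, 20.0, seed=2), baseline),
        "jitter": analyze(*make_session(200, 20.0, jitter_ms=300.0, seed=3), baseline),
        "chaff": analyze(*make_session(200, 20.0, chaff=100, seed=4), baseline),
    }


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name:7s} {flags}")
```

In this toy model the clean session trips neither check, the chaffed session trips the causality check (roughly a quarter of its server packets land outside any 50 ms response window), and the jittered session trips the timing check; because the added jitter also pushes most responses past the 50 ms window, it trips the causality check as well, which is why the two signals are complementary rather than redundant.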