Correlating TCP/IP Packet contexts to detect stepping-stone intrusion

Jianhua Yang*, David Woolbright

TSYS School of Computer Science, Columbus State University, 4225 University Ave., Columbus, GA 31907, USA

computers & security 30 (2011) 538–546. Available at www.sciencedirect.com; journal homepage: www.elsevier.com/locate/cose. doi:10.1016/j.cose.2011.06.003

Article history: Received 15 February 2011; received in revised form 10 May 2011; accepted 9 June 2011.

Keywords: Network security; Intrusion detection; Time-jittering; Chaff-perturbation; Stepping-stone; Packet context

* Corresponding author. E-mail addresses: [email protected] (J. Yang), [email protected] (D. Woolbright).

0167-4048/$ – see front matter © 2011 Elsevier Ltd. All rights reserved.

Abstract

Stepping-stone intrusion is one of the most popular techniques for attacking other computers, and detecting this form of intrusion and resisting intruders' evasion are critical security issues. In this paper, we propose a new approach to this problem by introducing packet context to help detect stepping-stone intrusion. The Pearson product-moment correlation coefficient is introduced to correlate packet contexts. The proposed approach does not need a threshold, and it is easily implemented. The experimental results show that the proposed approach can detect stepping-stone intrusion and resist intruders' time-jittering and chaff-perturbation manipulation to an extent.

© 2011 Elsevier Ltd. All rights reserved.

1. Introduction

Using one or more compromised computers as a means of attacking other host machines has become a popular technique of intruders. The compromised machines are referred to as stepping-stones (Zhang and Paxson, 2000). The use of this technique makes intrusion detection harder, and the more stepping-stones that are used, the safer the intruders feel. Many approaches have been proposed to detect stepping-stone intrusion. These approaches can be categorized into two types. The first type requires the computation of the length of the connection chain between a stepping-stone and the victim (Yang and Huang, 2007; Yung, 2002). The second type involves comparing incoming connections with the outgoing connections at any compromised host (Staniford-Chen and Heberlein, 1995; Yoda and Etoh, 2000; Wang et al., 2002; Blum et al., 2004).

The idea behind the first approach is that accessing a host indirectly through a long connection chain (rather than connecting directly) is highly suspicious. As illustrated in Fig. 1, detection involves the computation of the length of the whole connection chain from the intruder to the victim host, where the sensor is the stepping-stone at which a detection program resides. The longer a connection chain, the higher the possibility that the chain is used by an intruder. Some legitimate applications may need to use stepping-stones, but the chains are rarely longer than three connections (Yung, 2002). If a connection chain is longer than three computers, the user's intention is highly suspicious. The first type of approach has the advantage of detecting stepping-stone intrusion with a low false positive rate, and a low false negative rate if the total length of a connection can be computed accurately. As a practical matter, 1) it is difficult to compute the length of a connection chain precisely, and 2) it is impossible to compute the length


of a chain between an intruder and any one of the stepping-stones. This distance is called the "upstream length". If a sensor is coincidently close to the victim host, not being able to compute the upstream length would produce a high false negative rate.

Fig. 1 – An intrusion example with a long connection chain.

Fig. 2 illustrates a type II scenario in which we compare the incoming connections with the outgoing connections of a stepping-stone to see if any relayed connections exist. Notationally, we let C^in_k denote the kth incoming connection, and C^out_l denote the lth outgoing connection. The basic idea behind a type II approach is to find a feature or parameter F of the connections, and to compare F_in of an incoming connection with F_out of an outgoing connection to see if F_in is equal to or close to F_out. If the difference between F_in and F_out is within a predefined threshold, the two connections are considered to be relayed. It also indicates that the computer is used as a stepping-stone. Obviously, in a type II approach, we are not concerned with the location of the intruders and the victims since this information is difficult to obtain. Instead, we use the approach as a technique of detecting when a host has been used as a stepping-stone. Type I approaches vary in the kinds of features that are monitored. F can be packet content (Staniford-Chen and Heberlein, 1995), timestamps of the packets in a connection (Zhang and Paxson, 2000), timestamp gaps (Yung, 2002), number of packets (Blum et al., 2004; Donoho et al., 2002), watermark (Wang et al., 2002; Wang et al., 2001), or a comprehensive one from packet size, sequence number, timestamps, and so on (Yoda and Etoh, 2000). Selecting F properly is vital to guarantee the accuracy and efficiency of a detection approach. The main flaw of the type II approach is that the false positive error rate is high because it is not rare that some applications use one or two stepping-stones legitimately.

By varying F, we incur different advantages and disadvantages, but a common drawback shared by those approaches is that they are all vulnerable to intruders' manipulation by techniques such as time-jittering and chaff-perturbation. Time-jittering can change the timestamps and gaps of the packets in a connection chain, while watermarks, and the number of the packets in a TCP/IP session, can be manipulated by chaff-perturbation. The performance of an approach in detecting stepping-stone intrusion relies on the feature F selected. In this paper, to resist intruders' evasion, we propose using the context of a packet in a connection chain as the new feature F.

Fig. 2 – A stepping-stone (sensor) with incoming and outgoing connections.

The context of a packet, p, is defined as the timestamp gaps that exist between the packets around p. The rationale for selecting the context of a packet as feature F is that the context of a packet cannot change linearly with intruders' chaff-perturbation. Chaff-perturbation can alter the context of a packet, but, if the chaff-rate is limited, the packet's context can still be used to identify the packet. The motivation for using the context of a packet to detect stepping-stone intrusion is based on the notion that a person can recognize their home without having to remember their home address, simply by looking at the surrounding environment, provided the environment hasn't been radically altered. Experimental results show that a context-based approach can resist intruders' chaff-perturbation by up to 80% of chaff-rate.

Instead of collecting Send (request) packets, as often tried in other approaches, we propose to collect Echo (response) packets at both incoming and outgoing connections in order to detect stepping-stone intrusion. It is trivial for intruders to hold Send packets at a connection, and release them at the intruders' will, as a means of evading detection. However, it is non-trivial to hold Echo packets because they are the responses to the requests. Based on the TCP/IP protocol, if a reply is not made within a certain time, the request packets will need to be resent, which may incur more network traffic, making the network inefficient. On the other hand, if a Send packet is held, it does not affect the context of its corresponding Echo packet. We exploit this as a method for resisting intruders' time-jittering evasion.

The rest of this paper is arranged as follows: Section 2 summarizes the related work. Section 3 describes the stepping-stone detection model. Section 4 discusses how the proposed approach resists intruders' time-jittering and chaff-perturbation evasion. Section 5 presents the experimental results and discussion. In Section 6 we conclude and look at future work.

2. Related work

The first technique for detecting stepping-stone intrusion, proposed by Staniford-Chen and Heberlein (1995), compared the thumbprint, which is a summary of the packet contents in a TCP interactive session, of an incoming connection of a computer with that of an outgoing connection. The weakness of this approach is that it cannot be applied to encrypted sessions, where a packet's contents are invisible. To overcome this drawback, Zhang and Paxson (2000) proposed a time-based approach for detecting stepping-stone intrusion. The timestamp of a TCP packet cannot be encrypted when a packet is received at a stepping-stone, and this timestamp depends on the local clock of the stepping-stone host. An 'ON-OFF' pattern of a session can be formed with the timestamps

of the packets in the session. 'ON' is a time interval in which there are TCP/IP packets flowing through a connection. 'OFF' is an interval in which there is no packet flowing through a connection at all. Zhang and Paxson proposed comparing the 'ON-OFF' patterns of different sessions. If 'ON-OFF' patterns are obtained from monitoring both the incoming and outgoing connections of a computer and compared, it is trivial to determine if two connections are relayed, as well as if the computer is used as a stepping-stone. The disadvantage of this time-based approach is that an 'ON-OFF' pattern could be manipulated by intruders. For example, intruders can manipulate a TCP interactive session by either holding some packets for a time, or by inserting some meaningless packets into the session, as a way of making non-relayed connections appear related, or relayed connections appear unrelated. The former manipulation is called time-jittering, and the latter chaff-perturbation.

Yoda and Etoh proposed a deviation-based approach that is a network-based correlation scheme (Yoda and Etoh, 2000). A deviation is defined as the minimum average delay gap between the packet streams of two TCP connections. This method was based on the observation that the deviation of two unrelated connections is larger than that of two related connections. The deviation of two connections can therefore be used to distinguish whether the connections are relayed. The deviation-based approach has the following flaws, in addition to the drawbacks of a time-based approach: 1) it is not efficient to compute the deviation; 2) it is not applicable to a compressed session, because computing the deviation depends on the size of a packet; 3) it cannot correlate connections where padding is added to the payload, because it can only correlate TCP connections that have a one-to-one correspondence in their TCP sequence numbers; 4) correlation measurements are applicable only to post-attack traces, because the correlation metrics are defined over the entire duration of the sessions.

X. Wang et al. proposed an active approach which exploits a watermark idea in Wang et al. (2001). The basic idea of this approach is that if two connections are relayed, a watermark injected into an incoming connection could be identified with high probability from its corresponding outgoing connection. Otherwise, the probability that a watermark injected into an incoming connection is recovered at an outgoing connection would be very low. The main issue of this approach is that it incurs huge computations in terms of injecting a watermark and recovering it. Additionally, it is not guaranteed that an injected watermark cannot be affected by intruders' manipulation.

J. Yang and S. Huang proposed several approaches for detecting stepping-stone intrusion (Yang and Huang, 2007, 2006). Those approaches were focused on estimating the length of a connection chain from the intruder's side to the victim's side by matching TCP/IP packets. The algorithm proposed in Yang and Huang (2006) exploits some basic information of TCP/IP packets, such as the Acknowledgment and Sequence number of a packet, packet size, and packet type (Send, Echo, or Ack), to match TCP/IP packets in real time. The disadvantage of the algorithm is that either the matching rate or the matching accuracy is low. To overcome the issues that existed in Yang and Huang (2006), a clustering-partitioning data mining algorithm (Yang and Huang, 2007) was proposed for matching TCP/IP packets such that the length of the connection chain is computed. The main problem of the clustering-partitioning data mining algorithm is that it needs to monitor a connection chain during the whole session time. Wu and Huang (2010) proposed a neural network-based approach with just a few packets collected. Unfortunately, they did not explore how their neural network-based approach could resist intruders' chaff-perturbation.

The simplest way to compare two connections is to count and compare the number of packets in each connection. The difference between these two numbers should always be bounded if the two connections are relayed. Otherwise, it might be bounded, but this is not guaranteed. An approach based on counting the number of packets of an interactive session was proposed by Blum et al. (2004). They claimed that this method can resist intruders' evasions, such as time-jittering and chaff-perturbation, to a certain extent. Donoho et al. (2002) showed that there are theoretical limits on the ability of attackers to disguise the network traffic using evasions during a long interactive session. Using wavelet and multiscale methods they proved that even if a session is jittered by time-jittering and chaff-perturbation, it is still possible to detect intrusion by monitoring the session for a long enough time. However, Donoho et al. did not show how long a session needs to be monitored in order to detect a stepping-stone intrusion. Blum et al. achieved a provable bound on the number of packets required to be monitored in an interactive session in order to achieve a given confidence. The major problem with this approach is due to the fact that the upper bound on the number of packets required to be monitored is large, while the lower bound on the amount of chaffed packets needed to evade this detection is small. This fact makes Blum's method weak in resisting intruders' chaff-perturbation evasion.

Instead of focusing on comparing Send packets of connections, J. Yang et al. proposed a different approach (Yang et al., 2008) that involved comparing the number of Send packets of an incoming connection with the number of Echo packets of an outgoing connection. The packet stream of a connection was filtered and only the packets related to commands were kept. Every command-based Send packet should have at least one echoed packet. This means that the difference Δ between the number of Send packets of an incoming connection and the number of Echo packets of an outgoing connection can be modeled as a one-dimensional random-walk process. If two connections are relayed, Δ should always be bounded. So, whether a computer is used as a stepping-stone depends on whether Δ is bounded. The disadvantage of this approach is that the random-walk boundary is hard to determine, especially in the case that a session is manipulated. This makes the approach theoretically meaningful, but practically not very useful.

Motivated by a pattern recognition idea, J. Yang et al. were the first to propose CPM (Context-based Packet Matching) as a technique for detecting stepping-stone intrusion by correlating TCP/IP packet contexts (Yongzhong et al., 2010). That study shows that CPM can resist intruders' chaff-perturbation. The basic idea from which the CPM approach stems is that chaff can perturb the context of a packet, but if the chaff-rate is bounded, and the context of a packet is properly defined, the perturbed contexts can still be identified.

3. A stepping-stone detection model

The basic approach is to compare a selected feature F of an incoming connection with that of an outgoing connection to see if they are equal or close. This idea can be modeled as in Fig. 3, in which C_in and C_out represent an incoming and an outgoing connection of a host H_i, respectively; S_in (S_out) represents the Send packet stream of C_in (C_out); similarly, E_in (E_out) represents the Echo packet stream of C_in (C_out). The thumbprint of a connection, the 'ON-OFF' pattern of a packet stream, the deviation of a TCP session, the number of packets in a stream, and the watermark have been selected as feature F in the different studies mentioned above. Even though different approaches adopt different features, they all focus on using the Send packet stream, rather than the Echo stream. More or less, the feature F in those approaches can be easily manipulated by intruders with time-jittering or chaff-perturbation.

To make our approach more resistant to intruders' evasion, we use the context of each Echo packet in an Echo stream as F. In the following, we define a packet context and introduce the correlation coefficient as a way of comparing the contexts of different Echo packets.

Fig. 3 – A model for detecting stepping-stone intrusion: host H_i with incoming connection C_in (Send stream S_in, Echo stream E_in) and outgoing connection C_out (Send stream S_out, Echo stream E_out).

3.1. Packet context definition

The context of a packet p is defined as the sequence of timestamp gaps between p and the packets around p. For a given packet stream $E = \{p_1, p_2, \ldots, p_n\}$, where $p_i$ ($1 \le i \le n$) denotes the timestamp of the ith packet, the context of $p_i$ in a window with size $2w$ is defined as the sequence

$$\{\,|p_i - p_{i-w}|,\; |p_i - p_{i-(w-1)}|,\; \ldots,\; |p_i - p_{i-1}|,\; |p_{i+1} - p_i|,\; |p_{i+2} - p_i|,\; \ldots,\; |p_{i+w} - p_i|\,\},$$

where w is a positive integer. The context can be considered as the identity or thumbprint of a packet. We use the time distances to the w packets immediately before and after the packet as the feature for identifying the packet uniquely. The larger the window size w, the easier it is to identify the packet. A larger context window may incur more computation. A smaller one may lower the performance of the approach and incur a high false positive rate. Selecting a context window with a proper size is critical to the performance of the detection model. In this paper, the context window size is seven.

If there are w packets before and after a given packet in a packet stream, the context of the packet is called a "symmetric context". If there are fewer than w packets either before or after the packet, but the total number of packets used to define the context of the packet still remains $2w$, the context defined under this situation is called an "asymmetric context". For the above sequence E, assuming $w = 3$, the packets $p_1$, $p_2$, $p_3$, $p_{n-2}$, $p_{n-1}$, and $p_n$ have asymmetric contexts. For example, the context of packet $p_1$ is $\{|p_7 - p_1|, |p_6 - p_1|, \ldots, |p_2 - p_1|\}$, which has zero packets before $p_1$ and six packets after $p_1$; the context of $p_3$ is $\{|p_3 - p_1|, |p_3 - p_2|, |p_4 - p_3|, |p_5 - p_3|, |p_6 - p_3|, |p_7 - p_3|\}$, which has two packets before and four packets after packet $p_3$.

3.2. Context distance

A packet context can be viewed as a random variable. The correlation coefficient indicates the strength and direction of a linear relationship between two random variables. There are three types of correlation coefficients: Spearman Rank, Kendall Tau Rank, and Pearson Product-Moment (Kendall, 1938; Rodgers and Nicewander, 1988; Jerome Myers and Arnold Well, 2003). Spearman and Kendall Tau Rank are not suitable for packet context correlation because they require an ordered random variable (increasing or decreasing). The Pearson product-moment correlation coefficient, or Pearson's correlation, does not require a ranked variable, so we adopt Pearson's correlation to represent the distance between two contexts. A corollary of the Cauchy-Schwarz inequality states that the correlation cannot exceed one in absolute value. The closer the coefficient is to either −1 or 1, the stronger the correlation between the two variables. Let $r_{X,Y}$ denote the correlation coefficient between two random variables X and Y which represent the contexts of two different packets, respectively. The distance between two contexts X and Y is defined as $d_{X,Y} = 1 - |r_{X,Y}|$. For two given variables $X = \{x_1, x_2, \ldots, x_n\}$ and $Y = \{y_1, y_2, \ldots, y_n\}$ which contain n measurements respectively, Pearson's correlation between X and Y can be computed as follows:

$$r_{X,Y} = \frac{n\sum_{i=1}^{n} x_i y_i - \sum_{i=1}^{n} x_i \sum_{i=1}^{n} y_i}{\sqrt{n\sum_{i=1}^{n} x_i^2 - \left(\sum_{i=1}^{n} x_i\right)^2}\;\sqrt{n\sum_{i=1}^{n} y_i^2 - \left(\sum_{i=1}^{n} y_i\right)^2}} \qquad (1)$$

3.3. Matching packet

We use the context distance to determine the matched packet in a stream $E_2 = \{p_{21}, p_{22}, \ldots, p_{2m}\}$ for a packet $p_{1i}$ in a stream $E_1 = \{p_{11}, p_{12}, \ldots, p_{1n}\}$. Suppose the dataset $D = \{d_1, d_2, \ldots, d_m\}$ represents the context distances between $p_{1i}$ and the packets of $E_2$. The minimum distance of D cannot always represent the matched packet pair between $E_1$ and $E_2$ because it is possible that there is no matched packet pair at all, but D always has a minimum value. In this paper, we derive the matched packet pair by finding the outlier of the dataset D. In the case of more than one outlier found, we take the minimum of the outliers as the best match. If D has no outlier, it means there is no matched packet pair between $E_1$ and $E_2$.

There are many ways to find the outliers for a given dataset. We use a statistical method involving the mean and the standard deviation of a random variable. For our purposes, anything that falls less than two standard deviations away from the mean is an outlier. If dataset D is our random variable, we let μ and σ denote the mean and standard deviation of D, respectively. For any value $d_i$ in D, if the following condition is met, $d_i$ is an outlier of D.

$$|d_i - \mu| < 2\sigma \qquad (2)$$

If no element in D satisfies equation (2), there is no matched packet in $E_2$ for the packet $p_{1i}$ of $E_1$. If more than one outlier is found, the best match is the minimum of all outliers.

Fig. 4 – Overall flow of the detection algorithm:
1) Given two packet sequences $E_1$ with n packets and $E_2$ with m packets.
2) Compute the context of each packet in $E_1$ and $E_2$, respectively.
3) Compute the context distance set for each packet in $E_1$.
4) Determine the matched packet in $E_2$ for each packet in $E_1$ based on each context distance set.
5) Count the number of the matched packets, $N_{matched}$, in $E_1$.
6) Compute the relayed degree between $E_1$ and $E_2$ by the ratio between $N_{matched}$ and n.

3.4. A context-based detection algorithm

We assume that a host has k incoming connections and l outgoing connections. To determine if a connection $C_i$ of the k incoming connections has a relayed connection $C_o$ among the l outgoing connections, the "relayed degree" between two connections is proposed. The relayed degree represents the extent to which two connections are relayed. We use the packet matching rate between two Echo packet streams to measure the relayed degree of two connections. The higher the relayed degree, the higher the probability that the two connections are relayed.

For two given sequences $E_1$ with n packets and $E_2$ with m packets, the matching rate between $E_1$ and $E_2$ is defined as the ratio between the number of the matched packets in $E_1$ with $E_2$ and the total number of packets in $E_1$. The matched packet pair can be determined by the method described in Section 3.3. The context of each packet in $E_1$ is examined and compared with the context of every packet in $E_2$ to see if any matched pair exists. The matching rate can be computed by counting all the matched packets in $E_1$. By comparing an incoming connection $C_i$ with all the outgoing connections, we get a dataset $R = \{r_1, r_2, \ldots, r_l\}$ which contains all the relayed degrees between $C_i$ and each of the l outgoing connections. The outlier, or the maximum of the outliers, in dataset R indicates which outgoing connection is the relayed connection for $C_i$. If no outlier is found in R, there is no relayed outgoing connection for the incoming connection $C_i$. The above process can be repeated for the other incoming connections until all k incoming connections are examined. Similar to the idea in Section 3.3, the outlier in R can be found using equation (3), where μ and σ denote the mean and standard deviation of the random variable R, respectively.

$$|r_i - \mu| > 2\sigma \qquad (3)$$

The proposed algorithm for detecting stepping-stone intrusion and resisting intruders' evasion is illustrated in Fig. 4. We name the algorithm the Context-Based stepping-stone Intrusion Detection model (CBID).

4. Resisting intruders' manipulation

4.1. Resistance to time-jittering evasion

CBID can resist intruders' time-jittering evasion. Intruders normally manipulate S_in or S_out, rather than E_in or E_out (see Fig. 3). Based on the TCP/IP protocol design, any request must be responded to within a certain time limit, otherwise that request must be resent. Unlike holding request packets, holding response packets would cause many resends of the corresponding request packets. This would incur lots of network traffic, making the network inefficient. It is reasonable to assume that intruders will manipulate only the request stream.

Suppose S_in is manipulated and has the timestamp sequence $\{t_{s_1}, t_{s_2}, \ldots, t_{s_n}\}$. The time-jittering manipulation can affect, and only affect, S_out. We assume S_out has the timestamp sequence $\{t_{s_1} + \Delta t_{s_1}, t_{s_2} + \Delta t_{s_2}, \ldots, t_{s_n} + \Delta t_{s_n}\}$. The stream S_out determines E_out if they are in the same session. The difference between E_out and E_in is bounded if the two connections are relayed. E_in is assumed to have the timestamp sequence $\{t_{e_1}, t_{e_2}, \ldots, t_{e_m}\}$. If $e_i$ and $e_j$ are the responses of $s_i$ and $s_j$ respectively, the difference between the gap $t_{e_j} - t_{e_i}$ and the gap $t_{s_j} - t_{s_i}$ is bounded. The gap between any two packets in E_in is determined by the corresponding gap in S_out. In other words, any context change in S_out is reflected as the same change in the contexts of E_in and E_out, respectively. Even if an incoming connection is manipulated through time-jittering, CBID can still identify the relayed connection by correlating E_in and E_out.

4.2. Resistance to chaff-perturbation evasion

We use a context window size of 2 × 3 to demonstrate why and how CBID can resist intruders' chaff-perturbation evasion. Assume $s_i$ with timestamp $t_{s_i}$ is a packet in E_out and $e_j$ with timestamp $t_{e_j}$ is a packet in E_in, and $s_i$ and $e_j$ are matched. Before E_out is manipulated, $s_i$ has the context sequence

$$CS_{s_i} = \{\,t_{s_i} - t_{s_{i-3}},\; t_{s_i} - t_{s_{i-2}},\; t_{s_i} - t_{s_{i-1}},\; t_{s_{i+1}} - t_{s_i},\; t_{s_{i+2}} - t_{s_i},\; t_{s_{i+3}} - t_{s_i}\,\},$$

and $e_j$ has the context sequence

$$CS_{e_j} = \{\,t_{e_j} - t_{e_{j-3}},\; t_{e_j} - t_{e_{j-2}},\; t_{e_j} - t_{e_{j-1}},\; t_{e_{j+1}} - t_{e_j},\; t_{e_{j+2}} - t_{e_j},\; t_{e_{j+3}} - t_{e_j}\,\}.$$

Since $s_i$ and $e_j$ are matched, the following approximations (4) are satisfied:

$$\begin{aligned} t_{s_i} - t_{s_{i-3}} &\approx t_{e_j} - t_{e_{j-3}} \\ t_{s_i} - t_{s_{i-2}} &\approx t_{e_j} - t_{e_{j-2}} \\ &\;\;\vdots \\ t_{s_{i+3}} - t_{s_i} &\approx t_{e_{j+3}} - t_{e_j} \end{aligned} \qquad (4)$$

We assume that intruders chaff a stream randomly. If E_out is randomly chaffed with two packets, one between $s_i$ and $s_{i-1}$ and another between $s_i$ and $s_{i+1}$, the context sequence of $s_i$

Page 6: Correlating TCP/IP Packet contexts to detect stepping-stone intrusion

c om p u t e r s & s e c u r i t y 3 0 ( 2 0 1 1 ) 5 3 8e5 4 6 543

with the same window size becomesCSs�ı ¼ ftsi � tsi�2; tsi � tsi�1

;

tsi � ts�ı�1; ts�ıþ1

� tsi ; tsiþ1� tsi ; tsiþ2

� tsig. Here we use s�ı�1 to repre-

sent the chaffed packet before si, and s�ıþ1 to represent the

packet inserted after si. After chaff-perturbation, the following

approximations (5) are satisfied,

tsi � tsi�2ztej � tej�2

tsi � tsi�1ztej � tej�1

tsiþ1� tsiztejþ1

� tejtsiþ2

� tsiztejþ2� tej

(5)

Compare the above two approximations (4) and (5). It is easy

to see that 33.3% of the context is affected by the two packets

chaffed randomly. But it is still possible to match the two

packets their contexts correlation because 66.6%of the context

remains unchanged. Of course, the change in context of the

packets in a stream caused by chaff-perturbation is far more

complex than this case. The above analysis suggests that as

longas the chaff-rate,which is definedas the ratio between the

number of the chaffed packets and the number of the packets

in a streambeforebeing chaffed is bounded, the contextsof the

packets can be used to identify the relayed connections. Next

we will examine how packet chaffing affects CBID.
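As an added example (not code from the paper), the following Python builds the context sequence of a packet for a $2 \times w$ window and counts how many of its entries keep their value once chaff is inserted. It reproduces the two-chaff-packet case above (four of six entries survive) and generalises to arbitrary chaff positions. The timestamps in `TS` and the chaff positions are constructed for illustration.

```python
# Added example, not the paper's code: builds the context sequence CS of a
# packet for a 2 x w window (section 4.2) and measures how many of its 2w
# entries keep their value after chaff packets are inserted. Timestamps and
# chaff positions are constructed for illustration.
from collections import Counter
from typing import List, Sequence, Tuple


def context(ts: Sequence[float], i: int, w: int) -> List[float]:
    """CS of packet i for window 2 x w:
    {t_i - t_{i-w}, ..., t_i - t_{i-1}, t_{i+1} - t_i, ..., t_{i+w} - t_i}."""
    back = [ts[i] - ts[i - k] for k in range(w, 0, -1)]
    fwd = [ts[i + k] - ts[i] for k in range(1, w + 1)]
    return back + fwd


def with_chaff(ts: Sequence[float], chaff: Sequence[float]) -> Tuple[List[float], List[int]]:
    """Merge chaff timestamps into the stream. Returns the chaffed stream and,
    for every original packet, its index in the chaffed stream."""
    merged = sorted([(t, 0) for t in ts] + [(t, 1) for t in chaff])
    stream = [t for t, _ in merged]
    where = [k for k, (_, is_chaff) in enumerate(merged) if not is_chaff]
    return stream, where


def surviving_fraction(ts: Sequence[float], i: int, w: int, chaff: Sequence[float]) -> float:
    """Share of the 2w context entries of packet i whose gap value is still
    present in its context after the chaff is inserted (counted as multisets,
    so a surviving entry that merely moved position still counts)."""
    before = Counter(round(g, 9) for g in context(ts, i, w))
    stream, where = with_chaff(ts, chaff)
    after = Counter(round(g, 9) for g in context(stream, where[i], w))
    kept = sum((before & after).values())
    return kept / (2 * w)


# Constructed timestamps (seconds) of seven Echo packets; index 3 plays s_i.
TS = [0.0, 0.4, 0.9, 1.7, 2.2, 3.0, 3.1]

if __name__ == "__main__":
    print("CS_{s_i}:", context(TS, 3, 3))
    # one chaff packet just before s_i and one just after (the paper's case):
    # 4 of the 6 entries survive
    print(surviving_fraction(TS, 3, 3, [1.2, 2.0]))
    # a single chaff packet in the third gap back only displaces the outermost
    # entry: 5 of 6 survive
    print(surviving_fraction(TS, 3, 3, [0.2]))
    # chaff outside the window leaves the context untouched
    print(surviving_fraction(TS, 3, 3, [-1.0]))
```

The multiset comparison is what makes the paper's argument visible: a chaff packet shifts entries by one position, but the gap values between the original packets are still present in the new context, so only the entries that involve a chaff packet (or that were pushed out of the window) are lost.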

5. Experimental results and discussion

In this section, we display our experimental results after

applying CBID for stepping-stone intrusion detection. First we

introduce the experimental environment, and then show the

experimental results with and without chaff-perturbation,

respectively. The purpose is to show how CBID resists

intruders’ evasion, particularly in the case of chaff-

perturbation.

5.1. The experimental environment

Ten users were connected to the server Acl08 located in our lab using OpenSSH. They were asked to connect from Acl08 to a Unix server in Shanghai, China. Thus Acl08 was used as a stepping-stone with ten incoming connections and ten outgoing connections. The ten users were scattered across our university and conducted the experiments from their own computers. Different users executed different Unix commands after they logged into the host, but all were required to start their experiments at the same time and to type at their own normal speed. The entire experimental environment is shown in Fig. 5.

Fig. 5. Experimental setup.

In this setup there were ten connections into Acl08 and ten connections leaving Acl08. Assume the ten users are named A, B, C, ..., I, J. Obviously, user A's incoming connection was relayed with his or her own outgoing connection, whereas the incoming connection of one user was not relayed with the outgoing connection of any other user; for example, user B's incoming connection was not relayed by user C's outgoing connection. If we compare user A's incoming connection with all ten outgoing connections, we therefore find exactly one relayed pair and nine unrelayed pairs.

5.2. Experimental results and discussion

TCP/IP packets can be collected with existing tools such as Wireshark and tcpdump. We wrote our own program on top of the pcap library (libpcap) on a Linux system to monitor and collect the Send and Echo packets of each connection. The Send and Echo packets collected from different connections were put into different sequences: ten Echo sequences were collected from the 10 incoming connections, and another ten Echo sequences from the 10 outgoing connections of host Acl08. We computed the relayed degree between each incoming sequence and every outgoing sequence by applying CBID with window size $2 \times 7$. The results, obtained without chaffing, are shown in Table 1. Consider user A as an example. We know that user A's incoming connection can only be relayed by user A's outgoing connection. The experiment gave the following relayed degrees (MR) between user A's incoming connection and each of the ten outgoing connections: $R = \{0.972, 0.043, 0.012, 0.037, 0.022, 0.014, 0.026, 0.011, 0.016, 0.013\}$. The mean and (sample) standard deviation of $R$ are 0.117 and 0.3, respectively. Using inequality (3) we see that the outlier of $R$ is 0.972, the relayed degree between the incoming and the outgoing connection of user A. Similar computations can be carried out for the other users. The experimental results confirm that each user's incoming connection can only be relayed by his or her own outgoing connection.

Table 1. Experimental results MR (%) without chaff (rows: incoming connection; columns: outgoing connection).

In\Out      A      B      C      D      E      F      G      H      I      J
A        97.2    4.3    1.2    3.7    2.2    1.4    2.6    1.1    1.6    1.3
B         3.4   98.1    2.1    2.3    1.4    1.6    1.2    1.8    1.3    1.1
C         2.7    2.4   95.6    2.1    2.2    1.4    1.3    1.9    2.1    2.2
D         1.2    3.1    2.6   96.3    3.1    2.3    1.5    2.4    1.2    1.7
E         1.5    2.1    2.1    2.1   96.9    1.4    1.6    2.1    2.2    2.0
F         1.8    2.2   0.61    1.5    2.1   97.5    2.6    1.8    1.9    1.7
G         2.6    1.4    2.1    1.4    2.4    1.2   94.8    1.3    2.1    0.6
H         2.4    1.5    2.2    2.1    2.3    3.2    2.3   96.7    3.1    3.4
I         1.7    1.6    1.3    3.5    3.1    1.6    2.1    4.1   98.3    1.7
J         1.6    1.5    1.4   0.95    1.1    1.9    1.7    3.1    1.8   97.3

Instead of applying real chaff, we simulated chaff-perturbation: taking the packet sequences collected from each connection, we randomly added 10%, 20%, 30%, ..., up to 100% chaff and applied the CBID detection algorithm to see whether the relayed pairs could still be identified. Tables 2–6 show part of the simulation results, for chaff-rates of 10%, 30%, 50%, 80% and 100% respectively. Even when the chaff-rate is as high as 80%, CBID can still identify the relayed connections. Table 6, however, shows that inequality (3) cannot be satisfied when the chaff-rate reaches 100%. Take user I, with $R = \{0.227, 0.241, 0.251, 0.239, 0.123, 0.197, 0.178, 0.169, 0.276, 0.246\}$, as an example. The mean and standard deviation of $R$ are 0.215 and 0.047, respectively, and the largest MR in $R$, 0.276, does not satisfy inequality (3). This indicates that CBID is not effective once the chaff-rate reaches 100% or higher. The proposed context-based stepping-stone detection algorithm can thus resist intruders' chaff manipulation to a certain degree: in our experiments up to a chaff-rate of 80%, but not at 100%.

Table 2. Experimental results MR (%) with 10% chaff (rows: incoming connection; columns: outgoing connection).

In\Out      A      B      C      D      E      F      G      H      I      J
A        88.2    5.1    2.7    1.4    3.5    2.4    3.5    0.7    2.3    4.9
B         3.5   91.2    1.2    3.2    4.5    6.2    2.4    1.9    3.2    0.9
C         1.6    3.4   86.3    2.6    3.5    1.5    1.6    1.8    2.8    3.4
D         2.2    3.5    3.7   82.4    2.2    3.2    4.2    1.7    0.9    2.4
E         2.4    1.2    4.2    3.3   91.5    3.3    2.2    2.3    3.4    5.5
F         2.7    1.9   0.92    2.4    3.2   84.3    1.4    2.3    2.2    3.4
G         1.2    3.2    3.2    2.7    3.5    2.4   88.1    3.7    5.8    2.8
H         1.3    2.6    4.3    3.4    6.1    1.3    1.7   84.7    2.2    2.1
I         2.7    2.5    3.2    3.3    3.3    2.7    3.5    2.4   90.8    2.6
J         2.5    3.4    2.3    3.8    2.4    1.6    3.2    2.2    4.5   89.7

Table 3. Experimental results MR (%) with 30% chaff (rows: incoming connection; columns: outgoing connection).

In\Out      A      B      C      D      E      F      G      H      I      J
A        78.1    5.2    4.8    4.4    2.7    8.1    4.5    5.3    8.5    4.7
B         4.5   81.2    6.7    8.9    4.5    3.7    9.2    8.1    6.7    5.9
C         5.6    6.1   77.2    8.3    5.4    4.1    8.4    9.5    2.3    1.7
D         6.8    9.0    1.7   71.5    4.3    6.7    8.1    1.4    6.7    9.1
E         5.2    4.1    6.2    9.1   69.3    4.5    6.7   10.8    5.6    8.1
F         4.6    4.7    1.0    5.3    2.5   72.4    8.9    9.1    2.1    3.4
G         4.4    4.5    6.7    1.2    3.5    7.2   73.1    4.2    4.3    1.3
H         2.7    2.2    2.6    2.1   10.8   11.6    9.2   79.5    8.4    6.3
I         5.2    5.6    7.8    9.2    1.2    3.5    5.6    3.4   76.3    4.8
J         3.4    1.2    7.3    8.1    9.0    3.9    5.7    6.2    1.2   80.2

Table 4. Experimental results MR (%) with 50% chaff (rows: incoming connection; columns: outgoing connection).

In\Out      A      B      C      D      E      F      G      H      I      J
A        68.1    6.2    5.7    6.3    8.6    3.7    4.9    3.8    4.8    8.1
B         4.5   72.3   10.2    7.6    5.6    8.2    6.3    3.2   11.3   10.4
C        11.2    4.7   61.2    3.8    9.5    8.3    7.4    7.3    8.2   11.3
D         6.5    7.3    8.3   67.4    8.3    9.1    7.4    6.2    9.1   10.5
E        11.2   12.2    6.7    8.9   70.2    9.4    8.6    9.1   13.1   10.0
F         9.6    6.8    7.6    6.5    7.9   71.9    9.6    8.9    7.8   11.6
G        12.5   11.3   12.2   11.1    8.5    9.6   64.3   10.3   12.3   10.5
H         5.5    7.6    6.7    8.6    8.6    9.5    7.6   62.1    4.6    7.5
I         7.8    7.5   11.3   13.2    7.4    8.6   11.3    9.4   72.4    8.7
J        10.6   11.6   10.6   10.9   10.3   11.8   11.6    5.4    6.7   59.1

An interesting point to note concerning the use of CBID for detecting stepping-stone intrusion is the requirement that the dataset $R$ be sufficiently large. In our experiments we monitored only ten connections, so the random variable $R$ had ten values. We also tried using four connections; in that case inequality (3) could not be satisfied even without any chaff. Consider user A in Table 1. Taking only the relayed degrees between the incoming connection of user A and the outgoing connections of users A, B, C and D, we have $R = \{0.972, 0.043, 0.012, 0.037\}$, with mean 0.266 and standard deviation 0.471. Obviously no value in $R$ can satisfy inequality (3). The result is interesting, but consistent with a basic property of small samples: among $n$ values, none can lie more than $(n-1)/\sqrt{n}$ sample standard deviations from the sample mean, so with $n = 4$ no value can be more than 1.5 standard deviations away from the mean.
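The following Python is an added example, not the authors' CBID implementation. It reproduces the shape of this experiment on constructed Echo streams: it builds the relayed-degree matrix between ten incoming and ten outgoing Echo sequences, applies random chaff to the outgoing streams, and picks the outlier of each row. Because this page does not reproduce the CBID matching rule or inequality (3), three things are assumptions of the example: two $2 \times 7$ contexts are taken to match when their Pearson correlation is at least `MATCH_R` (0.99) and the packets lie within `SEARCH` seconds of each other; MR is the share of incoming packets that find such a match; and the outlier rule is $\max(R) > \bar{R} + 2s$ with $s$ the sample standard deviation. The session generator also encodes the relay model of section 4.1: whatever the timing of the Send packets, each $E_{in}$ packet is an $E_{out}$ packet delayed by a bounded relay time.

```python
# Added example, not the paper's code: a CBID-style experiment on constructed
# Echo streams (relayed-degree matrix, chaff simulation, outlier test).
# Assumptions, mine rather than the paper's: two contexts match when their
# Pearson correlation is >= MATCH_R and the packets lie within SEARCH seconds;
# MR is the share of incoming Echo packets that find such a match; and, since
# inequality (3) is not reproduced on this page, the outlier rule used here is
# max(R) > mean(R) + 2 * s(R), with s the sample standard deviation.
import math
import random
from typing import List, Optional, Sequence, Tuple

W = 7            # context window 2 x 7, as in section 5.2
MATCH_R = 0.99   # assumed: minimum Pearson correlation for two contexts to match
SEARCH = 2.0     # assumed: outgoing candidates searched within 2 s of the incoming packet


def context(ts: Sequence[float], i: int, w: int) -> List[float]:
    """Context of packet i: the w gaps back from t_i, then the w gaps forward."""
    back = [ts[i] - ts[i - k] for k in range(w, 0, -1)]
    fwd = [ts[i + k] - ts[i] for k in range(1, w + 1)]
    return back + fwd


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson product-moment correlation coefficient of two equal-length vectors."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx > 0 and syy > 0 else 0.0


def relayed_degree(ein: Sequence[float], eout: Sequence[float], w: int = W) -> float:
    """MR(in, out): fraction of incoming Echo packets (with a full window) whose
    context correlates >= MATCH_R with the context of some outgoing Echo packet
    that lies within SEARCH seconds of it."""
    matched = total = 0
    for i in range(w, len(ein) - w):
        total += 1
        ci = context(ein, i, w)
        for j in range(w, len(eout) - w):
            if abs(eout[j] - ein[i]) > SEARCH:
                continue
            if pearson(ci, context(eout, j, w)) >= MATCH_R:
                matched += 1
                break
    return matched / total if total else 0.0


def gen_session(rng: random.Random, n: int = 120) -> Tuple[List[float], List[float]]:
    """One relayed session on constructed timestamps (seconds). The Sout gaps are
    whatever the sender produced (jittered or not); each Eout packet answers its
    Sout packet after a short server delay, and each Ein packet is that Eout
    packet relayed with a delay bounded by 20 ms. Returns (ein, eout)."""
    t, sout = 0.0, []
    for _ in range(n):
        t += 0.1 + rng.expovariate(1 / 0.7)                # constructed gaps
        sout.append(t)
    eout = [s + rng.uniform(0.005, 0.03) for s in sout]     # server response time
    ein = [e + rng.uniform(0.0, 0.02) for e in eout]        # bounded relay delay
    return ein, eout


def chaff(ts: Sequence[float], rate: float, rng: random.Random) -> List[float]:
    """Insert round(rate * len(ts)) chaff packets at uniformly random times."""
    extra = [rng.uniform(ts[0], ts[-1]) for _ in range(round(rate * len(ts)))]
    return sorted(list(ts) + extra)


def relayed_degree_matrix(sessions, chaff_rate: float = 0.0,
                          rng: Optional[random.Random] = None) -> List[List[float]]:
    """MR between every incoming Echo stream (rows) and every outgoing one (columns)."""
    outs = [eout if chaff_rate == 0 else chaff(eout, chaff_rate, rng)
            for _, eout in sessions]
    return [[relayed_degree(ein, out) for out in outs] for ein, _ in sessions]


def outlier(R: Sequence[float]) -> Optional[int]:
    """Index of the outlier of R under the assumed rule max(R) > mean(R) + 2*s(R),
    or None. No value among n can lie more than (n - 1)/sqrt(n) sample standard
    deviations from the mean, so this rule can never fire for n <= 5."""
    n = len(R)
    if n < 3:
        return None
    m = sum(R) / n
    s = math.sqrt(sum((x - m) ** 2 for x in R) / (n - 1))
    k = max(range(n), key=lambda idx: R[idx])
    return k if R[k] > m + 2 * s else None


def run_experiment(seed: int = 7, n_sessions: int = 10, chaff_rate: float = 1.0):
    """Ten relayed sessions as in Fig. 5; returns the MR matrix without chaff and
    the MR matrix after chaffing every outgoing stream at chaff_rate."""
    rng = random.Random(seed)
    sessions = [gen_session(rng) for _ in range(n_sessions)]
    return (relayed_degree_matrix(sessions),
            relayed_degree_matrix(sessions, chaff_rate, rng))


if __name__ == "__main__":
    clean, chaffed = run_experiment()
    for label, M in (("no chaff", clean), ("100% chaff", chaffed)):
        print(label)
        for a, row in enumerate(M):
            print("  in %d:" % a, " ".join("%5.1f" % (100 * x) for x in row),
                  " outlier:", outlier(row))
    print("only four connections:", outlier(clean[0][:4]))   # None: too few values
```

Run as a script it prints the two matrices in the layout of Tables 1 and 6: without chaff the diagonal is at 100% and every row's outlier is found, while with the outgoing streams chaffed at 100% the diagonal falls below 100% because almost every $2 \times 7$ window now contains chaff packets. The last line repeats the four-connection case above: the first four entries of a row yield no outlier, since among $n$ values none can exceed the mean by more than $(n-1)/\sqrt{n}$ sample standard deviations, so a rule of this kind cannot fire for $n \le 5$.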

Table 5. Experimental results MR (%) with 80% chaff (rows: incoming connection; columns: outgoing connection).

In\Out      A      B      C      D      E      F      G      H      I      J
A        51.2   11.4   15.6    9.8    8.5    9.2   12.3   14.6   11.6   12.7
B        10.1   47.5    9.8    8.9   17.2   14.5   11.3   16.7   15.4   12.3
C        10.5   12.3   46.4   14.5   12.4    9.4   10.6   12.9   12.4   10.1
D         9.6    8.5    9.8   41.3   10.5   10.7    6.7   11.8   13.2   14.7
E         8.5    8.3    9.2    7.8   40.8   10.3   11.2    9.4    9.6   10.5
F        10.6   12.9   11.3   14.5   11.2   49.6    8.9    9.3    9.1   12.4
G        11.2   13.9   14.6   12.9   13.1   10.1   50.5   10.4    9.7    9.8
H         9.6    9.4   13.2   10.4   13.1   12.8   11.9   39.2    5.8   12.7
I        10.6   11.4    9.0    7.8   12.4   11.4    9.3   10.5   44.3   11.3
J        15.6    8.4    6.7    9.6   10.3   12.4   11.3   13.2   16.7   48.1

Table 6. Experimental results MR (%) with 100% chaff (rows: incoming connection; columns: outgoing connection).

In\Out      A      B      C      D      E      F      G      H      I      J
A        36.3   20.1   19.5   26.2   14.8   18.2   17.6   21.7   22.4   23.2
B        20.6   32.1   21.7   24.1   25.7   19.6   15.8   16.7   22.5   20.8
C        17.5   18.3   30.4   19.4   18.3   17.6   21.7   22.6   14.8   16.3
D        21.9   20.7   19.4   27.1   17.6   21.8   23.4   19.4   18.5   11.3
E        13.7   15.7   17.3   12.8   25.8   15.9   14.8   19.5   21.8   23.2
F        19.8   17.5   14.8   16.7   19.8   31.5   19.1   13.5   22.7   24.5
G        21.6   22.4   14.7   13.7   18.4   19.5   33.1   14.6   19.2   17.8
H        20.4   22.3   15.6   19.4   17.8   19.1   13.2   19.7   14.8   14.7
I        22.7   24.1   25.1   23.9   12.3   19.7   17.8   16.9   27.6   24.6
J        19.6   18.5   11.6   19.3   19.1   13.8   23.9   22.4   16.7   37.3

5.3. Comparing IDS algorithms

Many approaches have been proposed for detecting stepping-stone intrusion, but few can resist intruders' chaff-perturbation, and resistance to chaff-perturbation is discussed or mentioned in only a few of them. The experimental results and discussion above show that our approach resists chaff-perturbation at chaff-rates up to 80%, the highest rate at which inequality (3) was still satisfied, though not at 100%. In other words, even if an intruder manipulates a connection by inserting useless packets amounting to 80% of its original traffic, our approach can still identify the manipulated connection. In this section we compare our technique with state-of-the-art algorithms in terms of their resistance to intruders' chaff-perturbation.

The approach proposed by Blum et al. (2004) can detect stepping-stone intrusion and also resist chaff-perturbation. Theorem 7 of Blum et al. (2004) states that if the packet stream of a connection behaves as a Poisson process, their algorithm can detect the intrusion with a false positive rate $\delta$ provided the intruder sends fewer than $p_\Delta$ chaff packets in every $8(p_\Delta + 1)^2 \log(1/\delta)$ packets. The tolerated chaff-rate is therefore

$$\frac{p_\Delta}{8(p_\Delta + 1)^2 \log(1/\delta)} \approx \frac{1}{8\, p_\Delta \log(1/\delta)}$$

when $p_\Delta$ is much larger than one. The smaller the false positive rate $\delta$, the lower the tolerated chaff-rate; and $\delta$ cannot be made too large, since that causes many other problems. If we select the typical values $\delta = 0.1$ and $p_\Delta = 3$, the chaff-rate tolerated by the algorithm of Blum et al. is about 4.5%, which is much lower than that of our approach.

He and Tong (2007) proposed an algorithm, DBDC (DETECT-BOUNDED-MEMORY-CHAFF), for detecting stepping-stone intrusion under bounded-memory or bounded-delay perturbation. DBDC was stated to cope with chaff evasion and to tolerate a number of chaff packets proportional to the size of the attacking traffic. Their study shows that if the packet delay is bounded by $\Delta$, an intruder must insert at least $n/(1 + \lambda\Delta)$ chaff packets in every $n$ packets to evade DBDC, so the chaff-rate tolerated by DBDC is $1/(1 + \lambda\Delta)$, where $\lambda$ is the rate parameter of a Poisson process, i.e. the expected number of packets in a unit interval. Smaller $\lambda$ and $\Delta$ would let DBDC tolerate more chaff, but would also give it a high false-alarm probability for a wide range of normal traffic. The chaff-rate of DBDC is bounded by 100% ($\lambda = 0$ and $\Delta = 0$). A typical example is $\lambda = 1.0375$ and $\Delta = 10$, which gives a chaff-rate of 8.77%.

Yang et al. proposed a clustering-partitioning algorithm to detect stepping-stone intrusion (Yang and Huang, 2007; Yang et al., 2006). Yang et al. (2006) show clearly that if the chaff-rate exceeds 50%, the noisy cluster and the significant cluster cannot be distinguished because their clustering rates are very close. This indicates that the clustering-partitioning algorithm resists intruders' chaff-perturbation only up to 50%, which is lower than our approach.

6. Conclusion and future work

In this paper we have proposed an algorithm, CBID, for detecting stepping-stone intrusion and resisting intruders' time-jittering and chaff-perturbation evasion based on the packet context. The Pearson product-moment correlation coefficient is used to compare packet contexts. Unlike other approaches, this algorithm does not need any threshold to decide whether an intruder exists. By using Echo packets rather than Send packets, CBID resists intruders' time-jittering manipulation. The experimental results showed that CBID resists chaff-perturbation at chaff-rates up to 80%, but not at 100%.

One interesting result of our experiment is that it is easy to make two relayed connections look unrelated by chaff-perturbation, whereas it is non-trivial to make two unrelated connections look relayed by chaff-perturbation. The experimental results in Tables 3 to 6 clearly substantiate this point. This also indicates that an intruder's chaff evasion can hardly raise the false positive error of CBID, but can easily raise its false negative error. Our future work will focus on improving the performance of CBID by lowering its false negative error rate.

For CBID to work effectively, a sufficient number of connections must be involved; otherwise an outlier cannot be found among a small number of connections. This makes the algorithm especially suitable for monitoring an enterprise server with hundreds to thousands of connections in and out. Other future work involves testing CBID on an institutional server, which will make our results more realistic.

Acknowledgments

The authors wish to express their appreciation to all the

graduate and undergraduate students involved in this project,

who provided many experimental results that were used

during the design and development of the stepping-stone

intrusion detection model. Professors Wayne Summers,

Edward Bosworth were a constant driving force behind the

development of different versions of CBID system. Dr. Yu

Liang, Central State University, Ohio, provided many insight-

ful comments on the actual experience of using the intrusion

detection system. Mr. Qiang Ling provided the remote SSH

server in Shanghai, China for the experiments. Mrs. Grace Wu

provided and maintained the servers in University of Houston,

and Mrs. Aurelia Smith provided and maintained the servers

and computers used in our SAIL lab.

References

Blum A, Song D, Venkataraman S. Detection of interactive stepping-stones: algorithms and confidence bounds. In: Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection. LNCS, vol. 3224. Heidelberg: Springer; 2004. pp. 296–314.

Donoho DL, Flesia AG, Shankar U, Paxson V, Coit J, Staniford S. Multiscale stepping-stone detection: detecting pairs of jittered interactive streams by exploiting maximum tolerable delay. In: Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection. LNCS, vol. 2516. Heidelberg: Springer; 2002. pp. 45–59.

He T, Tong L. Detecting encrypted stepping-stone connections. IEEE Transactions on Signal Processing 2007;55(5):1612–1623.

Myers JL, Well AD. Research design and statistical analysis. 2nd ed. Lawrence Erlbaum; 2003. ISBN 0805840370. p. 508.

Kendall M. A new measure of rank correlation. Biometrika 1938;30(1–2):81–89. doi:10.1093/biomet/30.1-2.81. JSTOR 2332226.

Rodgers JL, Nicewander WA. Thirteen ways to look at the correlation coefficient. The American Statistician 1988;42(1):59–66.

Staniford-Chen S, Heberlein LT. Holding intruders accountable on the Internet. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA; 1995. pp. 39–49.

Wang X, Reeves D, Wu S, Yuill J. Sleepy Watermark Tracing: an active network-based intrusion response framework. In: Proceedings of the 16th International Conference on Information Security, Paris, France; 2001. pp. 369–384.

Wang X, Reeves D, Wu S. Inter-packet delay-based correlation for tracing encrypted connections through stepping stones. In: Proceedings of the 7th European Symposium on Research in Computer Security. LNCS, vol. 2502. Heidelberg: Springer; 2002. pp. 244–263.

Wu H-C, Huang S-HS. Neural networks-based detection of stepping-stone intrusion. Expert Systems with Applications 2010;37:1431–1437.

Yang J, Huang S. Matching TCP/IP packets to detect stepping-stone intrusion. International Journal of Computer Science and Network Security 2006;6(4):269–276.

Yang J, Huang S. Mining TCP/IP packets to detect stepping-stone intrusion. Computers & Security 2007;26:479–484.

Yang J, Huang S-HS, Zhang Y. Resistance analysis to intruders' evasion of detecting intrusion. In: Proceedings of the 9th Information Security Conference, Samos, Greece. LNCS, vol. 4176. Springer; 2006. pp. 383–398.

Yang J, Lee B, Huang S. Monitoring network traffic to detect stepping-stone intrusion. In: Proceedings of the 22nd IEEE International Conference on Advanced Information Networking and Applications, vol. 1. IEEE; 2008. pp. 56–61.

Yoda K, Etoh H. Finding a connection chain for tracing intruders. In: Proceedings of the 6th European Symposium on Research in Computer Security. LNCS, vol. 1985. Heidelberg: Springer; 2000. pp. 31–42.

Zhang Y, Yang J, Bediga S, Huang S-H. Resist intruders' manipulation via context-based TCP/IP packet matching. In: Proceedings of the 24th IEEE International Conference on Advanced Information Networking and Applications; 2010. pp. 1101–1107.

Yung KH. Detecting long connecting chains of interactive terminal sessions. In: Proceedings of the 5th International Conference on Recent Advances in Intrusion Detection. LNCS, vol. 2516. Heidelberg: Springer; 2002. pp. 1–16.

Zhang Y, Paxson V. Detecting stepping-stones. In: Proceedings of the 9th USENIX Security Symposium, Denver, CO; 2000. pp. 67–81.

Jianhua Yang became a Member of IEEE in 2003 and of ACM in 2006. He was born in Weifang, China, in 1966. He earned his Ph.D. degree in computer science at the University of Houston, Houston, TX, USA in 2006, a Master's degree in computer engineering at Shandong University, Jinan, Shandong, China in 1990, and a Bachelor's degree in electronic engineering at Shandong University, Jinan, Shandong, China in 1987. His major field of study is computer science. He is currently working at the TSYS School of Computer Science, Columbus State University (CSU), Columbus, GA, USA as an Associate Professor. Before joining CSU, he was an Assistant Professor at Bennett College for Women from 2006 to 2008 and at the University of Maryland Eastern Shore from 2008 to 2009, and an Associate Professor at Beijing Institute of Petro-Chemical Technology, Beijing, China from 1990 to 2000. His current research interests are computer networks and information security. Dr. Yang has published more than 20 research papers in the area of stepping-stone intrusion detection since 2004. He serves as a reviewer for IEEE Transactions on Signal Processing and for Computers & Security, Elsevier.

David Woolbright is currently a full professor in the TSYS School of Computer Science at Columbus State University, Columbus, GA. His research interests include combinatorial theory, graph theory, and programming languages. He received a PhD in Mathematics from Auburn University in 1978. He can be reached at [email protected].