Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05) (2005)
Columbus, Ohio, USA
June 6, 2005 to June 10, 2005
Pai Peng, North Carolina State University
Peng Ning, North Carolina State University
Douglas S. Reeves, North Carolina State University
Xinyuan Wang, George Mason University
Network intruders usually launch their attacks through a chain of intermediate stepping stone hosts in order to hide their identities. Detecting such stepping stone attacks is difficult because attackers can use packet encryption, timing perturbations, and meaningless chaff packets to evade detection. In this paper, we propose a method based on packet matching and timing-based active watermarking that can successfully correlate interactive stepping stone connections even in the presence of chaff packets and limited timing perturbations. We provide several algorithms that offer different trade-offs among detection rate, false positive rate, and computation cost. Our experimental evaluation with both real-world and synthetic data indicates that, by integrating packet matching and active watermarking, our approach has better overall performance than existing schemes.
P. Ning, D. S. Reeves, P. Peng and X. Wang, "Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets," 25th IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW), Columbus, OH, USA, 2005, pp. 107-113.