Detecting Stepping-Stone Traffic in Chaff: Fundamental Limits and Robust Algorithms

     T. He and L. Tong

    June, 2006.

    Abstract
    The detection of encrypted stepping-stone attack is considered.
    The attacker is capable of inserting chaff packets and perturbing
    packet timing and transmission order. For stepping-stone connections
    subject to bounded memory or bounded delay constraints, the amount
    of chaff required by the attacker to mimic independent traffic is
    characterized. It is shown that for stepping-stone pairs with either
    bounded memory or bounded delay constraint, the amount of chaff
    required to mimic independent traffic is proportional to the size
    of attacking traffic; this amount gives a fundamental limit on how
    much chaff a steppingstone detector can tolerate.When packet arrivals
    form renewal processes, a nonparametric detector is proposed to
    detect attacking traffic by testing the correlation between interarrival
    times. The detector requires no knowledge of the interarrival
    distribution, and it is shown to have exponentially decaying detection
    error probabilities. The error exponents are characterized using
    the Vapnik-Chervonenkis Theory. An efficient algorithm is proposed
    based on the detector structure to detect renewal processes with
    linearly correlated interarrival times. It is shown that the proposed
    algorithm is robust against an amount of chaff arbitrarily close
    to the fundamental limit.