Abstract
Stepping-stone attacks are often used by network intruders to hide
their identities. In a stepping-stone attack, attacking commands
are sent indirectly to the victim through a chain of compromised
hosts acting as ``stepping stones''. In defending against such
attacks, it is necessary to detect stepping-stone connections at
the compromised hosts. The use of encrypted connections by the
attacker complicates the detection problem, and the attacker's
active timing perturbation makes it even more challenging. In this
paper, we consider strategies to identify stepping-stone
connections without using the content of the traffic. We propose
two activity-based algorithms which can detect stepping-stone
connections even though they are encrypted and modified by the
attacker. The first algorithm is based on the assumption that the
stepping-stone host has bounded memory to hold relay packets.
The second algorithm assumes that the stepping-stone connections
has bounded delay. We prove that both algorithms have no miss
detection and exponentially-decaying false alarm probabilities.
When both bounded memory and bounded delay conditions are
satisfied, a comparison of the error probabilities suggests how
to choose algorithms under different traffic rates.