Submitted:
01 August 2023
Posted:
02 August 2023
You are already at the latest version
Abstract
Keywords:
1. Introduction
2. Preliminaries
2.1. Definitions of Send and Echo Packets
2.2. RTT Distribution
2.3. Chaff Attack Definition
2.4. The Rationale of Network-based SSID Algorithms
2.5. Packet Crossover
3. Relationship between the downstream sub-chain length and packet crossover ratio
4. SSID Algorithm Design
- (1)
- Set up a connection chain A→S1→S2→V of length 3 with the host S1 as the sensor, where the hosts A, S2, and V serve as the attacker, another stepping-stone, and the victim, respectively. The length of the downstream sub-chain from S1 to V is two.
- (2)
- Some standard Linux commands (such as ls, dir, mkdir, etc.) are entered into a terminal in the attacker host A for a couple of minutes, and at the same time all the packets are captured at the sensor S1 from the connection S1→S2 in the chain. Totally, 10 datasets will be captured. Then we use the Packet Crossover Ratio algorithm (Algorithm 1 of [20]) to calculate the packet crossover ratio for each dataset of the above captured packets.
- (3)
- Calculate the intrusion threshold crossover ratio which is the average packet crossover ratio among the 10 captured datasets at Step 2.
- (4)
- To perform SSID, at the same time, we also use host S1 as the sensor and observe one of its outgoing links. We then determine whether this outgoing link from the sensor S1 is used by an intruder for a malicious SSI. We capture 10 datasets at the sensor S1 from this outgoing connection and calculate the average packet crossover ratio over all the 10 captured datasets using the Packet Crossover Ratio algorithm (Algorithm 1 of [20]).
- (5)
- If the average packet crossover ratio obtained at Step 4 is greater than or equal to the intrusion threshold crossover ratio obtained at Step 3, it is most likely that this outgoing link is used by a hacker for malicious SSI.
- (6)
- Repeat Step 4 for every outgoing link from the sensor S1 (except for the connection S1→S2 in the chain created in Step 2) to see whether it is used by a hacker for malicious SSI.
5. Network Experimental Results and Analysis
6. Conclusion and Future Work
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- L. Wang, J. Yang, X. Xu, and P.-J. Wan: “Mining Network Traffic with the k-Means Clustering Algorithm for Stepping-stone Intrusion Detection”, Wireless Communications and Mobile Computing, vol. 2021, Article ID 6632671, 2021. [CrossRef]
- Blum, D. Song, And S. Venkataraman, “Detection of Interactive Stepping-Stones: Algorithms and Confidence Bounds”, Proceedings of International Symposium on Recent Advance in Intrusion Detection (RAID), Sophia Antipolis, France, pp. 20-35, September 2004.
- Bishop Mathew. “UNIX security: threats and solutions”, Invited talk given at the 1995 system administration, networking, and security conference, Washington, DC, April 1995.
- Bhattacherjee, Debopam. “Stepping-stone detection for tracing attack sources in Software-Defined Networks”, Degree Project in Electrical Engineering, Stockholm, Sweden (2016).
- D. Donoho, A. Flesia, U. Shankar, V. Paxson, J. Coit, and S. Staniford, “Multiscale stepping-stone detection: Detecting pairs of jittered interactive streams by exploiting maximum tolerable delay,” in the 5th International Symposium on Recent Advances in Intrusion Detection, Lecture Notes in Computer Science, 2002.
- Liu, Jinping, Wuxia Zhang, Zhaohui Tang, Yongfang Xie, Tianyu Ma, Jingjing Zhang, Guoyong Zhang, and Jean Paul Niyoyita. “Adaptive intrusion detection via GA-GOGMM-based pattern learning with fuzzy rough set-based attribute selection.” Expert Systems with Applications 139 (2020): 112845. [CrossRef]
- J. Yang, S.-H. S. Huang, “A Real-Time Algorithm to Detect Long Connection Chains of Interactive Terminal Sessions,” Proceedings of 3rd ACM International Conference on Information Security (Infosecu’04), Shanghai, China, November 2004, pp. 198-203.
- J. Yang, S.–H. S. Huang, “Matching TCP Packets and Its Application to the Detection of Long Connection Chains,” Proceedings of 19th IEEE International Conference on Advanced Information Networking and Applications (AINA 2005), Taipei, Taiwan, China, March 2005, pp. 1005-1010.
- J. Yang, and S. S.-H. Huang, “Mining TCP/IP Packets to Detect Stepping-Stone Intrusion”, Journal of Computers and Security, Elsevier Ltd., vol.26, December 2007, pp. 479-484. [CrossRef]
- Yang, J., Wang, L., Lesh, A., & Lockerbie, B. (2018). Manipulating network traffic to evade stepping-stone intrusion detection. Internet of Things by Elsevier, 3, 34-45. December 2018. [CrossRef]
- K. H. Yung, “Detecting Long Connecting Chains of Interactive Terminal Sessions,” Proc. of International Symposium on Recent Advance in Intrusion Detection (RAID), Zurich, Switzerland, pp. 1-16, October 2002.
- Phaal, P., Panchen, S., and McKee, N., “InMon Corporation’s sFlow: A method for monitoring traffic in switched and routed networks”. RFC 3176, IETF, September 2001.
- S. Staniford-Chen, and L. T. Heberlein, “Holding Intruders Accountable on the Internet,” Proc. IEEE Symposium on Security and Privacy, Oakland, CA, pp. 39-49, 1995.
- V. Paxson, S. Floyd, “Wide-area Traffic: The Failure of Poisson Modeling”, IEEE/ACM Transactions on Networking, (3) 1995, pp. 226-244. [CrossRef]
- L. Wang and J. Yang. “A research survey in stepping-stone intrusion detection.” EURASIP Journal on Wireless Communications and Networking 2018.1 (2018): 1-15. [CrossRef]
- Wang, X., & Reeves, D., “Robust correlation of encrypted attack traffic through stepping-stones by flow watermarking”. IEEE Transactions on Dependable and Secure Computing, 8(3), pp. 434-449, 2011. [CrossRef]
- Chen, Y., and Wang, S., “A Novel Network Flow Watermark Embedding Model for Efficient Detection of Stepping-stone Intrusion Based on Entropy”, In Proceedings of the International Conference on e-Learning, e-Business, Enterprise Information Systems, and e-Government (EEE), WorldComp 2016.
- Y. Zhang, and V. Paxson, “Detecting Stepping-Stones,” In Proceedings of the 9th USENIX Security Symposium, Denver, CO, pp. 67-81, August 2000.
- L. Wang, J. Yang, and A. Lee: An Effective Approach for Stepping-Stone Intrusion Detection Using Packet Crossover, the 23rd World Conference on Information Security Applications (WISA), Aug. 24-26, 2022.
- Wang, L.; Yang, J.; Lee, A., and Wan, P.-J., Stepping-Stone Intrusion Detection via Estimating Numbers of Upstream and Downstream Connections using Packet Crossover, Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 13, No. 4 (Dec. 2022). [CrossRef]
- Li, Q.; Mills, D.L. On the Long-range Dependence of Packet Round-trip Delays on the Internet. In Proceedings of International Conference on Communications (ICC’98), Atlanta, GA, USA, 7–11 June 1998; Volume 1, pp. 1185–1192.



![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).





