Submitted by CAE Community on

As the capability to detect network intrusion has increased, so has attackers’ ability to avoid detection. Commonly, attackers use Secure Shell (SSH) to hide their identity. SSH securely connects two hosts and encrypts their interactions. The first step in preventing Stepping-Stone Intrusion is being able to detect when it occurs. Much research has been done on detecting intrusion by looking at downstream network traffic, that is, the traffic flowing to the victim and back from them. Detection methods that look at upstream data, which is the traffic flowing from the attacker and back towards them from a sensor, are inadequate and underrepresented in the field.

To this end, a potential method for upstream detection has been devised. By observing the upstream connection, we can match a send packet with its respective echo packet and, as a result, determine the round-trip time (RTT) of that packet. Looking at a series of these matches, we can find the average RTT of all the packets and then the standard deviation of the RTTs among the matches. We estimate that, as a result of the increasing number of routers and hops and the physical distance between them, transmission will vary more the further a sensor is from a victim. By observing the standard deviation of these RTTs at different places in a long connection chain, we may be able to discern a usable standard or pattern that can determine the length of a downstream connection and, with modification, estimate the length of an upstream connection.
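The send/echo matching and RTT statistics described above can be sketched as follows. This is an added example, not the authors' code. It assumes a simple first-in, first-out matching rule (each echo answers the oldest unanswered send), which the abstract does not specify, and the two captures `SENSOR_A` and `SENSOR_B` are constructed sample data, not measurements.

```python
from collections import deque
from statistics import mean, stdev


def match_rtts(events):
    """Pair send and echo packets seen at one sensor.

    events: iterable of (timestamp_seconds, direction), direction is
    "send" or "echo". Assumed rule: FIFO, each echo answers the oldest
    unanswered send. Returns (list_of_rtts, count_of_unanswered_sends).
    """
    pending = deque()
    rtts = []
    for ts, direction in sorted(events):
        if direction == "send":
            pending.append(ts)
        elif direction == "echo" and pending:
            rtts.append(ts - pending.popleft())
        # An echo with no outstanding send (capture started mid-session)
        # cannot be matched and is skipped.
    return rtts, len(pending)


def rtt_profile(events):
    """Mean and sample standard deviation of the matched RTTs."""
    rtts, unmatched = match_rtts(events)
    if len(rtts) < 2:
        raise ValueError("need at least two matched send/echo pairs")
    return {"matches": len(rtts), "unmatched_sends": unmatched,
            "mean_rtt": mean(rtts), "std_rtt": stdev(rtts)}


def constructed_capture(rtts):
    """Build sample events: one send per second, echo after the given RTT."""
    events = []
    for i, rtt in enumerate(rtts):
        events += [(float(i), "send"), (i + rtt, "echo")]
    return events


# Constructed sample data: low-jitter and high-jitter captures.
SENSOR_A = constructed_capture([0.040, 0.042, 0.038, 0.040])
# SENSOR_B also carries a stray leading echo and a trailing unanswered send.
SENSOR_B = constructed_capture([0.120, 0.180, 0.090, 0.150]) + [
    (-1.0, "echo"), (9.0, "send")]

if __name__ == "__main__":
    for name, capture in (("A", SENSOR_A), ("B", SENSOR_B)):
        print(name, rtt_profile(capture))
```

Comparing `std_rtt` across sensors placed at different points in a connection chain is the quantity the proposed method would examine.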

Jianhua Yang