Stepping-stone intrusion is a hacking strategy in which an attacker sends attack commands through compromised hosts, called stepping-stones, in order to remotely access a target host. These stepping-stones form part of a connection chain that serves as an intermediary between the attacker host and the target host, giving the attacker greater anonymity and a better chance of avoiding detection. It is well known that a long connection chain with three or more connections often indicates malicious activity. In a long connection chain, it is possible for the sender to transmit the next request packet before it receives the response to the previous request. In such a case, some request and response packets may cross each other somewhere along the chain, producing packet crossover. In prior work, it was demonstrated that the number of crossover packets in a given data stream should be proportional to the length of a connection chain. In this work, we develop an innovative detection method for stepping-stone intrusion based on crossover packets, referred to as Crossover-Packet Detection. Our network experiments demonstrate that the proposed Crossover-Packet Detection method is resilient to session manipulation by hackers, such as chaff perturbation or time jittering.
Lixin Wang
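The crossover effect described in the abstract can be seen in a small simulation. This is an added example, not the paper's detection algorithm: the gaps, the per-connection round-trip time and all function names are constructed assumptions, and the model assumes one in-order response per request with a fixed round-trip time that grows linearly with chain length.

```python
# Added illustration, not the paper's detection algorithm.
# Model assumptions: one response per request, responses in order,
# fixed round-trip time that grows linearly with chain length.

# Constructed gaps between consecutive requests, in milliseconds.
GAPS_MS = [50, 120, 180, 250, 330, 90, 210, 150, 400, 280]
PER_CONNECTION_RTT_MS = 65  # assumed RTT contributed by each connection

def send_times(gaps_ms):
    """Turn inter-request gaps into absolute send times starting at 0."""
    times = [0]
    for gap in gaps_ms:
        times.append(times[-1] + gap)
    return times

def simulate_trace(times_ms, n_connections, per_conn_rtt_ms):
    """Return (time, kind) events as a sensor at the sender would log them."""
    rtt = n_connections * per_conn_rtt_ms
    events = [(t, "req") for t in times_ms]
    events += [(t + rtt, "resp") for t in times_ms]
    # On a timestamp tie, handle the response first: no crossover occurred.
    return sorted(events, key=lambda e: (e[0], e[1] != "resp"))

def count_crossovers(events):
    """Count requests sent while an earlier request is still unanswered."""
    outstanding = 0
    crossovers = 0
    for _, kind in events:
        if kind == "req":
            if outstanding > 0:
                crossovers += 1
            outstanding += 1
        elif kind == "resp" and outstanding > 0:
            outstanding -= 1  # unsolicited responses are ignored
    return crossovers

def crossovers_by_chain_length(max_connections):
    """Crossover count for chains of 1..max_connections connections."""
    times = send_times(GAPS_MS)
    return [
        count_crossovers(simulate_trace(times, n, PER_CONNECTION_RTT_MS))
        for n in range(1, max_connections + 1)
    ]

if __name__ == "__main__":
    for n, c in enumerate(crossovers_by_chain_length(5), start=1):
        print(f"{n} connection(s): {c} crossover request(s)")
```

With the same request timing, the count rises as connections are added to the chain, because more requests are sent before the previous response has returned.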