Algorithms to Detect Stepping-Stone Intrusions in the Presence of Evasion Techniques
by Kuo, Ying-Wei, Ph.D., UNIVERSITY OF HOUSTON, 2011, 174 pages; 3492359

Abstract:

With the rapid growth of computer networks, network security has become a crucial issue. Network intruders may use SSH or Telnet to establish a connection session with the target machine. If they connect directly to the target machine, their IP addresses are visible to the target. A common strategy for hiding an intruder's true IP address is known as "stepping-stone intrusion." This strategy launches an intrusion by routing it through a sequence of intermediate computers before it reaches the target machine. In this dissertation, our goal is to detect stepping-stone intrusions.

One way to detect stepping-stone intrusion is to test whether a host is used as part of a stepping-stone connection chain. The first algorithm we present avoids traffic corruption by using a one-to-one mapping-based approach. The second detection algorithm, based on association rule mining, operates in the presence of chaff and timing-jitter perturbations. The experimental results and analysis show that the proposed algorithms have high detection rates and are able to resist intruders' evasions.

Determining whether two hosts belong to the same connection chain is another way to contribute to stepping-stone detection. If one suspects that an attack originated from a particular host, one may correlate the connections to the target and to the suspected host to confirm whether they belong to the same chain, without knowing much about the other intermediate hosts. We propose several algorithms for detecting multi-hop stepping-stone hosts by using dynamic-programming-based pattern recognition techniques. According to the experimental results, our algorithms can detect stepping-stone attacks with low time complexity in the presence of clock skew and chaff.

Most of the detection algorithms above work well when the chaff rate is low. However, if the chaff rate is high, the detection rate deteriorates. We present a learning-based detection algorithm to detect chaff anomalies in a traffic stream. By coupling this chaff detection algorithm with the previous correlation-based algorithm, the combined algorithm makes it possible to identify a stepping-stone host in either circumstance.

With the algorithms designed in this dissertation, it is possible to identify intruders even when they use evasion techniques.

 
School: UNIVERSITY OF HOUSTON
Source: DAI/B 73-04, p. , Jan 2012
Source Type: Dissertation
Subjects: Computer science
Publication Number: 3492359