In Partial Fulfillment of the Requirements for the Degree of
Doctor of Philosophy
Will defend her dissertation
With the rapid growth of computer networks, security has become a crucial issue for the Internet community. Network intruders often launch an intrusion by routing through a sequence of intermediate computers before reaching the target machine in order to maintain anonymity. This type of attack, which uses a connection chain, is called a stepping-stone attack. In this dissertation, our goal is to detect stepping-stone intrusions.
One way to detect stepping-stone intrusion is to test whether a host is an intermediate host used as part of a stepping-stone connection chain. The first algorithm we present avoids traffic corruption by using a one-to-one mapping-based approach. The second detection algorithm, based on association rule mining, is designed to work in the presence of chaff and timing jitter perturbation. Determining whether two hosts belong to the same connection chain is another way to contribute to stepping-stone detection. If one suspects that an attack originated from a particular host, one may correlate the connections to the target and to the suspected host to confirm whether they belong to the same chain, without knowing much about the other intermediate hosts. We propose several algorithms for detecting this type of multi-hop stepping-stone host using dynamic programming based pattern recognition techniques.
Most of the detection algorithms work well when the chaff rate is low. However, if the chaff rate is high, the detection rate deteriorates. We present a learning-based detection algorithm to detect chaff anomalies in a traffic stream. By coupling this chaff detection algorithm (which works well when the traffic flow is highly chaffed) with the previous correlation-based algorithm (which works well when there is no or low chaff), the combined algorithm makes it possible to identify a stepping-stone host in either circumstance.
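The host-level test described above, deciding whether an outgoing connection relays an incoming one, can be sketched with packet timestamps alone. This is an added example, not the dissertation's algorithm: the greedy order-preserving matching, the function names, the `max_delay` and `threshold` values and the sample timestamps are all assumptions made for illustration.

```python
"""Timing-based relay test for one host: does an outgoing connection
carry the packets of an incoming one? (Illustrative sketch only.)"""

def match_fraction(incoming, outgoing, max_delay):
    """Order-preserving one-to-one matching of packet timestamps.

    Each incoming timestamp is paired with the earliest unused outgoing
    timestamp that follows it by at most max_delay seconds. Outgoing
    packets left unpaired are treated as chaff. Returns the fraction of
    incoming packets that found a partner.
    """
    incoming, outgoing = sorted(incoming), sorted(outgoing)
    if not incoming:
        return 0.0
    j = matched = 0
    for t_in in incoming:
        # Outgoing packets sent before t_in cannot be its relayed copy,
        # nor the copy of any later incoming packet: skip them.
        while j < len(outgoing) and outgoing[j] < t_in:
            j += 1
        if j < len(outgoing) and outgoing[j] - t_in <= max_delay:
            matched += 1
            j += 1  # consume it, so the mapping stays one-to-one
    return matched / len(incoming)

def is_relay_pair(incoming, outgoing, max_delay=0.1, threshold=0.9):
    """Flag the pair when nearly every incoming packet has a partner."""
    return match_fraction(incoming, outgoing, max_delay) >= threshold

# Constructed sample data (seconds since capture start), not real traffic.
INCOMING = [0.00, 0.42, 0.95, 1.60, 2.10, 3.05]
# Same packets forwarded with small jitter, plus two chaff packets.
RELAYED = [0.03, 0.20, 0.47, 1.01, 1.30, 1.66, 2.18, 3.09]
# An unrelated interactive session leaving the same host.
UNRELATED = [0.25, 0.70, 1.20, 1.95, 2.60, 3.50]

if __name__ == "__main__":
    for name, out in (("relayed", RELAYED), ("unrelated", UNRELATED)):
        print(name, match_fraction(INCOMING, out, 0.1),
              is_relay_pair(INCOMING, out))
```

With dense enough traffic on the outgoing side, any incoming stream passes this test, so the score is only meaningful when the chaff rate is low.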