Resist Intruders Manipulation via Context-based TCP/IP Packet Matching


IEEE International Conference on Advanced Information Networking and Applications

Yongzhong Zhang, College of Management, University of Shanghai for Science and Technology, Shanghai, China
Santhoshkumar Bediga, TSYS School of Computer Science, Columbus State University, Columbus, USA
Jianhua Yang, TSYS School of Computer Science, Columbus State University, Columbus, USA
Stephen S.-H. Huang, Department of Computer Science, University of Houston, Houston, USA

Abstract

Stepping-stone is the most popular way used to attack other computers. The reason is that intruders can be protected through a long connection chain involving some compromised computers called stepping-stones. Some intruders even manipulate a stepping-stone to evade stepping-stone intrusion detection. Intruders' evasion makes detecting stepping-stone intrusion more difficult. In this paper, we propose a new approach, context-based TCP/IP packet matching, to detect stepping-stone intrusion, as well as to resist intruders' evasion. The analysis shows that this approach can resist intruders' time-jittering evasion. The simulation results showed that even if an intruder chaffs a connection with a chaff rate as high as 100%, this approach can still match the two connections to detect the intrusion and to resist intruders' chaff-perturbation evasion.

Keywords: Network security; intrusion detection; time-jittering; chaff-perturbation; stepping-stone; evasion; manipulation

I. INTRODUCTION

Most intruders normally launch their attacks indirectly rather than directly to protect themselves. The TCP/IP protocol defines the communications between two computer hosts, so direct attacks can be detected easily and intruders can be captured effortlessly. Indirect attack is a different story. Instead of connecting to a computer directly, intruders compromise some computers first, then launch their attacks via the compromised computers, which are called stepping-stones [1].
Using stepping-stones to invade or attack other computers is called stepping-stone intrusion. From the packets received at the victim side, it can only be known that the attacks come from the neighboring stepping-stone, rather than from the attacker's computer. That is why attackers using indirect attacks can escape detection and capture. One obvious way to detect and capture such attackers is to analyze the TCP/IP packets received at each stepping-stone, and trace back along the connection chain from the victim, eventually to the intruder's computer. But the sad news is that even if you could locate where an intruder's computer is, you would not capture the intruder, as this investigation might take a long time because the connection chain may span different areas, different states, or different countries. With the existing technology, tracing intruders back and capturing them are considered to be impractical.

The practical way to protect victim hosts from stepping-stone attacks is to detect the attacks or intrusions and cut them off. The basic idea of detecting stepping-stone intrusion is to identify whether a computer is used as a stepping-stone. One notable characteristic of a computer used as a stepping-stone is that a session connected to the computer, called the incoming connection, must have a relayed session connected out, which is called the outgoing connection. Comparing an incoming connection with an outgoing connection of a computer to check if they are relayed constructs the main melody of the approaches proposed to detect stepping-stone intrusion since The first approach [2] to detect stepping-stone intrusion, proposed by Staniford-Chen and Heberlein, is to compare the thumbprint, which is the summary of the packet contents in a TCP interactive session, of an incoming and an outgoing connection of a computer.
The weakness of this approach is that it cannot be applied to encrypted sessions, where the packets' contents, as well as the thumbprint, are invisible. To overcome the fatal problem in [2], Zhang and Paxson proposed a time-based approach [1] to detect stepping-stone intrusion. Everything in a TCP packet could be encrypted except the timestamp when the packet is received at a stepping-stone. This timestamp depends on the local clock of the stepping-stone. It is not encrypted by any encryption method. Zhang and Paxson proposed to use the ON-OFF pattern of a session to compare whether two connections are relayed. ON means a time interval during which there are TCP/IP packets flowing through a connection; OFF means there are no packets flowing through the connection. If ON-OFF patterns are obtained from monitoring both incoming and outgoing connections of a computer and compared, it would be trivial to determine if the two connections are relayed or not. Further, whether the computer is used as a stepping-stone can be detected. The biggest disadvantage of this time-based approach is that an ON-OFF pattern could be manipulated by intruders. Intruders can manipulate a TCP interactive session through either holding some packets for a length of time or inserting some meaningless packets into the session, to make non-relayed connections related or relayed connections unrelated. The former manipulation is called time-jittering, and the latter chaff-perturbation.

Yoda and Etoh proposed the deviation-based approach, a network-based correlation scheme [3], to detect stepping-stone intrusion. The deviation is defined as the minimum average delay gap between the packet streams of two TCP connections. This method is based on the observation that the deviation of two unrelated connections is large enough to be distinguished from that of connections in the same connection chain. The deviation-based approach has the following problems in addition to the problems that the time-based approach has: 1) computing deviation is not efficient; 2) it is not applicable for a compressed session because it depends on the size of a packet; 3) it cannot correlate connections where padding is added to the payload because it can correlate only the TCP connections that have one-to-one correspondences in their TCP sequence numbers; 4) correlation measurements are applicable only to the post-attack traces because the correlation metrics are defined over the entire duration of the connections.

X. Wang, et al., proposed an active approach which exploits watermarks to detect stepping-stone intrusion in 2001 [4, 5, 6]. The basic idea of this approach is that if two connections are relayed, a watermark injected into an incoming connection could be identified with a high probability from its corresponding outgoing connection. Otherwise, the probability that a watermark injected into an incoming connection is restored at an outgoing connection would be very small.
The main flaw of this approach is that it incurs huge computations in terms of injecting a watermark and restoring it back. On the other hand, there is no guarantee that an injected watermark cannot be affected by intruders' manipulation.

The simplest way to compare two connections is to count the number of packets in each connection and compare them. The difference between these two numbers should always be bounded if the two connections are relayed. Otherwise, it might be bounded but not guaranteed. The approach based on counting the number of packets of an interactive session to detect stepping-stone intrusion was proposed by Blum, et al. [8] in It claimed that this method can resist intruders' evasions, such as time-jittering and chaff-perturbation, to an extent. Donoho, et al. [7] showed that there are theoretical limits on the ability of attackers to disguise their traffic using evasions during a long interactive session. Using wavelet and multi-scale methods they proved that even if a session is jittered by time and chaff perturbation, stepping-stone intrusion detection is still possible by monitoring the session for a long enough time. However, Donoho, et al., did not show how long a session needs to be monitored in order to detect a stepping-stone intrusion. Blum proposed the algorithm to detect stepping-stone intrusion using Computational Learning Theory. He achieved provable upper bounds on the number of packets required to be monitored in an interactive session in order to achieve a given confidence. A major problem with this approach is that the upper bound of the number of packets required to be monitored is large, while the lower bound of the amount of chaffed packets needed to evade this detection is small. This fact makes Blum's method weak in terms of resisting intruders' chaff evasion.

Instead of focusing on comparing Send packets of connections, J. Yang, et al., proposed a different approach [9] to detect stepping-stone intrusion by comparing the number of Send packets of an incoming connection with the number of Echo packets of an outgoing connection. The packet stream of a connection was filtered and only the packets connected to commands were kept. Every command-based Send packet should have an echoed packet. It means the difference between the number of Send packets of an incoming connection and the number of Echo packets of an outgoing connection can be modeled as a one-dimensional random walk process. For relayed connections, this random walk is always bounded; otherwise it is not. So a computer can be determined to be used as a stepping-stone or not by checking if is a bounded random walk or not. The disadvantage of this approach is that the random walk boundary is hard to determine, especially under the scenario that a session is manipulated. This makes the approach theoretically meaningful but practically not very useful in terms of resisting intruders' evasion.

If we summarize all the above approaches, besides the individual flaws, they all suffer from a common pain: intruders' manipulation of an interactive TCP session. In other words, they are vulnerable to intruders' time-jittering manipulation, as well as chaff-perturbation evasion.

In this paper, we propose a novel idea to detect stepping-stone intrusion and resist intruders' manipulation. First, instead of checking the Send packets of incoming and outgoing connections, this approach compares the Send packets of the incoming connection with the Echo packets of the outgoing connection. Second, packet context is introduced to compare if two connections are relayed. The experimental results showed that context-based comparison can resist intruders' chaff-perturbation as high as 100%. It can also resist intruders' time-jittering manipulation.

The rest of this paper is arranged as follows. Section II describes intruders' manipulation.
Section III discusses how context-based packet matching can resist intruders' manipulation. Section IV evaluates the performance of the context-based packet matching algorithm through simulation. Section V finalizes the whole paper.

II. MANIPULATION

Intruders normally evade stepping-stone intrusion detection through either time-jittering to make the packets delayed or chaff-perturbation to disturb the incoming and outgoing connections of a host. Intruders may control one or some of the stepping-stones to evade intrusion detection. Our research focuses on studying the connections of one stepping-stone. The results can be extended to other stepping-stones. Before discussing the context-based packet matching algorithm, we first give a brief introduction to time-jittering and chaff-perturbation.

A. Time-jittering Manipulation

To evade stepping-stone intrusion detection, intruders may hold different Send packets of a TCP/IP session for different lengths of time to make random delays. Intruders might manipulate incoming connections or outgoing connections. For example, to manipulate an incoming connection, intruders would hold the i th Send packet at time t i for t i, then release it to the outgoing connection at time t i + t i. Zhang's approach [1] would be easily evaded by this manipulation. Intruders can only postpone packets, not advance them. The time order of the TCP packets in an incoming connection must be kept as well at the relayed outgoing connection after being manipulated with time-jittering. If $n$ Send packets $\{s_1, s_2, \dots, s_n\}$ are captured with the original timestamps $\{t_1, t_2, \dots, t_n\}$, and {t 1 + t 1, t 2 + t 2,, t n + t n } as the timestamps after being manipulated, the following relations must be satisfied.

$$t_n > t_{n-1} > \dots > t_2 > t_1 \qquad (1)$$

t n + t n > t n-1 + t n-1 > > t 2 + t 2 > t 1 + t 1 (2)

Most approaches to detect stepping-stone intrusion mentioned before are evaded because the timestamps of the packets are modified from the incoming to outgoing connections. Blum's approach [8] will not work because the number of packets in the same time interval is changed unless the monitoring time is long enough. Yoda's approach [3] will not work well because the deviation of each connection might be changed by time-jittering manipulation.
Wang's method might not work, as the watermark, which is highly dependent on the timestamps of packets injected into an incoming connection, may be disturbed.

B. Chaff-perturbation Manipulation

Chaff-perturbation is another way used frequently by intruders to manipulate an interactive TCP session. An intruder would insert some meaningless packets into an incoming or an outgoing connection with the intention to mess up the packet sequence. The meaningless packets may be inserted randomly or in an organized way to make the packet sequence conform to a certain distribution to escape the detection of other tools. We assume in this paper that intruders insert meaningless packets randomly.

Intruders' chaff capability is constrained as well [7]. It means that intruders cannot insert as much as they want, even though they may insert packets at any time and at any compromised host. Too many meaningless packets inserted into a session may incur inefficient packet delivery. Nobody would like to use an inefficient session for an interactive communication. To evade detection, intruders prefer an efficient interactive session to finish their attack and leave as soon as possible. Another reason is that if too many packets are inserted between two normal packets, the session is easily identified as a suspicious session even with very simple tools. Instead of hiding themselves safely and deeply, intruders' excessive chaff-perturbation may make them easy to identify. This is not what intruders expect. A survey showed a skilled typist might type 5 to 10 keystrokes per second. The gap between two keystrokes is on average in a range (ms). Assuming too many packets are inserted in between two normal packets, the average gap between the two packets would be down to an unreasonable range. It is enough to consider this session an abnormal session.
For example, if four meaningless packets are inserted in between two normal packets with gap ms, the average gap in between two packets would be changed to (ms), which also indicates the typist could type as fast as 25 keystrokes per second, which is impossible for human beings.

Chaffed packets must be removed before they arrive at the destination host of a session. These packets do not have responses. The original packets represent Operating System commands from a user. They are supposed to be processed and executed at the destination host. These packets need to be echoed first, and the execution results are sent back to the user's host. If the chaffed packets are not removed before reaching the destination, they would affect the execution of the original commands from the user's host. Obviously, no users, intruders included, expect this to happen.

III. RESIST INTRUDERS' MANIPULATION

Stepping-stone intrusion detection is to compare a characteristic of an incoming connection with an outgoing connection to see if they are the same or close. Through studying the approaches mentioned above, we found that they all use the same model, as Figure 1 shows.

[Figure 1. Model of detecting stepping-stone. Labels: $C_{in}$, $S_{in}$, $E_{in}$, stepping-stone host.]

In this model, the stepping-stone host has an incoming connection $C_{in}$, which includes a request packet stream $S_{in}$ and a response packet stream $E_{in}$, and an outgoing connection $C_{out}$ including a request packet stream $S_{out}$ and a response packet stream $E_{out}$. Most previous approaches focused on studying the relations between $S_{in}$ and $S_{out}$. Staniford-Chen and Heberlein [2] studied the relations of the payloads of $S_{in}$ and $S_{out}$, respectively.
Zhang's approach [1] focused on comparison of the time features between $S_{in}$ and $S_{out}$; Yoda [3] proposed to compare the deviation of incoming and outgoing connections to detect an intruder, where the deviation is defined on the request packet stream; Blum's approach [8] has a direct relation with the number of packets in $S_{in}$ and $S_{out}$. The reason that they are vulnerable to intruders' time-jittering and chaff-perturbation evasion is that the characteristics used in these approaches are tightly related to either timestamps or the number of the packets in $S_{in}$ and $S_{out}$. Different from them, the approach proposed in this paper to detect stepping-stone intrusion is to make this relation loose, rather than tight. So even though the connections of a host are manipulated, the characteristic of a connection used in this approach will not be affected too much. That is why we claim that this approach can resist intruders' time-jittering and chaff-perturbation evasion.

Different from the above approaches, we propose to use $S_{out}$ and $E_{in}$, rather than $S_{in}$ and $S_{out}$, to identify intruders. Packet context, defined later, is used to describe the characteristic of a connection. The idea of this approach is to compare the contexts of all the packets in $S_{in}$ with those in $E_{out}$ to see if they have similar contexts. The closer the contexts, the higher the probability that a host is used as a stepping-stone. Before analyzing how this approach resists intruders' time-jittering and chaff-perturbation evasion, we define packet context first.

A. Packet Context Definition

Given a packet sequence $\{p_1, p_2, \dots, p_n\}$ with timestamp sequence $\{t_1, t_2, \dots, t_n\}$, the context of any packet $p_i$ with window size $2w$ is defined as the sequence $\{t_i - t_{i-w},\ t_i - t_{i-(w-1)},\ \dots,\ t_i - t_{i-1},\ t_{i+1} - t_i,\ t_{i+2} - t_i,\ \dots,\ t_{i+w} - t_i\}$. Window size indicates the number of elements in a context sequence. However, the contexts of the first and the last $w$ packets are different from those of other packets, because none of these packets has $w$ packets both before and after it. For example, a sequence with 16 packets has a timestamp sequence $\{t_1, t_2, \dots, t_{16}\}$.
Based on the definition, the context of packet $p_2$, which is one of the first three packets in the sequence, with window size $2 \cdot 3$ is $\{t_2 - t_1,\ t_3 - t_2,\ t_4 - t_2,\ t_5 - t_2,\ t_6 - t_2,\ t_7 - t_2\}$; for packet $p_{16}$, which is one of the last three packets in the packet sequence, its context sequence is $\{t_{16} - t_{10},\ t_{16} - t_{11},\ t_{16} - t_{12},\ t_{16} - t_{13},\ t_{16} - t_{14},\ t_{16} - t_{15}\}$; for packet $p_4$, which is neither in the first three packets nor in the last three packets of the sequence, its context is $\{t_4 - t_1,\ t_4 - t_2,\ t_4 - t_3,\ t_5 - t_4,\ t_6 - t_4,\ t_7 - t_4\}$.

Packet context comparison is ultimately a sequence comparison issue. Given two sequences $Seq_1 = \{u_1, u_2, \dots, u_n\}$ and $Seq_2 = \{v_1, v_2, \dots, v_n\}$, the comparison of the two sequences is to compute the similarity $\Omega$ between the two sequences. We define the similarity $\Omega$ as the number of elements that are connected. For any two elements $u_i$ in $Seq_1$ and $v_j$ in $Seq_2$, the Connection between the two elements is defined by inequality (3). (3),, where is a predefined threshold with range in between 0 and 1. The bigger the similarity $\Omega$, the more similar the two sequences. The significance of the sequence similarity is that it reflects how the two corresponding packet sequences are related. The more similar the two sequences, the more related the two sessions.

B. Context-based Packet Matching Algorithm

Suppose the incoming and outgoing connections of a stepping-stone shown in Figure 1 are monitored and four streams are collected: $S_{in}$, $E_{in}$, $S_{out}$, $E_{out}$. We also assume a stepping-stone is manipulated by either time-jittering or chaff-perturbation, and the relayed $S_{out}$ and $S_{in}$ become unrelated. So intruders could evade detection by most of the approaches mentioned above. It is assumed that there are $n$ requests collected at stream $S_{out} = \{s_1, s_2, \dots, s_n\}$ and $m$ responses at stream $E_{in} = \{e_1, e_2, \dots, e_m\}$. We compute the context of each packet in $S_{out}$, as well as in $E_{in}$. There are $n$ contexts from $S_{out}$ and $m$ contexts from $E_{in}$.
Compare each context in $S_{out}$ with all the contexts in $E_{in}$ to see if they are similar. Count all the similar contexts between $S_{out}$ and $E_{in}$. The matching rate is computed as the ratio between the number of similar contexts and the minimum of the stream sizes $m$ and $n$. It is trivial to determine if the two connections are related through the matching rate between $S_{out}$ and $E_{in}$. The following is the context-based packet matching algorithm (CPM).

CPM Algorithm ($S_{out}$, $E_{in}$, $w$,,, ):
Begin
1. Compute the context of each packet in $S_{out}$ and $E_{in}$, respectively.
2. Compare the contexts between the packets in $S_{out}$ and $E_{in}$ to get the matched packet pair. If the similarity $\Omega$ between two context sequences is bigger than, the two packets are considered to be matched.
3. Count $N$, the number of the matched packets.
4. Compute matching rate (MR),.
5. If, $S_{out}$ and $E_{in}$ are relayed, thus stepping-stone intrusion is detected. If, $S_{out}$ and $E_{in}$ are not relayed, thus stepping-stone intrusion is not detected.
End

In this algorithm, $S_{out}$ and $E_{in}$ represent the request and response sequences, respectively. The parameter $w$ determines the context window size. The parameter is a threshold to determine if two elements from two context sequences respectively are connected. The parameter with range in between 1 and $2w$ is a threshold used to determine if two context sequences are similar. The parameter (0 1) is a threshold to determine if two sessions are relayed.

C. Resistance to Time-jittering Evasion

Context-based packet matching can resist intruders' time-jittering evasion. It is analyzed in Section II.A that even though a connection is manipulated with time-jittering, conditions (1) and (2) still need to be satisfied. Intruders normally manipulate $S_{in}$ or $S_{out}$, rather than $E_{in}$ or $E_{out}$. Based on the TCP/IP protocol design, any request must be responded to within a certain time; otherwise that request must be resent.
Different from holding request packets, holding response packets would cause many resends of the corresponding request packets. This would incur a lot of network traffic, thus making the network inefficient. It is reasonable to assume that intruders manipulate the request stream only. Suppose $S_{in}$ is manipulated and has the timestamp sequence,,,. The time-jittering manipulation can affect and only affect $S_{out}$. We assume $S_{out}$ has the timestamp sequence,,,. The stream $S_{out}$ determines $E_{out}$ because they are in the same session. $E_{out}$ and $E_{in}$ have close timestamp sequences if these two connections are relayed. $E_{in}$ is assumed to have timestamp sequence,,,. If $e_i$ and $e_j$ are the responses of $s_i$ and $s_j$ respectively, the gaps and should be very close. The gap between any two packets in $E_{in}$ is determined by the corresponding gap in $S_{out}$. It indicates that any context in $S_{out}$ can find its similar context in $E_{in}$. So even though the incoming connection is manipulated by time-jittering, CPM can still find the related connections.

D. Resistance to Chaff-perturbation Evasion

We use context window size $2 \cdot 3$ to demonstrate why and how CPM can resist intruders' chaff-perturbation evasion. Assume $s_i$ with timestamp is a packet in $S_{out}$ and $e_j$ with timestamp is a packet in $E_{in}$, and $s_i$ and $e_j$ are matched. Before $S_{out}$ is manipulated, $s_i$ has context sequence,,,,,, and $e_j$ has context sequence,,,,,. We assume the similarity between the two sequences and is six. It indicates each element in can find its connected element in. As we mentioned before, intruders normally chaff a stream randomly. If $S_{out}$ is randomly chaffed with two packets, one between $s_i$ and $s_{i-1}$ and another between $s_i$ and $s_{i+1}$, the context sequence of $s_i$ with the same window size becomes,,,,,, here we use to represent the chaffed packet before $s_i$ and to represent the packet inserted after $s_i$. The context sequence of packet $e_j$ remains the same as because, as we discussed before, all the packets inserted must be removed before they arrive at the destination host. Obviously, the similarity between and becomes four.
Compared to the case without manipulation, the similarity drops, but only a little. The more packets inserted, the more the similarity drops. But if the two sessions are not related, the similarity between the two context sequences of two packets from the two connections respectively would be close to zero with a very high probability. It is still possible to determine if the two connections are related from the dropped similarity even though one connection is manipulated.

IV. EXPERIMENTAL VERIFICATION

From the above analysis, we know that CPM can resist intruders' time-jittering and chaff-perturbation evasion. It is obvious that time-jittering manipulation cannot evade CPM detection because $S_{out}$ and $E_{in}$ are compared, rather than $S_{in}$ and $S_{out}$. In this experiment, we only justify the performance of CPM in terms of resisting intruders' chaff-perturbation evasion. This experiment has three objectives. First, it is necessary to know, if two connections are not related, how high the probability is that the two connections are detected to be related by CPM under intruders' chaff-perturbation. Second, it is important to know, if a connection is under chaff-perturbation, how high the probability is that two related connections are detected to be unrelated by CPM. Third is to explore the relation between window size and MR. All three issues focus on one goal, that is, CPM can resist intruders' chaff-perturbation evasion.

Through monitoring a stepping-stone, two groups of packets were collected, with one group including 2000 Send packets and 2012 Echo packets from relayed connections, and another group including 2000 Sends and 2048 Echoes from non-relayed connections. If there is no chaff-perturbation to these two groups, the matching rates (MR) through CPM for the two groups are around 99% and 2%, respectively.
If the two groups are randomly chaffed, the MR for group one would drop depending on the chaff rate, CR, which is defined as the ratio between the number of packets inserted into a stream and the number of the packets in the chaffed stream. However, the MR for group two might change unpredictably. Section IV.A describes how a packet stream is randomly chaffed. Section IV.B demonstrates the simulation results between two unrelated connections; Section IV.C shows the results between two related ones.

A. Random Chaff-perturbation

Collected packets are essentially a timestamp sequence in which each element is an integer representing the timestamp of a packet, either Send or Echo. Suppose a sequence,,, represents the timestamps of a packet stream $S_{out} = \{s_1, s_2, \dots, s_n\}$. Chaffing a packet stream is essentially the same as inserting some integers into the timestamp sequence,,,. Any inserted integer must be in between the two timestamps because the whole time sequence must be in order, as condition (1) shows. Randomly chaffing a packet stream is to first randomly generate the packets to be chaffed, and second randomly generate the integers to be inserted. For the sequence,,, which has $n$ elements, if CR is 5%, it indicates that 5n% packets are chaffed. We first randomly generate 5n% positions in the range from 1 to $n$. Second, for position $i$, an integer is generated randomly in range from to and inserted after.
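
The following Python sketch is an added example, not the authors' implementation; it works through Sections III.A, III.B and IV.A: packet contexts (including the edge cases for the first and last w packets), the similarity Ω, the matching rate and random chaffing. Assumptions made for the example: the parameter names `eps`, `delta` and `gamma`, the relative-difference connection test standing in for inequality (3), greedy one-to-one matching, the `MR >= gamma` decision, drawing chaff positions with replacement, and all sample timestamps.

```python
"""CPM sketch on integer timestamp sequences (added example, not the authors' code)."""
import random
from bisect import insort


def context(ts, i, w):
    """Gaps from packet i to the 2*w packets in a window around it.

    Near either end the window slides inward so it still holds 2*w
    neighbours, as in the paper's p2 and p16 examples.
    """
    lo = max(0, min(i - w, len(ts) - 1 - 2 * w))
    hi = min(len(ts), lo + 2 * w + 1)
    return [abs(ts[j] - ts[i]) for j in range(lo, hi) if j != i]


def connected(u, v, eps):
    # ASSUMPTION: inequality (3) is missing from the page; a relative
    # difference of at most eps is used here as the connection test.
    return abs(u - v) <= eps * max(u, v)


def similarity(ctx_a, ctx_b, eps):
    """Omega: number of one-to-one connected element pairs of two contexts."""
    a, b = sorted(ctx_a), sorted(ctx_b)
    i = j = omega = 0
    while i < len(a) and j < len(b):
        if connected(a[i], b[j], eps):
            omega, i, j = omega + 1, i + 1, j + 1
        elif a[i] < b[j]:
            i += 1
        else:
            j += 1
    return omega


def matching_rate(s_out, e_in, w=3, eps=0.01, delta=2):
    """MR = N / min(n, m); N counts Send packets matched to an Echo packet.

    ASSUMPTION: each Echo packet is consumed by at most one Send packet
    (greedy, in order), which keeps MR within [0, 1]. Cost is O(n*m*w).
    """
    if not s_out or not e_in:
        return 0.0
    e_ctx = [context(e_in, j, w) for j in range(len(e_in))]
    used = [False] * len(e_in)
    matched = 0
    for i in range(len(s_out)):
        ctx = context(s_out, i, w)
        for j, other in enumerate(e_ctx):
            if not used[j] and similarity(ctx, other, eps) > delta:
                used[j] = True
                matched += 1
                break
    return matched / min(len(s_out), len(e_in))


def cpm(s_out, e_in, w=3, eps=0.01, delta=2, gamma=0.5):
    """Return (MR, relayed). ASSUMPTION: relayed means MR >= gamma."""
    mr = matching_rate(s_out, e_in, w, eps, delta)
    return mr, mr >= gamma


def chaff(ts, cr, rng):
    """Randomly chaff a stream in the manner of Section IV.A.

    Inserts round(cr * n) integer timestamps, each strictly inside a
    randomly chosen gap (ASSUMPTION: gaps are drawn with replacement).
    """
    gaps = [k for k in range(len(ts) - 1) if ts[k + 1] - ts[k] >= 2]
    out = list(ts)
    if gaps:
        for k in rng.choices(gaps, k=round(cr * len(ts))):
            insort(out, rng.randint(ts[k] + 1, ts[k + 1] - 1))
    return out


# Constructed sample data (milliseconds), not taken from the paper.
SEND = [0, 100, 250, 450, 700, 1000, 1350]      # S_out before chaffing
ECHO = [t + 5 for t in SEND]                    # relayed E_in, 5 ms later
SEND_CHAFFED = [0, 100, 250, 400, 450, 500, 700, 1000, 1350]  # 2 chaff pkts
UNRELATED = [5000 * k for k in range(7)]        # echoes of another session

if __name__ == "__main__":
    print("context of 450 ms packet:", context(SEND, 3, 3))
    print("after chaffing          :", context(SEND_CHAFFED, 4, 3))
    print("relayed, chaffed:", cpm(SEND_CHAFFED, ECHO))
    print("unrelated       :", cpm(SEND, UNRELATED))
    rng = random.Random(7)
    send = [0]
    for _ in range(299):                        # 100-250 ms keystroke gaps
        send.append(send[-1] + rng.randint(100, 250))
    echo = [t + rng.randint(4, 5) for t in send]
    for cr in (0.0, 0.25, 0.5, 1.0):
        print(f"CR={cr:.0%}  MR={matching_rate(chaff(send, cr, rng), echo):.2f}")
```

With the constructed data, the two chaff packets around the 450 ms packet lower its context similarity from six to four, the drop described in Section III.D, while the matching rate against the relayed Echo stream stays at 1.0.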

B. Unrelated Connections Simulation with Different Chaff Rate and Window Size

A program was made to simulate chaff-perturbation. Meaningless packets are randomly inserted into the Send packet stream in group two, based on the inserting method described in Section IV.A. Initially 5% packets are inserted, and the CR is increased by 5% until 100%. The MRs are computed through CPM under the input parameters 2, 0.01 with the CR from 5% to 100%. This process is repeated with different window sizes 3, 5, and 7, respectively. The results are shown in Figure 2, where the Y-axis and X-axis represent MR and CR, respectively.

[Figure 2. Packet matching between unrelated connections under different window sizes: + 3, 5, 7. Y-axis: MR; X-axis: CR.]

As shown in Figure 2, the MRs are around 1% regardless of the CRs when the window size is 3. When the window size is 5, the MRs are around 3%, which is a little higher than when the window size is 3. It looks weird that when the window size is 7, the MRs are much higher than the other two, especially when CR is around 5%. It is because the parameter is just 2, which is small (here we just want to show the worst results). The bigger the window size, the higher the probability that the contexts of two packets from unrelated connections are similar if the similarity threshold is small. We tried if is 3, the MRs are close to 0 regardless of the window size. Another observation from this simulation is that, unlike the results in Section IV.C, where the MRs drop monotonically, the MRs fluctuate with the variations of CR. The conclusion is that if two connections are not relayed, it is hard to make them relayed through random chaff-perturbation.

C. Related Connections Simulation with Different Chaff Rate and Window Size

If two connections are relayed, it means the computer is used as a stepping-stone. What the intruder tries to do is to evade the detection through chaff-perturbation manipulation. We do the same thing as in Section IV.B for group one.
The purpose of this simulation is to explore the performance of CPM in terms of resisting intruders' chaff-perturbation evasion. The results computed through CPM under the input parameters 2, 0.01 are shown in Figure 3.

[Figure 3. Packet matching between related connections under different window sizes: + 3, 5, 7. Y-axis: MR; X-axis: CR.]

From Figure 3, we have three observations. First, the MRs drop monotonically with the variations of CR. This means the two relayed connections can be interfered with to appear unrelated by chaff-perturbation. If the CR keeps increasing, eventually two relayed connections will be detected as not relayed even with CPM. Second, CPM could resist intruders' chaff-perturbation up to 100%. Third, the window size does help at higher CR. When CR is higher than 50%, the bigger the window size, the better the MR. The reason that we claim CPM can detect an evaded intrusion is that the gap between the MRs for two chaffed related connections and unrelated connections is as high as 40% at least.

V. CONCLUSION

In this paper, we have proposed a new algorithm, CPM, to detect stepping-stone intrusion and to resist intruders' time-jittering and chaff-perturbation evasion. CPM compares the context of each packet, rather than just the packet itself. Intruders may manipulate a single connection to evade some stepping-stone detection approaches. However, it is difficult to manipulate the whole context of each packet. CPM uses just this point to resist intruders' manipulation. The analysis showed that CPM can resist intruders' time-jittering evasion. The simulation results showed that when intruders chaff a connection chain with a chaff rate as high as 100%, CPM can still detect such intrusion. We also found that CPM could not work efficiently, especially when a large number of packets are processed.
If the number of packets captured is more than ten thousands, CPM may need more than two hours (depends on the computer used, we were using a desktop with CPU Quad Core Processor Core i7-870, 2.93GHz, 8MB, 4G memory) to get the final results. One future work is to revise this algorithm to make it more efficient. CR 1106
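The chaff-rate sweep of Sections IV.B and IV.C, sketched as an added example that is not the authors' code: it chaffs the outgoing stream from 5% to 100% in 5% steps and reports the match rate (MR) for a relayed and an unrelated pair at window sizes 3, 5 and 7. The context comparison (contiguous inter-arrival gaps within a tolerance `tol`), the constructed streams, the fixed relay delay and every function name are assumptions standing in for CPM, so the numbers will not reproduce Figures 2 and 3.

```python
import bisect
import random


def make_stream(n, mean_gap, rng):
    """Constructed interactive session: n timestamps with exponential gaps."""
    t, out = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1.0 / mean_gap)
        out.append(t)
    return out


def relay(stream, delay):
    """Outgoing side of a stepping-stone: same packets, fixed forwarding delay."""
    return [t + delay for t in stream]


def chaff(stream, rate, rng):
    """Insert round(rate * len(stream)) meaningless packets at random times."""
    count = round(rate * len(stream))
    extra = [rng.uniform(stream[0], stream[-1]) for _ in range(count)]
    return sorted(stream + extra)


def context(ts, i, w):
    """Inter-arrival gaps of the w packets centred on packet i (None at edges)."""
    h = w // 2
    if i - h < 0 or i + h >= len(ts):
        return None
    return [ts[k + 1] - ts[k] for k in range(i - h, i + h)]


def similar(a, b, tol):
    """Assumed similarity test: every gap agrees within tol seconds."""
    return all(abs(x - y) <= tol for x, y in zip(a, b))


def match_rate(incoming, outgoing, w, tol=0.01, max_delay=0.2):
    """Fraction of incoming packets (with a full context) that have an
    outgoing packet within max_delay whose context is similar."""
    matched = total = 0
    for i, t in enumerate(incoming):
        ctx = context(incoming, i, w)
        if ctx is None:
            continue
        total += 1
        lo = bisect.bisect_left(outgoing, t)
        hi = bisect.bisect_right(outgoing, t + max_delay)
        for j in range(lo, hi):
            cand = context(outgoing, j, w)
            if cand is not None and similar(ctx, cand, tol):
                matched += 1
                break
    return matched / total if total else 0.0


def sweep(incoming, outgoing, w, rates, seed=1):
    """MR at each chaff rate; chaff is inserted on the outgoing side only."""
    rng = random.Random(seed)
    return [(r, match_rate(incoming, chaff(outgoing, r, rng), w)) for r in rates]


def min_gap(related, unrelated):
    """Smallest MR difference between the related and unrelated sweeps."""
    return min(r - u for (_, r), (_, u) in zip(related, unrelated))


def experiment(n=400, seed=7):
    """Run both sweeps for window sizes 3, 5, 7 on constructed streams."""
    rng = random.Random(seed)
    incoming = make_stream(n, 0.5, rng)
    related = relay(incoming, 0.05)          # relayed connection
    unrelated = make_stream(n, 0.5, rng)     # independent connection
    rates = [k * 5 / 100 for k in range(1, 21)]  # 5% .. 100%
    return {w: (sweep(incoming, related, w, rates),
                sweep(incoming, unrelated, w, rates)) for w in (3, 5, 7)}


if __name__ == "__main__":
    for w, (rel, unrel) in experiment().items():
        print(f"window {w}: min MR gap {min_gap(rel, unrel):.3f}")
        for (cr, mr_rel), (_, mr_unrel) in zip(rel, unrel):
            print(f"  CR {cr:4.0%}  related {mr_rel:.3f}  unrelated {mr_unrel:.3f}")
```
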

REFERENCES

[1] Y. Zhang, V. Paxson, Detecting Stepping-Stones, Proceedings of the 9th USENIX Security Symposium, pp , Denver, CO, August
[2] S. Staniford-Chen, L. Todd Heberlein, Holding Intruders Accountable on the Internet, Proc. IEEE Symposium on Security and Privacy, pp , Oakland, CA,
[3] K. Yoda, H. Etoh, Finding Connection Chain for Tracing Intruders, Proc. 6th European Symposium on Research in Computer Security (LNCS 1985), pp , Toulouse, France,
[4] X. Wang, D. S. Reeves, S. F. Wu, J. Yuill, Sleepy Watermark Tracing: An Active Network-based Intrusion Response Framework, Proceedings of 16th International Conference on Information Security, pp , Paris, France, June
[5] X. Wang, D. Reeves, and S. Wu, Inter-Packet Delay-based Correlation for Tracing Encrypted Connections through Stepping Stones, Proceedings of 7th European Symposium on Research in Computer Security, Lecture Notes in Computer Science, Vol. 2502, pp , Zurich, Switzerland, October
[6] X. Wang, D. S. Reeves, Robust Correlation of Encrypted Attack Traffic through Stepping-Stones by Manipulation of Inter packet Delays, Proceedings of the 10th ACM Conference on Computer and Communications Security, pp , Washington DC, October
[7] D. L. Donoho (ed.), Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay, Proc. 5th International Symposium on Recent Advances in Intrusion Detection, pp , Zurich, Switzerland,
[8] A. Blum, D. Song, S. Venkataraman, Detection of Interactive Stepping-Stones: Algorithms and Confidence Bounds, Proceedings of International Symposium on Recent Advance in Intrusion Detection, pp , Sophia Antipolis, France, September
[9] J. Yang, B. Lee, S. S. H. Huang, "Monitoring Network Traffic to Detect Stepping-Stone Intrusion," Proceedings of 22nd IEEE International Conference on Advanced Information Networking and Applications (AINA 2008), pp 56-61, Okinawa, Japan, March


More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.

More information

BUSNet: Model and Usage of Regular Traffic Patterns in Mobile Ad Hoc Networks for Inter-Vehicular Communications

BUSNet: Model and Usage of Regular Traffic Patterns in Mobile Ad Hoc Networks for Inter-Vehicular Communications BUSNet: Model and Usage of Regular Traffic Patterns in Mobile Ad Hoc Networks for Inter-Vehicular Communications Kai-Juan Wong, Bu-Sung Lee, Boon-Chong Seet, Genping Liu, Lijuan Zhu School of Computer

More information

Mining Temporal Association Rules in Network Traffic Data

Mining Temporal Association Rules in Network Traffic Data Mining Temporal Association Rules in Network Traffic Data Guojun Mao Abstract Mining association rules is one of the most important and popular task in data mining. Current researches focus on discovering

More information

Impact of IEEE MAC Packet Size on Performance of Wireless Sensor Networks

Impact of IEEE MAC Packet Size on Performance of Wireless Sensor Networks IOSR Journal of Electronics and Communication Engineering (IOSR-JECE) e-issn: 2278-2834,p- ISSN: 2278-8735.Volume 10, Issue 3, Ver. IV (May - Jun.2015), PP 06-11 www.iosrjournals.org Impact of IEEE 802.11

More information

Challenges in Mobile Ad Hoc Network

Challenges in Mobile Ad Hoc Network American Journal of Engineering Research (AJER) e-issn: 2320-0847 p-issn : 2320-0936 Volume-5, Issue-5, pp-210-216 www.ajer.org Research Paper Challenges in Mobile Ad Hoc Network Reshma S. Patil 1, Dr.

More information

TCP and UDP Fairness in Vehicular Ad hoc Networks

TCP and UDP Fairness in Vehicular Ad hoc Networks TCP and UDP Fairness in Vehicular Ad hoc Networks Forouzan Pirmohammadi 1, Mahmood Fathy 2, Hossein Ghaffarian 3 1 Islamic Azad University, Science and Research Branch, Tehran, Iran 2,3 School of Computer

More information

CHAPTER 3 EFFECTIVE ADMISSION CONTROL MECHANISM IN WIRELESS MESH NETWORKS

CHAPTER 3 EFFECTIVE ADMISSION CONTROL MECHANISM IN WIRELESS MESH NETWORKS 28 CHAPTER 3 EFFECTIVE ADMISSION CONTROL MECHANISM IN WIRELESS MESH NETWORKS Introduction Measurement-based scheme, that constantly monitors the network, will incorporate the current network state in the

More information

A Hybrid Approach for Misbehavior Detection in Wireless Ad-Hoc Networks

A Hybrid Approach for Misbehavior Detection in Wireless Ad-Hoc Networks A Hybrid Approach for Misbehavior Detection in Wireless Ad-Hoc Networks S. Balachandran, D. Dasgupta, L. Wang Intelligent Security Systems Research Lab Department of Computer Science The University of

More information

Towards a Key Consuming Detection in QKD-VoIP Systems

Towards a Key Consuming Detection in QKD-VoIP Systems Towards a Key Consuming Detection in QKD-VoIP Systems Guohong Zhao, Wanrong Yu, Baokang Zhao, and Chunqing Wu School of Computer Science, National University of Defense Technology, Changsha, Hunan, China

More information

Wireless Network Security Spring 2016

Wireless Network Security Spring 2016 Wireless Network Security Spring 2016 Patrick Tague Class #11 - Identity Mgmt.; Routing Security 2016 Patrick Tague 1 Class #11 Identity threats and countermeasures Basics of routing in ad hoc networks

More information

International Journal of Advanced Engineering Research and Science (IJAERS) [Vol-1, Issue-2, July 2014] ISSN:

International Journal of Advanced Engineering Research and Science (IJAERS) [Vol-1, Issue-2, July 2014] ISSN: Cluster Based Id Revocation with Vindication Capability for Wireless Network S. Janani Devi* *Assistant Professor, ECE, A.S.L.Pauls College of Engineering and Technology, Tamilnadu, India ABSTRACT: The

More information

The Need for Flow Fingerprints to Link Correlated Network Flows

The Need for Flow Fingerprints to Link Correlated Network Flows The Need for Flow Fingerprints to Link Correlated Network Flows Amir Houmansadr 1 and Nikita Borisov 2 1 The University of Texas at Austin amir@cs.utexas.edu 2 University of Illinois at Urbana-Champaign

More information